Edit tour

Windows Analysis Report
SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe
Analysis ID:	1544200
MD5:	23d85c693614bedaed9142bfcbd7cb77
SHA1:	e5556d7ef81d95dc7cdf1b78ef28d2decb93654c
SHA256:	b6cd79a1fc147046cdca607e3ad30274ad7a5aa8544a0221455a1b4305962d42
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5: 23D85C693614BEDAED9142BFCBD7CB77)

conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6540 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

certutil.exe (PID: 2364 cmdline: certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)

find.exe (PID: 2008 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

find.exe (PID: 3260 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 1816 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 1892 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 4420 cmdline: timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)

WerFault.exe (PID: 2380 cmdline: C:\Windows\system32\WerFault.exe -u -p 7140 -s 484 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Virustotal: Detection: 30%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CC1BD strtol,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,_strdup,CertOpenStore,GetLastError,free,free,CryptStringToBinaryA,CertFindCertificateInStore,fopen,fseek,ftell,fseek,malloc,fread,fclose,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertCloseStore,calloc,CertFreeCertificateContext,fclose,free,CertFreeCertificateContext,free,calloc,	0_2_00007FF7197CC1BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197E7A40 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertGetNameStringA,malloc,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,	0_2_00007FF7197E7A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197F0EA0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7197F0EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197EEDB0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	0_2_00007FF7197EEDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CE2C0 CryptHashData,	0_2_00007FF7197CE2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CE2D0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7197CE2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CE270 CryptAcquireContextA,CryptCreateHash,	0_2_00007FF7197CE270
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CB4B0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_00007FF7197CB4B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197E8360 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,malloc,ReadFile,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,free,	0_2_00007FF7197E8360
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CB580 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7197CB580

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_00007FF7197B21A0
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: mov dword ptr [rbp+04h], 424D53FFh

0_2_00007FF7197DABB0

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

IP Address: 104.26.0.5 104.26.0.5

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197C6CE0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,

0_2_00007FF7197C6CE0

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe, 00000000.00000002.1699091200.000001D7B54FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe, 00000000.00000002.1699091200.000001D7B54FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/9
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe, 00000000.00000002.1699091200.000001D7B54FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/ace

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197EEDB0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

0_2_00007FF7197EEDB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF71979C980	0_2_00007FF71979C980
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197B9990	0_2_00007FF7197B9990
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197BACD0	0_2_00007FF7197BACD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CC1BD	0_2_00007FF7197CC1BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF71979E120	0_2_00007FF71979E120
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719798490	0_2_00007FF719798490
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197993B0	0_2_00007FF7197993B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197BB8F0	0_2_00007FF7197BB8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF71978A7C0	0_2_00007FF71978A7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197D6AA0	0_2_00007FF7197D6AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719799AD0	0_2_00007FF719799AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197C4B10	0_2_00007FF7197C4B10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719793B08	0_2_00007FF719793B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719784B10	0_2_00007FF719784B10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF71978EA20	0_2_00007FF71978EA20
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197E7A40	0_2_00007FF7197E7A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197ABA50	0_2_00007FF7197ABA50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197939DE	0_2_00007FF7197939DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719797970	0_2_00007FF719797970
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719783B30	0_2_00007FF719783B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719796F04	0_2_00007FF719796F04
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197F0E30	0_2_00007FF7197F0E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197EEDB0	0_2_00007FF7197EEDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF71979A0C9	0_2_00007FF71979A0C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197C9F40	0_2_00007FF7197C9F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719784F70	0_2_00007FF719784F70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197842C0	0_2_00007FF7197842C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197DF2D0	0_2_00007FF7197DF2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CC285	0_2_00007FF7197CC285
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CC27C	0_2_00007FF7197CC27C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197E24F0	0_2_00007FF7197E24F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719795500	0_2_00007FF719795500
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197B63F0	0_2_00007FF7197B63F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197B36C0	0_2_00007FF7197B36C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197C7660	0_2_00007FF7197C7660
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719787670	0_2_00007FF719787670
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197CE680	0_2_00007FF7197CE680
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197DB5D0	0_2_00007FF7197DB5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197E3520	0_2_00007FF7197E3520
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719785530	0_2_00007FF719785530
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF71979B8A0	0_2_00007FF71979B8A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF71979289A	0_2_00007FF71979289A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197927AC	0_2_00007FF7197927AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197C1810	0_2_00007FF7197C1810
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197BC730	0_2_00007FF7197BC730
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF719798740	0_2_00007FF719798740

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197BBD00 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197B8980 appears 380 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197BBC70 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197A7230 appears 40 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197F26DE appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197B3300 appears 70 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197A7300 appears 37 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197A3860 appears 49 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197BBDE0 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: String function: 00007FF7197B8B00 appears 310 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7140 -s 484

Source: classification engine

Classification label: mal64.winEXE@18/0@1/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197A22E0 GetLastError,_errno,FormatMessageA,strchr,strncpy,_errno,_errno,GetLastError,SetLastError,

0_2_00007FF7197A22E0

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\52b4248b-35fa-4094-88a8-ded2194e74c4

Jump to behavior

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Virustotal: Detection: 30%

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7140 -s 484
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197BB5D0 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,

0_2_00007FF7197BB5D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197876CA push rdx; ret

0_2_00007FF7197876CB

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

API coverage: 4.3 %

Source: C:\Windows\System32\timeout.exe TID: 4960

Thread sleep count: 43 > 30

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe, 00000000.00000002.1699091200.000001D7B54FC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197833E0 _invalid_parameter_noinfo_noreturn,IsDebuggerPresent,Sleep,IsDebuggerPresent,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,

0_2_00007FF7197833E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197F2578 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF7197F2578

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197BB5D0 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,

0_2_00007FF7197BB5D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197A63C0 GetProcessHeap,

0_2_00007FF7197A63C0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197F1C20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF7197F1C20

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00007FF7197F1160

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Code function: 0_2_00007FF7197F23F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7197F23F8

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197C6CE0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,	0_2_00007FF7197C6CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197D6AA0 calloc,strchr,strncpy,strchr,strncpy,strchr,strtoul,strchr,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,	0_2_00007FF7197D6AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197BA640 memset,strncmp,strncmp,strchr,htons,atoi,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	0_2_00007FF7197BA640
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197DD5D4 calloc,calloc,calloc,bind,WSAGetLastError,	0_2_00007FF7197DD5D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Code function: 0_2_00007FF7197DD800 calloc,calloc,calloc,bind,WSAGetLastError,	0_2_00007FF7197DD800

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	1 Exploitation of Remote Services	12 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	42%	ReversingLabs	Win64.Trojan.Generic
SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	31%	Virustotal		Browse
SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	100%	Avira	HEUR/AGEN.1315740
SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
keyauth.win	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe
https://curl.haxx.se/docs/http-cookies.html#	0%	Virustotal		Browse
https://keyauth.win/api/1.2/9	0%	Virustotal		Browse
https://keyauth.win/api/1.2/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.0.5	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.2/ace	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe, 00000000.00000002.1699091200.000001D7B54FC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/9	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe, 00000000.00000002.1699091200.000001D7B54FC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://curl.haxx.se/docs/http-cookies.html	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	false	URL Reputation: safe	unknown
https://curl.haxx.se/docs/http-cookies.html#	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	false	0%, Virustotal, Browse	unknown
https://keyauth.win/api/1.2/	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe, 00000000.00000002.1699091200.000001D7B54FC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.0.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544200
Start date and time:	2024-10-29 02:18:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe
Detection:	MAL
Classification:	mal64.winEXE@18/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 52 Number of non-executed functions: 227
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.0.5	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse
	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse	104.26.1.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://api.inspectrealestate.com.au/email/track?eta=1&t=B32-5UARLGTXC6GHXC7PJPHCGUP7HMF6FJEQ76L6MOL7WYB6P6EYQNBONANBBGKOXFRO3HPDET5TXGOZXG5FJNMJJC437YUYUWDF5VEVIWPK6LECEZJV3OMRCXF6VI76ZOGYOFIOERVACTHYB4KHK22IKKEWLYPTUBLONXLA7QVY2SW2TZMW4ULVG2UAKDR3DM3RL4TTJAF3F3ROXQ3ZLRVYS7Z2T4TIQETEEUV73V42AQLF65YKSUX6JMYEW3ZHXPREAMXXBOQV32GKOYOISFZKX4GPTPR2IMSMCULLR2V4QUSMU3MWF7NQ%3D%3D%3D%3D	Get hash	malicious	Unknown	Browse	188.114.96.3
	Payment Advice.xls	Get hash	malicious	Unknown	Browse	104.21.21.60
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://hianime.to	Get hash	malicious	Unknown	Browse	104.21.11.245
	(No subject) (98).eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://mail.kb4.io/XT0VNMzRJS3djRnBKZnFha1JaVThBUHFHRmpuS2FmSUY4aUszUlY3Sm0rWmpyUWR3ekQzL2xjN0xhVVJlTzhvZzgyMGtTUkxmSWtGdWlUY2I0NStmRWlLS2xHcGZsNTZUN3VyanNiKzVaNjhaeTRSTXFXVGdwc0J4amUxRFFPMU5DTTd5ejl5aXZxUlBwL1NDaDBRSk9DWVJkc09KRUZodTl0SFh5bFVVWEdYZTMzcm5ZTCtCSGpmZWRIMEprQjhiZExvOE9wSGkwUS9KTjQwSVdjQT0tLVBNYWNLTzcyT0xCdDkzb3ItLURlVmNvdGI3d3BGenM5UWJzc1EreXc9PQ==?cid=2260646675	Get hash	malicious	Unknown	Browse	104.18.90.62
	https://mail.kb4.io/XV2pCbFUvdkZ0U1V3cHZQWXpqL3hjTU9wcmY4ZmEyNXZRWTRiU1VvMTVwRnRrYWdnVjdlM0lLQ3VmVXlCSlpGdkkvQUNJWjZLaHpVWnRmYjY0VktjbmJLUFlpV0xzWTVEdkJsa1hrWXY0dGZHMUNoclZ3aDRORWlpQlNhTlpLSy9pdXMwQXozSHVrYSthQnJrS2J6T0EvSVBMYUFYRG1EZ254WlBRUGdyZU55TkdBZjB0aWhCMFdIN081T2RsdFFIMVpIdFAvU2Q2NXlLKzNJY1JZQ1JNMTBwaDlZPS0tNE01L0hRZXp6Tm50TW1MTS0tSlkrYWNuVllJcXZpelZWZ2ppaVRSdz09?cid=2260646675	Get hash	malicious	Unknown	Browse	104.18.89.62
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.FileRepMalware.12632.12594.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.FileRepMalware.8628.17723.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Iyto7FYCJO.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.Evo-gen.20301.32747.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.456567607049873
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe
File size:	607'232 bytes
MD5:	23d85c693614bedaed9142bfcbd7cb77
SHA1:	e5556d7ef81d95dc7cdf1b78ef28d2decb93654c
SHA256:	b6cd79a1fc147046cdca607e3ad30274ad7a5aa8544a0221455a1b4305962d42
SHA512:	b82bf7690219fe0aba54b3180aea8daf8ccc97741b2ba23641cc1437a8fd3c889b5006167a36fc79a131de61bd690c7a08c641d84dd03205ba82e46c9130edfc
SSDEEP:	12288:31ixytRvGF+JAx05dew7msZN0XLpUP6w:CytlGkGxQew7mWILpfw
TLSH:	1CD47D56A7E904EAD1A7C13C8647C613E7B2B45A13109BDB43A0C9792F13BE56F3E720
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........................<......yR......y.......y.......y.......y.......\|..........m...N........................x.......xP......x.....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140071930
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FB2767 [Mon Sep 30 22:34:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	323a540f00c2b993579bbdc97e09167b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA2A4C39244h
dec eax
add esp, 28h
jmp 00007FA2A4C385F7h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [0001F194h]
call dword ptr [0000292Eh]
mov eax, dword ptr [0001E714h]
dec eax
lea ecx, dword ptr [0001F181h]
mov edx, dword ptr [0001F183h]
inc eax
mov dword ptr [0001E6FFh], eax
mov dword ptr [ebx], eax
dec eax
mov eax, dword ptr [00000058h]
inc ecx
mov ecx, 00000004h
dec esp
mov eax, dword ptr [eax+edx*8]
mov eax, dword ptr [0001E6E4h]
inc ebx
mov dword ptr [ecx+eax], eax
call dword ptr [000028F6h]
dec eax
lea ecx, dword ptr [0001F13Fh]
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [000028C3h]
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [0001F128h]
call dword ptr [000028C2h]
cmp dword ptr [ebx], 00000000h
jne 00007FA2A4C387A4h
or dword ptr [ebx], FFFFFFFFh
jmp 00007FA2A4C387C7h
inc ebp
xor ecx, ecx
dec eax
lea edx, dword ptr [0001F10Eh]
inc ecx
or eax, FFFFFFFFh
dec eax
lea ecx, dword ptr [0001F0FBh]
call dword ptr [00002895h]
jmp 00007FA2A4C3875Bh
cmp dword ptr [ebx], FFFFFFFFh
je 00007FA2A4C38760h
dec eax
mov eax, dword ptr [00000058h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8c450	0x1f4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x97000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x92000	0x4c08	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0x5c4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x83f60	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x84000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x83e20	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x74000	0xb58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x72d80	0x72e00	5e4517b582cef5cd4c8dc9dcf102da43	False	0.5149576645810664	data	6.391370609924596	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x74000	0x1b1dc	0x1b200	3fa35070c0a8402f40a942e8dd94c84b	False	0.3824974798387097	OpenPGP Public Key	5.624820765468368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x14c8	0xa00	9b4091fe32573f9d20204ff808ed9d70	False	0.196875	data	3.5496317521529486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x92000	0x4c08	0x4e00	7d2ea751bdeb80154ec68584a7f44bc6	False	0.47806490384615385	data	5.710918288582408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x97000	0x1e8	0x200	bd319242e0d4994db1e7d370d3a05a5b	False	0.5390625	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0x5c4	0x600	847fa98c492d41f8bc58c0bc6e82b439	False	0.5865885416666666	data	5.298964399411476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x97060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	MultiByteToWideChar, GetEnvironmentVariableA, GetFileType, ReadFile, PeekNamedPipe, WaitForMultipleObjects, CreateFileA, GetFileSizeEx, WideCharToMultiByte, OutputDebugStringW, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, LeaveCriticalSection, EnterCriticalSection, LocalFree, FormatMessageA, SetLastError, QueryFullProcessImageNameW, GetModuleFileNameA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, CloseHandle, MoveFileExA, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, WakeAllConditionVariable, GetCurrentThreadId, SleepConditionVariableSRW, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AreFileApisANSI, SetCurrentDirectoryW, GetLocaleInfoEx, WaitForSingleObjectEx, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, FreeLibrary, GetSystemDirectoryA, QueryPerformanceFrequency, VerSetConditionMask, SleepEx, CreateFileW, IsDebuggerPresent, GetConsoleWindow, GetModuleHandleW, GetProcAddress, CreateThread, LoadLibraryA, GetCurrentThread, Sleep, GetModuleHandleA, GetStdHandle, GetCurrentProcess, SetConsoleTitleA, VirtualProtect, WriteProcessMemory
USER32.dll	MoveWindow, FindWindowA, ShowWindow, MessageBoxA
ADVAPI32.dll	CryptReleaseContext, AddAccessAllowedAce, GetLengthSid, GetTokenInformation, InitializeAcl, IsValidSid, SetSecurityInfo, CopySid, ConvertSidToStringSidA, CryptAcquireContextA, CryptGetHashParam, CryptGenRandom, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptEncrypt, CryptImportKey, OpenProcessToken
SHELL32.dll	ShellExecuteA
MSVCP140.dll	?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?setf@ios_base@std@@QEAAHHH@Z, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, _Thrd_detach, _Query_perf_counter, _Cnd_do_broadcast_at_thread_exit, ?_Syserror_map@std@@YAPEBDH@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Xbad_function_call@std@@YAXXZ, ?_Winerror_map@std@@YAHH@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?uncaught_exception@std@@YA_NXZ, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Throw_Cpp_error@std@@YAXH@Z, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, _Query_perf_frequency, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
Normaliz.dll	IdnToAscii
WLDAP32.dll
CRYPT32.dll	CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertOpenStore, CertGetNameStringA, CertFindExtension, CertFreeCertificateChain, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertAddCertificateContextToStore
WS2_32.dll	bind, send, recv, closesocket, connect, getpeername, getsockname, getsockopt, htons, ntohs, setsockopt, WSAGetLastError, socket, WSASetLastError, select, __WSAFDIsSet, ioctlsocket, listen, recvfrom, htonl, accept, WSACleanup, WSAStartup, freeaddrinfo, ntohl, gethostname, sendto, WSAIoctl, getaddrinfo
RPCRT4.dll	UuidToStringA, UuidCreate, RpcStringFreeA
PSAPI.DLL	GetModuleInformation
USERENV.dll	UnloadUserProfile
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__std_exception_destroy, __std_exception_copy, __std_terminate, _CxxThrowException, memchr, memcmp, memcpy, memmove, memset, strchr, __current_exception_context, strstr, __C_specific_handler, __current_exception, strrchr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, _cexit, _get_initial_narrow_environment, _initterm, _initterm_e, _exit, __p___argc, __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _invalid_parameter_noinfo_noreturn, strerror, __sys_nerr, _errno, _getpid, terminate, system, _invalid_parameter_noinfo, _beginthreadex, exit, _seh_filter_exe, _resetstkoflw
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsscanf, fputc, feof, fflush, fseek, __acrt_iob_func, fclose, fopen, ftell, _open, _close, _write, _popen, _pclose, fgets, _read, fgetc, __p__commode, _set_fmode, _get_stream_buffer_pointers, _lseeki64, _fseeki64, fread, fsetpos, ungetc, setvbuf, fgetpos, fwrite, __stdio_common_vsprintf, fputs
api-ms-win-crt-heap-l1-1-0.dll	realloc, _set_new_mode, calloc, free, _callnewh, malloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dclass
api-ms-win-crt-convert-l1-1-0.dll	atoi, strtoll, strtol, strtoul, strtod, strtoull
api-ms-win-crt-utility-l1-1-0.dll	qsort, rand
api-ms-win-crt-filesystem-l1-1-0.dll	_access, _stat64, _unlock_file, _unlink, _lock_file, _fstat64
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, localeconv, _configthreadlocale
api-ms-win-crt-string-l1-1-0.dll	strcmp, strspn, strpbrk, _strdup, tolower, strncmp, isupper, strncpy, strcspn
api-ms-win-crt-time-l1-1-0.dll	_time64, _gmtime64

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 02:19:01.797086000 CET	49734	443	192.168.2.4	104.26.0.5
Oct 29, 2024 02:19:01.797173977 CET	443	49734	104.26.0.5	192.168.2.4
Oct 29, 2024 02:19:01.797261000 CET	49734	443	192.168.2.4	104.26.0.5
Oct 29, 2024 02:19:01.809922934 CET	49734	443	192.168.2.4	104.26.0.5
Oct 29, 2024 02:19:01.809962034 CET	443	49734	104.26.0.5	192.168.2.4
Oct 29, 2024 02:19:02.433577061 CET	443	49734	104.26.0.5	192.168.2.4
Oct 29, 2024 02:19:02.433656931 CET	49734	443	192.168.2.4	104.26.0.5
Oct 29, 2024 02:19:03.437453032 CET	49734	443	192.168.2.4	104.26.0.5
Oct 29, 2024 02:19:03.437496901 CET	443	49734	104.26.0.5	192.168.2.4
Oct 29, 2024 02:19:03.437572002 CET	49734	443	192.168.2.4	104.26.0.5
Oct 29, 2024 02:19:03.437663078 CET	443	49734	104.26.0.5	192.168.2.4
Oct 29, 2024 02:19:03.437719107 CET	49734	443	192.168.2.4	104.26.0.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 02:19:01.782392979 CET	55884	53	192.168.2.4	1.1.1.1
Oct 29, 2024 02:19:01.792089939 CET	53	55884	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 02:19:01.782392979 CET	192.168.2.4	1.1.1.1	0xcb74	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 02:19:01.792089939 CET	1.1.1.1	192.168.2.4	0xcb74	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Oct 29, 2024 02:19:01.792089939 CET	1.1.1.1	192.168.2.4	0xcb74	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Oct 29, 2024 02:19:01.792089939 CET	1.1.1.1	192.168.2.4	0xcb74	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	21:19:00
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe"
Imagebase:	0x7ff719780000
File size:	607'232 bytes
MD5 hash:	23D85C693614BEDAED9142BFCBD7CB77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:19:00
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:19:01
Start date:	28/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Imagebase:	0x7ff611370000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:19:01
Start date:	28/10/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe" MD5
Imagebase:	0x7ff763d10000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:19:01
Start date:	28/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "md5"
Imagebase:	0x7ff7912d0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:19:01
Start date:	28/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "certutil"
Imagebase:	0x7ff7912d0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:19:02
Start date:	28/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff611370000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:19:03
Start date:	28/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff611370000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:19:03
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:19:03
Start date:	28/10/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 5
Imagebase:	0x7ff72d660000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:19:03
Start date:	28/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7140 -s 484
Imagebase:	0x7ff62d4f0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	114

Executed Functions

Function 00007FF7197CC1BD Relevance: 116.1, APIs: 43, Strings: 23, Instructions: 552stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197CC318
strchr.VCRUNTIME140 ref: 00007FF7197CC344
strchr.VCRUNTIME140 ref: 00007FF7197CC37E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197CC3A2
strchr.VCRUNTIME140 ref: 00007FF7197CC4B2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197CC4CA

Strings

LocalMachineEnterprise, xrefs: 00007FF7197CC48B
schannel: TLS 1.3 is not yet supported, xrefs: 00007FF7197CC24B
schannel: AcquireCredentialsHandle failed: %s, xrefs: 00007FF7197CC935
http/1.1, xrefs: 00007FF7197CC9D3
Services, xrefs: 00007FF7197CC417
schannel: unable to allocate memory, xrefs: 00007FF7197CC83C, 00007FF7197CCAC7
Microsoft Unified Security Protocol Provider, xrefs: 00007FF7197CC8BF
CurrentUserGroupPolicy, xrefs: 00007FF7197CC44D
schannel: Failed to read cert file %s, xrefs: 00007FF7197CC879
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF7197CC9B3
schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 00007FF7197CC530
CurrentUser, xrefs: 00007FF7197CC392
CurrentService, xrefs: 00007FF7197CC3F5
schannel: Failed to get certificate location or file for %s, xrefs: 00007FF7197CC8A2
LocalMachine, xrefs: 00007FF7197CC3D3
schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 00007FF7197CC784
Users, xrefs: 00007FF7197CC436
Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00007FF7197CC3B7
LocalMachineGroupPolicy, xrefs: 00007FF7197CC46C
http/1.1, xrefs: 00007FF7197CC9E7
schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 00007FF7197CC7CF
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF7197CC759
schannel: ALPN, offering %s, xrefs: 00007FF7197CC9F5

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdupstrncmpstrtol
String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$Services$Unable to set ciphers to passed via SSL_CONN_CONFIG$Users$http/1.1$http/1.1$schannel: ALPN, offering %s$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: TLS 1.3 is not yet supported$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.
API String ID: 707411602-3372543188
Opcode ID: 6f20a3098ada05b8637e2bb69d452da5419154e3d137eabee69a00ebfac4dd4a
Instruction ID: 5d4dc9d72544466667028001d91a1623223729452344b0ff2747fe729d323efa
Opcode Fuzzy Hash: 6f20a3098ada05b8637e2bb69d452da5419154e3d137eabee69a00ebfac4dd4a
Instruction Fuzzy Hash: 06429121A18E4386EB14AF15A8546B9A7B0FF49BF8F844435CA1E57794EF3CE50EC320

Function 00007FF71979C980 Relevance: 60.6, APIs: 32, Strings: 2, Instructions: 1122windowsleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF71979C9DB
UuidCreate.RPCRT4 ref: 00007FF71979CA2E
UuidToStringA.RPCRT4 ref: 00007FF71979CA49
RpcStringFreeA.RPCRT4 ref: 00007FF71979CA7E

Part of subcall function 00007FF71978FB80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978FC47

Part of subcall function 00007FF71978BEE0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF71979CB03), ref: 00007FF71978BF38

Part of subcall function 00007FF71978BF80: memcpy.VCRUNTIME140(?,?,?,00007FF71978165A), ref: 00007FF71978C073

memcmp.VCRUNTIME140 ref: 00007FF71979CFC0
MessageBoxA.USER32 ref: 00007FF71979D053
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979D05B
memset.VCRUNTIME140 ref: 00007FF71979D13F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF71979D1F1
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z.MSVCP140 ref: 00007FF71979D206
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140 ref: 00007FF71979D216
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF71979D234
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979D2B9

Part of subcall function 00007FF71978F740: memcpy.VCRUNTIME140(?,?,?,00000000,?,?,?,00007FF71979B6D0), ref: 00007FF71978F84E
Part of subcall function 00007FF71978F740: memcpy.VCRUNTIME140(?,?,?,00000000,?,?,?,00007FF71979B6D0), ref: 00007FF71978F85D

Part of subcall function 00007FF71979B690: memcpy.VCRUNTIME140 ref: 00007FF71979B70F
Part of subcall function 00007FF71979B690: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B782
Part of subcall function 00007FF71979B690: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B7BC
Part of subcall function 00007FF71979B690: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B80F

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979D3D9
Sleep.KERNEL32 ref: 00007FF71979D4A9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979D5A4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979D691
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979D6DA

Part of subcall function 00007FF7197F1420: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF71978DA00), ref: 00007FF7197F143A

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979D846
MessageBoxA.USER32 ref: 00007FF71979DA50
ShellExecuteA.SHELL32 ref: 00007FF71979DA98
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979DAA0
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF71979DAF5
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF71979DB02
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979DB41
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979DBB0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979DC0D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979DC52
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979DCAF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979DCF4
MessageBoxA.USER32 ref: 00007FF71979DD89
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979DD91

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00007FF71979D2D0
-, xrefs: 00007FF71979CB03

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$D@std@@@std@@U?$char_traits@$memcpy$Messageexit$??6?$basic_ostream@CreateStringUuidV01@$??1?$basic_ios@??1?$basic_iostream@?fill@?$basic_ios@?setw@std@@ExecuteFreeJ@1@_ShellSleepSmanip@_ThreadU?$_V21@@Vios_base@1@mallocmemcmpmemsetsystem
String ID: -$Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message:
API String ID: 3289044329-3430715778
Opcode ID: 8a36e4602b210adab6503ee844bd3db43c68f51e7f90be6cee31234b0ffa8d61
Instruction ID: d851d03063d7d1e2c04b9a65ad03b641077b392d4bb80ebaffdc3c97e5612fc0
Opcode Fuzzy Hash: 8a36e4602b210adab6503ee844bd3db43c68f51e7f90be6cee31234b0ffa8d61
Instruction Fuzzy Hash: 65C2B662A18AC285EB20EF34D8453EDA770FF497ACF905231DA9D16A99DF78D14EC310

Function 00007FF7197BB8F0 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF7197BB918
WSACleanup.WS2_32 ref: 00007FF7197BB933
GetModuleHandleA.KERNEL32 ref: 00007FF7197BB984
GetProcAddress.KERNEL32 ref: 00007FF7197BB9B0
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197BB9CA
LoadLibraryA.KERNEL32 ref: 00007FF7197BB9ED
GetProcAddress.KERNEL32 ref: 00007FF7197BBA0A
LoadLibraryExA.KERNELBASE ref: 00007FF7197BBA20
GetSystemDirectoryA.KERNEL32 ref: 00007FF7197BBA36
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BBA4E
GetSystemDirectoryA.KERNEL32 ref: 00007FF7197BBA62
LoadLibraryA.KERNEL32 ref: 00007FF7197BBAD0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BBADC
GetProcAddress.KERNEL32 ref: 00007FF7197BBB08
VerSetConditionMask.KERNEL32 ref: 00007FF7197BBB91
VerSetConditionMask.KERNEL32 ref: 00007FF7197BBBA4
VerSetConditionMask.KERNEL32 ref: 00007FF7197BBBB3
VerSetConditionMask.KERNEL32 ref: 00007FF7197BBBC2
VerSetConditionMask.KERNEL32 ref: 00007FF7197BBBD2
VerifyVersionInfoA.KERNEL32 ref: 00007FF7197BBBE3
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7197BBBFF

Strings

kernel32, xrefs: 00007FF7197BB96B
AddDllDirectory, xrefs: 00007FF7197BBA00
iphlpapi.dll, xrefs: 00007FF7197BB9B6
if_nametoindex, xrefs: 00007FF7197BBAFE
LoadLibraryExA, xrefs: 00007FF7197BB99E

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleInfoModulePerformanceQueryStartupVerifyVersionfreemallocstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 2612373469-2794540096
Opcode ID: 3f701482bbca59d8f205688d17fec966a25a37f7fb5c4f435630c7a60f984e48
Instruction ID: 6877648c4a4ea3b00819dae33190c55e98856cb545fe44f2bf520b106b12e88f
Opcode Fuzzy Hash: 3f701482bbca59d8f205688d17fec966a25a37f7fb5c4f435630c7a60f984e48
Instruction Fuzzy Hash: 50916221E09F8286EB60AF11E4543B9A3B1FF9DBE8F844135D95E16754EF2CE14E8720

Function 00007FF7197BACD0 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF7197BAD6C
socket.WS2_32 ref: 00007FF7197BADB5
htons.WS2_32 ref: 00007FF7197BAE41
setsockopt.WS2_32 ref: 00007FF7197BAEA3
WSAGetLastError.WS2_32 ref: 00007FF7197BAEAD
getsockopt.WS2_32 ref: 00007FF7197BAF4F
setsockopt.WS2_32 ref: 00007FF7197BAF7E
setsockopt.WS2_32 ref: 00007FF7197BAFBD
WSAIoctl.WS2_32 ref: 00007FF7197BB04A
WSAGetLastError.WS2_32 ref: 00007FF7197BB054

Part of subcall function 00007FF7197C6F10: ioctlsocket.WS2_32 ref: 00007FF7197C6F29

Part of subcall function 00007FF7197BFA30: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF7197A88FF), ref: 00007FF7197BFA47

connect.WS2_32 ref: 00007FF7197BB17B
WSAGetLastError.WS2_32 ref: 00007FF7197BB198

Part of subcall function 00007FF7197A2AD0: GetLastError.KERNEL32 ref: 00007FF7197A2AF2
Part of subcall function 00007FF7197A2AD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2AFA

Part of subcall function 00007FF7197B8980: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C25
Part of subcall function 00007FF7197B8980: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C40

Part of subcall function 00007FF7197B95E0: closesocket.WS2_32 ref: 00007FF7197B9623

Strings

Immediate connect fail for %s: %s, xrefs: 00007FF7197BB1C8
Trying %s:%ld..., xrefs: 00007FF7197BAE4F
Failed to set SO_KEEPALIVE on fd %d, xrefs: 00007FF7197BAFCA
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00007FF7197BB05D
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00007FF7197BB23E
Could not set TCP_NODELAY: %s, xrefs: 00007FF7197BAECA
@, xrefs: 00007FF7197BAEE7

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$setsockopt$fwrite$CounterIoctlPerformanceQuery_errnoclosesocketconnectgetsockopthtonsioctlsocketmemcpysocket
String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3453287622-3868455274
Opcode ID: 8a3f797c695f041bff7e698bd8e2315470290d5b3e5acea5cb0d8eff9f9976b9
Instruction ID: 4a0b04640fd506f3577eb339a9554b8509ad4f2fe8c10fbdb06b204bc85781ba
Opcode Fuzzy Hash: 8a3f797c695f041bff7e698bd8e2315470290d5b3e5acea5cb0d8eff9f9976b9
Instruction Fuzzy Hash: C7F19271A08A4286E724BF2594442BDA3B1FF59BECF804035EA5E47A94DF3CE64EC710

Function 00007FF71979E120 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF71979E20C
OpenProcessToken.ADVAPI32 ref: 00007FF71979E21E
GetTokenInformation.KERNELBASE ref: 00007FF71979E243
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF71979E24C
GetTokenInformation.KERNELBASE ref: 00007FF71979E277
IsValidSid.ADVAPI32 ref: 00007FF71979E288
GetLengthSid.ADVAPI32 ref: 00007FF71979E299
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF71979E2A4
InitializeAcl.ADVAPI32 ref: 00007FF71979E2BD
AddAccessAllowedAce.ADVAPI32 ref: 00007FF71979E2D8
GetCurrentProcess.KERNEL32 ref: 00007FF71979E2E2
SetSecurityInfo.ADVAPI32 ref: 00007FF71979E305
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF71979E314
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF71979E31D
CloseHandle.KERNELBASE ref: 00007FF71979E32C
GetModuleHandleA.KERNEL32 ref: 00007FF71979E3B3
GetCurrentProcess.KERNEL32 ref: 00007FF71979E3BC
GetModuleInformation.PSAPI ref: 00007FF71979E3D2
SleepEx.KERNELBASE ref: 00007FF71979E480

Strings

LockMemAccess() failed, don't tamper with the program., xrefs: 00007FF71979E348
check_section_integrity() failed, don't tamper with the program., xrefs: 00007FF71979E1E4
Pattern checksum failed, don't tamper with the program., xrefs: 00007FF71979E45E

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentInformationToken$HandleModulefreemalloc$AccessAllowedCloseInfoInitializeLengthOpenSecuritySleepValid
String ID: LockMemAccess() failed, don't tamper with the program.$Pattern checksum failed, don't tamper with the program.$check_section_integrity() failed, don't tamper with the program.
API String ID: 2765164163-3085296333
Opcode ID: e4ed526a3015a8a9b4e3bf66b9dba17f105dce27b85476a70544fa81bcd938e3
Instruction ID: 9125ee5ab417995441ba19a66d49bf05a90c3c6988e1247c6b84b68e6fdd37f2
Opcode Fuzzy Hash: e4ed526a3015a8a9b4e3bf66b9dba17f105dce27b85476a70544fa81bcd938e3
Instruction Fuzzy Hash: 65A15132A18A8286E710EF31D4546BD67B0EF49BACF844535DA4D17A55EF38E54EC320

Function 00007FF71978A7C0 Relevance: 35.4, APIs: 14, Strings: 6, Instructions: 385
sleepprocesslibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF71979C980: CreateThread.KERNELBASE ref: 00007FF71979C9DB
Part of subcall function 00007FF71979C980: UuidCreate.RPCRT4 ref: 00007FF71979CA2E
Part of subcall function 00007FF71979C980: UuidToStringA.RPCRT4 ref: 00007FF71979CA49
Part of subcall function 00007FF71979C980: RpcStringFreeA.RPCRT4 ref: 00007FF71979CA7E

Part of subcall function 00007FF719797970: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797B07

Part of subcall function 00007FF719798740: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719798900

Sleep.KERNEL32 ref: 00007FF71978A83B
GetConsoleWindow.KERNEL32 ref: 00007FF71978A841
ShowWindow.USER32 ref: 00007FF71978A84C
GetCurrentProcess.KERNEL32 ref: 00007FF71978A852
GetModuleHandleW.KERNEL32 ref: 00007FF71978A862
GetProcAddress.KERNEL32 ref: 00007FF71978A872
WriteProcessMemory.KERNEL32 ref: 00007FF71978A892
CreateThread.KERNEL32 ref: 00007FF71978A8B9
GetConsoleWindow.KERNEL32 ref: 00007FF71978A949
MoveWindow.USER32 ref: 00007FF71978A975
GetConsoleWindow.KERNEL32 ref: 00007FF71978A97B
ShowWindow.USER32 ref: 00007FF71978A989
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978ADE7
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978ADF7

Strings

Connecting, xrefs: 00007FF71978AB3B
Completed, xrefs: 00007FF71978AD75
mw1 chair, xrefs: 00007FF71978A7EF, 00007FF71978A7FB, 00007FF71978A807, 00007FF71978A82A
DbgUiRemoteBreakin, xrefs: 00007FF71978A868
cls, xrefs: 00007FF71978ADE0
ntdll.dll, xrefs: 00007FF71978A85B

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Window$ConsoleCreate$ProcessShowStringThreadUuid_invalid_parameter_noinfo_noreturn$AddressCurrentFreeHandleMemoryModuleMoveProcSleepWriteexitsystem
String ID: Completed$Connecting$DbgUiRemoteBreakin$cls$mw1 chair$ntdll.dll
API String ID: 1758327050-1968594271
Opcode ID: 63000a24059d4661d4f02abe9c0f3ad03801b56eab4f0bdcd05e0f1d886e6546
Instruction ID: 2e681605f808910f8fa615c6d3d25817ff242d746a0da7bb3b257fd3b2c41287
Opcode Fuzzy Hash: 63000a24059d4661d4f02abe9c0f3ad03801b56eab4f0bdcd05e0f1d886e6546
Instruction Fuzzy Hash: 4802A521E08E5245FB05BF24D8461B9E771AF45BDCFC48232D95D67A95EF2CA10EC360

Function 00007FF7197A22E0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF7197A2308
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2310

Strings

SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 00007FF7197A2819
%s - %s, xrefs: 00007FF7197A2869
CRYPT_E_REVOKED, xrefs: 00007FF7197A2742
No error, xrefs: 00007FF7197A2760
SEC_I_CONTINUE_NEEDED, xrefs: 00007FF7197A276C
%s (0x%08X), xrefs: 00007FF7197A2365
Unknown error, xrefs: 00007FF7197A2800

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_CONTINUE_NEEDED$Unknown error
API String ID: 3939687465-1752685260
Opcode ID: 5231f01785016486938217524027c857c84e06ee1205152c8c71cf0d4cb1e3c7
Instruction ID: 73b1ff01a0a11e3a63f7ba6c73bb0ac635f90e856e8be2060d75091f6fe44966
Opcode Fuzzy Hash: 5231f01785016486938217524027c857c84e06ee1205152c8c71cf0d4cb1e3c7
Instruction Fuzzy Hash: E9516261A0DE9286E725AF21A4443B9A7B4BF4CFE8FC44035DA5D42A95DF3CE50E8720

Function 00007FF7197993B0 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF719799400
memcpy.VCRUNTIME140 ref: 00007FF719799495
memcpy.VCRUNTIME140 ref: 00007FF7197994F0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197995EE
_popen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF719799636
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF719799663
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197996A2
_pclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197996B0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197996EB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979973D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979977E

Strings

mw1 chair, xrefs: 00007FF7197993BE
>, xrefs: 00007FF719799623
certutil -hashfile ", xrefs: 00007FF7197994FF

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$fgetsmemcpy$FileModuleName_pclose_popen
String ID: >$certutil -hashfile "$mw1 chair
API String ID: 367312288-3995347440
Opcode ID: 0e85f4cf80bfc5290cf4ef4c267bc54f7baeee8498c6f4c0096c59e5fa8c300c
Instruction ID: 84013b5c59aecedcfb7e334446b390ff2f18e857db64e24ef8a99909d72e8df1
Opcode Fuzzy Hash: 0e85f4cf80bfc5290cf4ef4c267bc54f7baeee8498c6f4c0096c59e5fa8c300c
Instruction Fuzzy Hash: D4C1A562A18F8285FB10DF64E4443ADA770FF897F8F905235DA5D12AA9EF78D189C310

Function 00007FF719798490 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 172
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7197984CA
GetCurrentProcess.KERNEL32 ref: 00007FF719798512
QueryFullProcessImageNameW.KERNELBASE ref: 00007FF719798527
CreateFileW.KERNELBASE ref: 00007FF719798555
CreateFileMappingW.KERNELBASE ref: 00007FF719798586
MapViewOfFile.KERNELBASE ref: 00007FF7197985A6
VirtualProtect.KERNEL32 ref: 00007FF71979869B
VirtualProtect.KERNEL32 ref: 00007FF7197986C3
UnmapViewOfFile.KERNEL32 ref: 00007FF7197986DA
CloseHandle.KERNELBASE ref: 00007FF7197986E5
UnmapViewOfFile.KERNEL32 ref: 00007FF7197986F4
CloseHandle.KERNEL32 ref: 00007FF7197986FD

Strings

mw1 chair, xrefs: 00007FF7197984A0
@, xrefs: 00007FF71979868A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: File$HandleView$CloseCreateProcessProtectUnmapVirtual$CurrentFullImageMappingModuleNameQuery
String ID: @$mw1 chair
API String ID: 1254450295-2589584795
Opcode ID: 53e0c052093bd5f18d42bb84d1a69512dce1efec8af0a75c5a9f0870c0494dfc
Instruction ID: c10bbf1ad8750a0c3f89b2c57f0c0179a881e371972dc03f50f02f65201920b8
Opcode Fuzzy Hash: 53e0c052093bd5f18d42bb84d1a69512dce1efec8af0a75c5a9f0870c0494dfc
Instruction Fuzzy Hash: B571A032A08A42C7EB509F25E4146AAB7B1FF88BA8F844135DA5907795DF3CE44EC721

Function 00007FF7197BB5D0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000000,00007FF7197E442A,?,?,?,?,00007FF7197BB95B), ref: 00007FF7197BB5E4
GetProcAddress.KERNEL32(?,?,?,?,00007FF7197BB95B), ref: 00007FF7197BB609
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF7197BB95B), ref: 00007FF7197BB61C

Strings

kernel32, xrefs: 00007FF7197BB5DD
AddDllDirectory, xrefs: 00007FF7197BB663
LoadLibraryExA, xrefs: 00007FF7197BB5FA

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 27745253-3327535076
Opcode ID: c7683f32c6e1a657e47d9add1c44c74177711802a15aa0ccccaeae6cd2880b9b
Instruction ID: 045b680bb6e4a4459bd998a075eb545443461ebf9038f03f6df67189dfbb84e4
Opcode Fuzzy Hash: c7683f32c6e1a657e47d9add1c44c74177711802a15aa0ccccaeae6cd2880b9b
Instruction Fuzzy Hash: 76417616B09E4286EB15AF16A544139A7B1EF99FF5F884130CE1E07790EE3CD59F8720

Function 00007FF7197C6CE0 Relevance: 24.1, APIs: 16, Instructions: 127
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF7197C6D21
htonl.WS2_32 ref: 00007FF7197C6D4E
setsockopt.WS2_32 ref: 00007FF7197C6D85
bind.WS2_32 ref: 00007FF7197C6DA0
getsockname.WS2_32 ref: 00007FF7197C6DBC
listen.WS2_32 ref: 00007FF7197C6DD1
socket.WS2_32 ref: 00007FF7197C6DE8
connect.WS2_32 ref: 00007FF7197C6E07
accept.WS2_32 ref: 00007FF7197C6E1E
send.WS2_32 ref: 00007FF7197C6E6C
recv.WS2_32 ref: 00007FF7197C6E8A
memcmp.VCRUNTIME140 ref: 00007FF7197C6EA5
closesocket.WS2_32 ref: 00007FF7197C6EB1

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: socket$acceptbindclosesocketconnectgetsocknamehtonllistenmemcmprecvsendsetsockopt
String ID:
API String ID: 3699910901-0
Opcode ID: 356b554b0468fa619ed2cb9eb10850772ad47a966e683e3ab1c1b6ecb39aa9ae
Instruction ID: 06648a73bbf9eefa791b7c09cdc674c36655ea0cc5662c2a76152d2904a6b1b6
Opcode Fuzzy Hash: 356b554b0468fa619ed2cb9eb10850772ad47a966e683e3ab1c1b6ecb39aa9ae
Instruction Fuzzy Hash: C6514D31618E4282D660AF25E494569B371FF89BF8F905331EA7A43AE4DF3CE44E8710

Function 00007FF7197B9990 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Connection failed, xrefs: 00007FF7197B9D76
Failed to connect to %s port %ld: %s, xrefs: 00007FF7197B9EBE
connect to %s port %ld failed: %s, xrefs: 00007FF7197B9C0D
Connection time-out, xrefs: 00007FF7197B9A79
After %I64dms connect time, move on!, xrefs: 00007FF7197B9B55

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
API String ID: 0-3307081561
Opcode ID: e12939264609ffec3524bf024e473388a7055e7f836579bc36d1507cbdd6c775
Instruction ID: e6da4f19b63d30421c6e39da70f0757189326a3904a6b7db1688fff7cb55b66f
Opcode Fuzzy Hash: e12939264609ffec3524bf024e473388a7055e7f836579bc36d1507cbdd6c775
Instruction Fuzzy Hash: 0EE1B231608A8282EB54AF2594442B9A7B1FF59BECF840235DA6E477C5DF38E64EC310

Function 00007FF7197CCCD0 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CCDC0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CCE11
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CCE54
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CCF37
memcpy.VCRUNTIME140 ref: 00007FF7197CCFD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CD042
memcpy.VCRUNTIME140 ref: 00007FF7197CD11A
memset.VCRUNTIME140 ref: 00007FF7197CD2E7
CertFreeCertificateContext.CRYPT32 ref: 00007FF7197CD34A

Strings

SSL: public key does not match pinned public key!, xrefs: 00007FF7197CD32C, 00007FF7197CD354
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 00007FF7197CD146
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7197CD38A
schannel: unable to re-allocate memory, xrefs: 00007FF7197CCE62
schannel: unable to allocate memory, xrefs: 00007FF7197CD43F
schannel: SNI or certificate check failed: %s, xrefs: 00007FF7197CD1AB
SSL: failed retrieving public key from server certificate, xrefs: 00007FF7197CD36A
schannel: next InitializeSecurityContext failed: %s, xrefs: 00007FF7197CD1DE, 00007FF7197CD3F2
schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 00007FF7197CD1F4

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: malloc$memcpy$CertCertificateContextFreefreememsetrealloc
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key!$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 860210379-3059304359
Opcode ID: 2fce1b501544009a3a3c044fa151e52764b513539095c800b7457093632eb82e
Instruction ID: ca6f7abb009a0c3ca596379ec3278216807054df3ff372297622c5fb2b72aab2
Opcode Fuzzy Hash: 2fce1b501544009a3a3c044fa151e52764b513539095c800b7457093632eb82e
Instruction Fuzzy Hash: 9B127E72A18E4285EB609F19D8443AAB7B4FF48BE8F940136CA5E57790DF38E54EC710

Function 00007FF7197CBEF0 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7197CBFC1
GetProcAddress.KERNEL32 ref: 00007FF7197CBFD1

Strings

schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 00007FF7197CBFA2
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF7197CC062
ntdll, xrefs: 00007FF7197CBFBA
http/1.1, xrefs: 00007FF7197CC9D3
wine_get_version, xrefs: 00007FF7197CBFCA
schannel: unable to allocate memory, xrefs: 00007FF7197CCAC7
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF7197CC9B3
schannel: SNI or certificate check failed: %s, xrefs: 00007FF7197CCBAD
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00007FF7197CCC69
schannel: initial InitializeSecurityContext failed: %s, xrefs: 00007FF7197CCB8C, 00007FF7197CCBD3
http/1.1, xrefs: 00007FF7197CC9E7
Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 00007FF7197CC96F
schannel: ALPN, offering %s, xrefs: 00007FF7197CC9F5

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Unrecognized parameter passed via CURLOPT_SSLVERSION$http/1.1$http/1.1$ntdll$schannel: ALPN, offering %s$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 1646373207-2477831187
Opcode ID: 97ffa9d630631196a168c5272390d36c7de08dde74dd016803c132e704823476
Instruction ID: ffc56bbf0ac06be96ae53d21dd729718f17b6a10e3d388c1fd52f62344d212ee
Opcode Fuzzy Hash: 97ffa9d630631196a168c5272390d36c7de08dde74dd016803c132e704823476
Instruction Fuzzy Hash: F9029D72A18F828AEB10AF25D8402AAB7B4FF487E8F844136DA5D57790DF38D54EC710

Function 00007FF7197AE370 Relevance: 28.7, APIs: 19, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE3A2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE43D
InitializeCriticalSectionEx.KERNEL32 ref: 00007FF7197AE456

Part of subcall function 00007FF7197C6CE0: socket.WS2_32 ref: 00007FF7197C6D21

DeleteCriticalSection.KERNEL32 ref: 00007FF7197AE490
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE49A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE4A4
closesocket.WS2_32 ref: 00007FF7197AE4C2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE4F8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197AE4FE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AE52D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE547
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AE550
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197AE585
EnterCriticalSection.KERNEL32 ref: 00007FF7197AE5A6
LeaveCriticalSection.KERNEL32 ref: 00007FF7197AE5BA
CloseHandle.KERNEL32 ref: 00007FF7197AE5C7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE5F2
closesocket.WS2_32 ref: 00007FF7197AE60B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE61F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalSection$_errno_strdupclosesocket$CloseDeleteEnterHandleInitializeLeavecallocmallocsocket
String ID:
API String ID: 259767416-0
Opcode ID: 77bd467bb61fb7d67d35f4c9857e0d9a9b32fd1a570912d8ff1346b077024d0b
Instruction ID: b03533b923ade291a619cdd8b20b1d6da05063c5a3e3d42ef9701f1d4c5e5167
Opcode Fuzzy Hash: 77bd467bb61fb7d67d35f4c9857e0d9a9b32fd1a570912d8ff1346b077024d0b
Instruction Fuzzy Hash: 05812F26E05F8186E624EF11E854279B370FF98BA8F455235DB9E03661EF78F4DA8310

Function 00007FF7197B59E0 Relevance: 28.6, APIs: 6, Strings: 10, Instructions: 557COMMON

Download Yara Rule

Strings

No connections available in cache, xrefs: 00007FF7197B63DB
NTLM picked AND auth done set, clear picked!, xrefs: 00007FF7197B6232
anonymous, xrefs: 00007FF7197B5B98
host, xrefs: 00007FF7197B60B0
NTLM-proxy picked AND auth done set, clear picked!, xrefs: 00007FF7197B6260
ftp@example.com, xrefs: 00007FF7197B5B9F
No connections available., xrefs: 00007FF7197B6181
proxy, xrefs: 00007FF7197B60A2
No more connections allowed to host %s: %zu, xrefs: 00007FF7197B6172
Re-using existing connection! (#%ld) with %s %s, xrefs: 00007FF7197B60C3

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!$No connections available in cache$No connections available.$No more connections allowed to host %s: %zu$Re-using existing connection! (#%ld) with %s %s$anonymous$ftp@example.com$host$proxy
API String ID: 0-760484938
Opcode ID: e2e17bcd5ea5e81b917f5bee54899a1cb80f56c66da1e4ac8e5891d29c3c3314
Instruction ID: 71029a866502da7a8ac387eef999298084549e5db86fb1f031d40e366152cc87
Opcode Fuzzy Hash: e2e17bcd5ea5e81b917f5bee54899a1cb80f56c66da1e4ac8e5891d29c3c3314
Instruction Fuzzy Hash: FC429322A09F8295EB58AF2195503B9A3B0FF59BE8F480135CF5E47745DF38E56E8320

Function 00007FF7197BA310 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 161
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getpeername.WS2_32 ref: 00007FF7197BA37C
WSAGetLastError.WS2_32 ref: 00007FF7197BA386

Part of subcall function 00007FF7197A2AD0: GetLastError.KERNEL32 ref: 00007FF7197A2AF2
Part of subcall function 00007FF7197A2AD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2AFA

getsockname.WS2_32 ref: 00007FF7197BA406
WSAGetLastError.WS2_32 ref: 00007FF7197BA410

Strings

getpeername() failed with errno %d: %s, xrefs: 00007FF7197BA3A6
ssloc inet_ntop() failed with errno %d: %s, xrefs: 00007FF7197BA52C
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00007FF7197BA496
getsockname() failed with errno %d: %s, xrefs: 00007FF7197BA430

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_errnogetpeernamegetsockname
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 2911674258-670633250
Opcode ID: 23bd2806dbeffc762be87214f42f8eaca9b8138416de4aff16d44993728ebbe6
Instruction ID: 52887b32d8312f764561d922960b83c4ee96d63bcff4c27f42671df59ef260f6
Opcode Fuzzy Hash: 23bd2806dbeffc762be87214f42f8eaca9b8138416de4aff16d44993728ebbe6
Instruction Fuzzy Hash: 5F918E72A19AC186D710EF25D4442E9B3B0FB9DB9CF845235DE4D47615EF38E28AC720

Function 00007FF7197CA950 Relevance: 19.6, APIs: 13, Instructions: 128
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 00007FF7197CA972
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CA9DE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAA18
memcpy.VCRUNTIME140(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAA31
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAA3F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAA7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAA83
freeaddrinfo.WS2_32(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAAB1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAAC5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAACF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAADC
WSASetLastError.WS2_32(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAAFD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$ErrorLast_strdupfreeaddrinfogetaddrinfomemcpy
String ID:
API String ID: 2364279375-0
Opcode ID: 826810ee5a9ebccdab44c80232c07f21e8297b43653121451e59b1d0358431ae
Instruction ID: bbd1c626558404071a24c2d953e7cd10eee0d3e9d1d48f568c2d2fb81a861b7f
Opcode Fuzzy Hash: 826810ee5a9ebccdab44c80232c07f21e8297b43653121451e59b1d0358431ae
Instruction Fuzzy Hash: 06513A35A19F4286EA69AF11A640129B7B0FF48BF9F844035DE4E13750DF3CE85E8720

Function 00007FF7197C8260 Relevance: 16.7, APIs: 11, Instructions: 241sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF7197C82BD
Sleep.KERNEL32 ref: 00007FF7197C82CE
WSASetLastError.WS2_32 ref: 00007FF7197C8438
Sleep.KERNEL32 ref: 00007FF7197C8449
__WSAFDIsSet.WS2_32 ref: 00007FF7197C84FC
__WSAFDIsSet.WS2_32 ref: 00007FF7197C8513
__WSAFDIsSet.WS2_32 ref: 00007FF7197C852E
__WSAFDIsSet.WS2_32 ref: 00007FF7197C8542
__WSAFDIsSet.WS2_32 ref: 00007FF7197C855D
__WSAFDIsSet.WS2_32 ref: 00007FF7197C8571

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 5889fa0345c52cd6d4f581f2939be173a8a84ba2c72307cee304e578530dd025
Instruction ID: 2aab84320806b9964f4d8f248b4f366b29e8533e80d4d8d1823c66c49f3984e2
Opcode Fuzzy Hash: 5889fa0345c52cd6d4f581f2939be173a8a84ba2c72307cee304e578530dd025
Instruction Fuzzy Hash: B191D821B2CE4386E764AE14A8442F9E2B1FF487FCF945135D91987BC4DF39EA4E8211

Function 00007FF71979F71E Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979F883
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979F8D2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979F9A3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979F9AA

Strings

xf, xrefs: 00007FF71979F7A3
Bf, xrefs: 00007FF71979F7D9
f, xrefs: 00007FF71979F73A
Sf, xrefs: 00007FF71979F7C8
gf, xrefs: 00007FF71979F7B4

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Bf$Sf$gf$xf$f
API String ID: 3668304517-3071979009
Opcode ID: 999b8fb6704ed6e37762fee42026d656bd3a39c9b5e56b52890205e6f3a96b13
Instruction ID: c2d7a787fe0f0ebb47eb5f7fab202d952a053c7f55548b28a5e1b7b56adfd8ca
Opcode Fuzzy Hash: 999b8fb6704ed6e37762fee42026d656bd3a39c9b5e56b52890205e6f3a96b13
Instruction Fuzzy Hash: AA719F62A18A8195FB04EF75D4143BDA331EF49BF8F804635CA5D16ACADF3C958E8350

Function 00007FF7197A241E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF7197A23B9
strchr.VCRUNTIME140 ref: 00007FF7197A23E0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A287F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A288A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2895
GetLastError.KERNEL32 ref: 00007FF7197A289E
SetLastError.KERNEL32 ref: 00007FF7197A28AA

Strings

SEC_E_BAD_PKGID, xrefs: 00007FF7197A241E
%s - %s, xrefs: 00007FF7197A2869
%s (0x%08X), xrefs: 00007FF7197A2365

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_PKGID
API String ID: 600764987-1052566392
Opcode ID: c312e47bae083d480977d69b78fcc56b3f3cc5f565424858d79991b1b3b6a96f
Instruction ID: 67a8a828896154189231697db0547bb1739eebed519a9eda06589a8c15ffbcb6
Opcode Fuzzy Hash: c312e47bae083d480977d69b78fcc56b3f3cc5f565424858d79991b1b3b6a96f
Instruction Fuzzy Hash: 06314662A0DFC186E725AF20E4543AAB774FF88BA9F840035DA5D02A95DF3CD54EC724

Function 00007FF7197A2436 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF7197A23B9
strchr.VCRUNTIME140 ref: 00007FF7197A23E0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A287F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A288A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2895
GetLastError.KERNEL32 ref: 00007FF7197A289E
SetLastError.KERNEL32 ref: 00007FF7197A28AA

Strings

%s - %s, xrefs: 00007FF7197A2869
SEC_E_CANNOT_INSTALL, xrefs: 00007FF7197A2436
%s (0x%08X), xrefs: 00007FF7197A2365

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_INSTALL
API String ID: 600764987-2628789574
Opcode ID: eb913ce04ae3934b53e2c9b669eae7c99e9a923e22017345ee08d1cb073886d2
Instruction ID: f7aed90468d3a7f31b70029efd1b0b88f04eca7ed487547756d340c6ad832b60
Opcode Fuzzy Hash: eb913ce04ae3934b53e2c9b669eae7c99e9a923e22017345ee08d1cb073886d2
Instruction Fuzzy Hash: E8314662A0DFC186E725AF20E4543AAB774FF88BA9F840035DA5D02A95DF3CD54DC724

Function 00007FF7197A242A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF7197A23B9
strchr.VCRUNTIME140 ref: 00007FF7197A23E0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A287F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A288A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2895
GetLastError.KERNEL32 ref: 00007FF7197A289E
SetLastError.KERNEL32 ref: 00007FF7197A28AA

Strings

%s - %s, xrefs: 00007FF7197A2869
%s (0x%08X), xrefs: 00007FF7197A2365
SEC_E_BUFFER_TOO_SMALL, xrefs: 00007FF7197A242A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BUFFER_TOO_SMALL
API String ID: 600764987-1965992168
Opcode ID: f2b9e5b0b13f6187cca1c1fe9717c9c3dabd0cfd0a73d5400d8c5b097cc57c44
Instruction ID: cc30dfc3b7cf5a6819533dcc1a75b00d1c742412b66f2c12654019be5a50c6f6
Opcode Fuzzy Hash: f2b9e5b0b13f6187cca1c1fe9717c9c3dabd0cfd0a73d5400d8c5b097cc57c44
Instruction Fuzzy Hash: 6A314862A0DFC186E725AF20E4543AAB774FF88BA9F840035DA5D02A95DF3CD54DC724

Function 00007FF7197A2442 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF7197A23B9
strchr.VCRUNTIME140 ref: 00007FF7197A23E0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A287F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A288A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2895
GetLastError.KERNEL32 ref: 00007FF7197A289E
SetLastError.KERNEL32 ref: 00007FF7197A28AA

Strings

%s - %s, xrefs: 00007FF7197A2869
%s (0x%08X), xrefs: 00007FF7197A2365
SEC_E_CANNOT_PACK, xrefs: 00007FF7197A2442

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_PACK
API String ID: 600764987-1502336670
Opcode ID: 3cf75d6b14f47e79712e35c80e1940203620386dd547da0375d54fb62db18446
Instruction ID: c42df418c7602c68514d80f33623440669c761e330877bab9438a7e708e8d1ff
Opcode Fuzzy Hash: 3cf75d6b14f47e79712e35c80e1940203620386dd547da0375d54fb62db18446
Instruction Fuzzy Hash: F4314662A0DFC186E725AF20E4543AAB774FF88BA9F840035DA5D02A95DF3CD54DC724

Function 00007FF7197A244E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF7197A23B9
strchr.VCRUNTIME140 ref: 00007FF7197A23E0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A287F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A288A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2895
GetLastError.KERNEL32 ref: 00007FF7197A289E
SetLastError.KERNEL32 ref: 00007FF7197A28AA

Strings

%s - %s, xrefs: 00007FF7197A2869
SEC_E_CERT_EXPIRED, xrefs: 00007FF7197A244E
%s (0x%08X), xrefs: 00007FF7197A2365

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_EXPIRED
API String ID: 600764987-3862749013
Opcode ID: 47fac95866ffedb9a8389d01e73e41f08162380b91e2dcd653d7b1f9c4bb4ccf
Instruction ID: 90944944e3fd2758e5861e97539d96570fe6d7ddd32fd359953cfc1f2ca60d72
Opcode Fuzzy Hash: 47fac95866ffedb9a8389d01e73e41f08162380b91e2dcd653d7b1f9c4bb4ccf
Instruction Fuzzy Hash: 93314662A0DFC186E725AF20E4543AAB774FF88BA9F840035DA5D02A95DF3CD54DC724

Function 00007FF7197A245A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF7197A23B9
strchr.VCRUNTIME140 ref: 00007FF7197A23E0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A287F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A288A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2895
GetLastError.KERNEL32 ref: 00007FF7197A289E
SetLastError.KERNEL32 ref: 00007FF7197A28AA

Strings

%s - %s, xrefs: 00007FF7197A2869
SEC_E_CERT_UNKNOWN, xrefs: 00007FF7197A245A
%s (0x%08X), xrefs: 00007FF7197A2365

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_UNKNOWN
API String ID: 600764987-1381340633
Opcode ID: d2d92c8171a57b81ea33b8349c1409968bb8b34de7506742a25f06a5e623c7aa
Instruction ID: 469583c24394317a55c05c0152e81fe896b89996474c5127e67841060a2d696b
Opcode Fuzzy Hash: d2d92c8171a57b81ea33b8349c1409968bb8b34de7506742a25f06a5e623c7aa
Instruction Fuzzy Hash: 73314662A0DFC186E725AF20E4543AAB774FF88BA9F840035DA5D02A95DF3CD54DC724

Function 00007FF7197A2412 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF7197A23B9
strchr.VCRUNTIME140 ref: 00007FF7197A23E0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A287F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A288A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2895
GetLastError.KERNEL32 ref: 00007FF7197A289E
SetLastError.KERNEL32 ref: 00007FF7197A28AA

Strings

SEC_E_BAD_BINDINGS, xrefs: 00007FF7197A2412
%s - %s, xrefs: 00007FF7197A2869
%s (0x%08X), xrefs: 00007FF7197A2365

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_BINDINGS
API String ID: 600764987-2710416593
Opcode ID: ef126b83569338c8dd8d32fe558353e1f5ca4ef4cae622e2af4e5c83a358bc3f
Instruction ID: cad73f3ea97b8b7de9cf35b4d0b8b2ca610a1a64c7ce88e574ac5f5005c7b9db
Opcode Fuzzy Hash: ef126b83569338c8dd8d32fe558353e1f5ca4ef4cae622e2af4e5c83a358bc3f
Instruction Fuzzy Hash: 25314662A0DFC186E725AF20E4543AAB774FF88BA9F840035DA5D02A95DF3CD54DC724

Function 00007FF7197A235E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF7197A23B9
strchr.VCRUNTIME140 ref: 00007FF7197A23E0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A287F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A288A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2895
GetLastError.KERNEL32 ref: 00007FF7197A289E
SetLastError.KERNEL32 ref: 00007FF7197A28AA

Strings

SEC_E_ALGORITHM_MISMATCH, xrefs: 00007FF7197A235E
%s - %s, xrefs: 00007FF7197A2869
%s (0x%08X), xrefs: 00007FF7197A2365

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_ALGORITHM_MISMATCH
API String ID: 600764987-618797061
Opcode ID: da9e4016f1700bcfd8279e04b10e7bbff56ef87a166a106093475dc8f015fee7
Instruction ID: d2ac8749c0f1792bf1c1ab9c8c27888d3fcf6ebe659dc15c1464078b2dbf85aa
Opcode Fuzzy Hash: da9e4016f1700bcfd8279e04b10e7bbff56ef87a166a106093475dc8f015fee7
Instruction Fuzzy Hash: CD314662A0DAC186E721AF20E4543AAB775FF88BA9F840035DA9D02A55DF3CD54DC720

Function 00007FF7197B4970 Relevance: 15.2, APIs: 10, Instructions: 153COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197A36B1,?,?,?,?,00007FF71979F692), ref: 00007FF7197B4988
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B49D1

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 72d853f823ea88fc251c2802e34ed2d947989ce0a54d5650297b26ed064931ff
Instruction ID: 95b7d4e5cd4fd791fe5965b4920cce609112dadaf4f8fd3d19248e98f032fb8b
Opcode Fuzzy Hash: 72d853f823ea88fc251c2802e34ed2d947989ce0a54d5650297b26ed064931ff
Instruction Fuzzy Hash: 5E913C32908BC186E3009F34D4043E877A0FB59B6CF485239DE9D1B796DF7AA199C720

Function 00007FF7197B7FB0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7FFF

Strings

Couldn't resolve proxy '%s', xrefs: 00007FF7197B81DC
Couldn't resolve host '%s', xrefs: 00007FF7197B8131
Unix socket path too long: '%s', xrefs: 00007FF7197B8056

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: calloc
String ID: Couldn't resolve host '%s'$Couldn't resolve proxy '%s'$Unix socket path too long: '%s'
API String ID: 2635317215-3812100122
Opcode ID: bd6f99720c1bb92e00a543da0e9cac06eca5ebf4a937b02936f022757b2017d9
Instruction ID: 9d2e718405790450bdf88cac032767e0dcefeb8dee568eb8b8dfd0b4e4c09d3f
Opcode Fuzzy Hash: bd6f99720c1bb92e00a543da0e9cac06eca5ebf4a937b02936f022757b2017d9
Instruction Fuzzy Hash: 1951D322B0DE428AF619AF2594403F9A6A0EF587E8F540035DB5E473A0DF3DE65E8721

Function 00007FF71979B690 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 135processCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71978F740: memcpy.VCRUNTIME140(?,?,?,00000000,?,?,?,00007FF71979B6D0), ref: 00007FF71978F84E
Part of subcall function 00007FF71978F740: memcpy.VCRUNTIME140(?,?,?,00000000,?,?,?,00007FF71979B6D0), ref: 00007FF71978F85D

memcpy.VCRUNTIME140 ref: 00007FF71979B70F
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B782
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B7BC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B80F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B88D

Strings

&& timeout /t 5", xrefs: 00007FF71979B705, 00007FF71979B723
start cmd /C "color b && title Error && echo , xrefs: 00007FF71979B6BF

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy$system
String ID: && timeout /t 5"$start cmd /C "color b && title Error && echo
API String ID: 2264491462-3357973498
Opcode ID: 4b8a51feb1037063bb059112d8736458dad7ce0213eee081cab864378eab82be
Instruction ID: 2be03363947ba78d7e5b345e5e1a21d4b79a17da605d5653873975b5967704df
Opcode Fuzzy Hash: 4b8a51feb1037063bb059112d8736458dad7ce0213eee081cab864378eab82be
Instruction Fuzzy Hash: 10517162A18F8582EB04DF25E454379A371FF89BE8F905235DAAD02795DF6CE08D8350

Function 00007FF7197AE260 Relevance: 12.1, APIs: 8, Instructions: 67networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197CA950: getaddrinfo.WS2_32 ref: 00007FF7197CA972
Part of subcall function 00007FF7197CA950: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CA9DE
Part of subcall function 00007FF7197CA950: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAA18
Part of subcall function 00007FF7197CA950: memcpy.VCRUNTIME140(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAA31
Part of subcall function 00007FF7197CA950: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAA3F
Part of subcall function 00007FF7197CA950: freeaddrinfo.WS2_32(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAAB1
Part of subcall function 00007FF7197CA950: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAAC5
Part of subcall function 00007FF7197CA950: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAACF
Part of subcall function 00007FF7197CA950: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197AE2B5), ref: 00007FF7197CAADC

WSAGetLastError.WS2_32 ref: 00007FF7197AE2BB
WSAGetLastError.WS2_32 ref: 00007FF7197AE2C5
EnterCriticalSection.KERNEL32 ref: 00007FF7197AE2E0
LeaveCriticalSection.KERNEL32 ref: 00007FF7197AE2EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE300
send.WS2_32 ref: 00007FF7197AE323
WSAGetLastError.WS2_32 ref: 00007FF7197AE32D
LeaveCriticalSection.KERNEL32 ref: 00007FF7197AE340

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalErrorLastSection$Leavemalloc$Enter_strdupfreeaddrinfogetaddrinfomemcpysend
String ID:
API String ID: 506363382-0
Opcode ID: 34d92b24159a85357c38d0ada56053ba7442cf5bdefc3c4fdf4df049145647d0
Instruction ID: 88e0715e7de33eca844fb77fff840597cc03a48d6053dbeff4dc428837974e88
Opcode Fuzzy Hash: 34d92b24159a85357c38d0ada56053ba7442cf5bdefc3c4fdf4df049145647d0
Instruction Fuzzy Hash: 01312F32A08E4286E750AF25E454269A7B0FF88FECF940131DA5E92694DF3CE44EC760

Function 00007FF7197C7EC0 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF7197C7F26
WSASetLastError.WS2_32 ref: 00007FF7197C80E6
Sleep.KERNEL32 ref: 00007FF7197C80F6
__WSAFDIsSet.WS2_32 ref: 00007FF7197C820A
__WSAFDIsSet.WS2_32 ref: 00007FF7197C8222
Sleep.KERNEL32 ref: 00007FF7197C824D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: d95a31798d0151bcaeb50a7a4601c107789cf2f957820e7c3fa37ea77088056e
Instruction ID: 84103ed3b5f7f477aa3446ddf80cb10402c9d4f926c731b11e25d23c1d5c922b
Opcode Fuzzy Hash: d95a31798d0151bcaeb50a7a4601c107789cf2f957820e7c3fa37ea77088056e
Instruction Fuzzy Hash: 39A1D921A28E5386E7695E1598003F9E2B5FF48BF8F944238E929477C4DF3DD94E8311

Function 00007FF7197A9DD0 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197AE010: EnterCriticalSection.KERNEL32 ref: 00007FF7197AE163
Part of subcall function 00007FF7197AE010: LeaveCriticalSection.KERNEL32 ref: 00007FF7197AE177
Part of subcall function 00007FF7197AE010: CloseHandle.KERNEL32 ref: 00007FF7197AE184
Part of subcall function 00007FF7197AE010: closesocket.WS2_32 ref: 00007FF7197AE1C4
Part of subcall function 00007FF7197AE010: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE1DD

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A9E1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A9E35
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A9F62
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A9F8E

Strings

mw1 chair, xrefs: 00007FF7197A9DD4
Connection #%ld to host %s left intact, xrefs: 00007FF7197AA04B
%s, xrefs: 00007FF7197AA097

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalSection$CloseEnterHandleLeaveclosesocket
String ID: %s$Connection #%ld to host %s left intact$mw1 chair
API String ID: 1742564213-708184411
Opcode ID: 14fc8627047496365cab5282c789d4c3397d654a0d5ae097a18192cd864e3027
Instruction ID: 37bf294d8bd0f6cf2afae1d56f465361df3dc80e96bb7c900015d4ced2309390
Opcode Fuzzy Hash: 14fc8627047496365cab5282c789d4c3397d654a0d5ae097a18192cd864e3027
Instruction Fuzzy Hash: 48916236A08E8182E758BF2595403B9A3B1FF49FE8F884431DE4E07255DF39E56E8760

Function 00007FF7197CB130 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CB35A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CB39F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CB3C7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CB409

Strings

schannel: shutting down SSL/TLS connection with %s port %hu, xrefs: 00007FF7197CB1AE
schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 00007FF7197CB323
schannel: ApplyControlToken failure: %s, xrefs: 00007FF7197CB238

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
API String ID: 1294909896-116363806
Opcode ID: c55f672c7333a6716099094c61bfd1cbbbf754fcfb7bdccba06579440c176d2e
Instruction ID: a424f53a830e9698fc21b0bc5f9961a3d8f42528e86f2813eef5e5c1837ca3b8
Opcode Fuzzy Hash: c55f672c7333a6716099094c61bfd1cbbbf754fcfb7bdccba06579440c176d2e
Instruction Fuzzy Hash: 94915B32608F4186EB109F25E8506AEB7B4FB88BE9F840136DE4D47B64DF38D55ACB10

Function 00007FF7197B51E0 Relevance: 9.2, APIs: 6, Instructions: 161COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF7197B5A5B), ref: 00007FF7197B51F7
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF7197B5A5B), ref: 00007FF7197B5228

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 50987c5cad14bdfcda24b30612eb1aa8d4050ebd4d327836e1914b9a10a96704
Instruction ID: 53df5b20c32cedaf7a0208cc364fce491b009fb119ce929ef934f59ec56918af
Opcode Fuzzy Hash: 50987c5cad14bdfcda24b30612eb1aa8d4050ebd4d327836e1914b9a10a96704
Instruction Fuzzy Hash: AA91AC22609BC189D7459F3894403AD7BA0FB59B6CF480235CFAD4B3D6DF3992A9C721

Function 00007FF7197B4250 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B427B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4291

Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B40AD
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B40CA
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B40DE
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B40FA
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4117
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B413A
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B414E
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4162
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4188
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B419C
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B41B0
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B41FF
Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B420C

Part of subcall function 00007FF7197B4030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4235

memset.VCRUNTIME140 ref: 00007FF7197B42C5

Strings

Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF7197B44A1
User-Agent: %s, xrefs: 00007FF7197B435F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$memset
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 2717317152-3248832348
Opcode ID: 46516f5f89a36fd41fa8d3f8aa0d933426d5d903802ef5b1c03d2c1d1f58118e
Instruction ID: 5a306ae4c5ebaf290a45d980b220051fe5e3f3aa771210fdd19c6a5024f0d363
Opcode Fuzzy Hash: 46516f5f89a36fd41fa8d3f8aa0d933426d5d903802ef5b1c03d2c1d1f58118e
Instruction Fuzzy Hash: 7B71526290CEC185E751EF2594103BDA760EFA9FECF884131DA5E4B295DF38E65E8320

Function 00007FF7197AE130 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7197AE163
LeaveCriticalSection.KERNEL32 ref: 00007FF7197AE177
CloseHandle.KERNEL32 ref: 00007FF7197AE184
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE1A6
closesocket.WS2_32 ref: 00007FF7197AE1C4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE1DD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: 90c15c59037da5175e91b1f97d9db1e39e4c3b9db4a617c0b516e91113119501
Instruction ID: 604432b7cab37e8d58537b580242e268bf1850f208f5b329cb89b63fc955e345
Opcode Fuzzy Hash: 90c15c59037da5175e91b1f97d9db1e39e4c3b9db4a617c0b516e91113119501
Instruction Fuzzy Hash: 8121E836A08E5186E720AF12E584269A370FF9DBA4F444131DF8D43B51DF38E4AE8720

Function 00007FF7197B8EE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8FA6
recv.WS2_32 ref: 00007FF7197B8FD0
send.WS2_32 ref: 00007FF7197B8FF3
WSAGetLastError.WS2_32 ref: 00007FF7197B9005

Strings

Send failure: %s, xrefs: 00007FF7197B9035

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastmallocrecvsend
String ID: Send failure: %s
API String ID: 25851408-857917747
Opcode ID: f7caa862d7d0562d6a326ef744cd5be1dbdbfc6008a7b94c6162be3df3c7598e
Instruction ID: ff2d51019163a02c4b0ee95233ab315b9e3ad72c8e2982184a77ac12ed6bdff9
Opcode Fuzzy Hash: f7caa862d7d0562d6a326ef744cd5be1dbdbfc6008a7b94c6162be3df3c7598e
Instruction Fuzzy Hash: 5D417D32705B4189EB60AF25A8447B9A2A1AF59BFCF844135DE6E47794DE38D14EC310

Function 00007FF7197A8C90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A8CAD
closesocket.WS2_32 ref: 00007FF7197A8DB9
closesocket.WS2_32 ref: 00007FF7197A8DC6

Strings

d, xrefs: 00007FF7197A8D59

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: closesocket$calloc
String ID: d
API String ID: 2958813939-2564639436
Opcode ID: dc96643bf28bd306c5f1ace07b0758f16f93c7f2ff44c8bbdf56e9a8f08e671b
Instruction ID: be826058ff2c1899ff8dbbd40443cb3460f85764a56fffda353322680cc58f9f
Opcode Fuzzy Hash: dc96643bf28bd306c5f1ace07b0758f16f93c7f2ff44c8bbdf56e9a8f08e671b
Instruction Fuzzy Hash: 6B411D35608E4292E740BF35D4542E9A271FF9CBB8F884235DA5D462DAEF38D54E8360

Function 00007FF7197E43F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197BB5D0: GetModuleHandleA.KERNEL32(00000000,?,00000000,00007FF7197E442A,?,?,?,?,00007FF7197BB95B), ref: 00007FF7197BB5E4

GetProcAddressForCaller.KERNELBASE(?,?,?,?,00007FF7197BB95B), ref: 00007FF7197E4440

Strings

secur32.dll, xrefs: 00007FF7197E4413
InitSecurityInterfaceA, xrefs: 00007FF7197E4436
security.dll, xrefs: 00007FF7197E441A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: AddressCallerHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2084706301-3788156360
Opcode ID: 749552f60eb2127888e98b67cffdfbbd08535677c87377954582435b4fb00ed6
Instruction ID: 63b030fe56fc07bb6913af14581f3573df845e99709e7a5b6b9f31bdcfe5a06d
Opcode Fuzzy Hash: 749552f60eb2127888e98b67cffdfbbd08535677c87377954582435b4fb00ed6
Instruction Fuzzy Hash: 74F01960F09F0785FF95BF15A881770A2B06F6ABA8FC84435C80D52291EE7CA16F8360

Function 00007FF7197C3550 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3650

Part of subcall function 00007FF7197C3BE0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3C3A

Part of subcall function 00007FF7197C3990: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3A28
Part of subcall function 00007FF7197C3990: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3A31

Strings

TCP6, xrefs: 00007FF7197C35D7
TCP4, xrefs: 00007FF7197C35EA
PROXY %s %s %s %li %li, xrefs: 00007FF7197C3624

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$calloc
String ID: PROXY %s %s %s %li %li$TCP4$TCP6
API String ID: 3095843317-1242256665
Opcode ID: c396e27ed7a239927dfce4a08ab9b8c93f010392e7d2b45e33ff45d3352210b8
Instruction ID: 4739716b410035fcda7dccd18f8dc5701ed25230df126670274ed5b0e84fa75b
Opcode Fuzzy Hash: c396e27ed7a239927dfce4a08ab9b8c93f010392e7d2b45e33ff45d3352210b8
Instruction Fuzzy Hash: 6C41A831A1CA8386E754EF25A4403B9A7B1AF897ECF844032EA8D57785DE3DD51EC720

Function 00007FF7197CBD00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

SSL/TLS connection timeout, xrefs: 00007FF7197CBE5C
select/poll on SSL/TLS socket, errno: %d, xrefs: 00007FF7197CBE43

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: 1d7a4d072cdd2c6e46df6e4551e4d0a56e12c4a59ab16b47baf55204849aa488
Instruction ID: c9863e2ff5dd939518fd862895a24b8820deac6982d7944b58321f583cb22a8f
Opcode Fuzzy Hash: 1d7a4d072cdd2c6e46df6e4551e4d0a56e12c4a59ab16b47baf55204849aa488
Instruction Fuzzy Hash: A7518121A18E4785EB94AF2195452B9A7A0EF48FFCF944231EA2D473D4DE3CE44ED320

Function 00007FF7197A8E90 Relevance: 4.8, APIs: 3, Instructions: 309networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7197A9286
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A92A7

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freerecv
String ID:
API String ID: 2032557106-0
Opcode ID: 2b7179c2e53bdcc627888a6c325a1966c3b745451b4a8e8bc75eedb3cb8ff2e2
Instruction ID: 32dda4ce001783682a6c9b5cf25fed43947af419bb563d313e593d88e6d30696
Opcode Fuzzy Hash: 2b7179c2e53bdcc627888a6c325a1966c3b745451b4a8e8bc75eedb3cb8ff2e2
Instruction Fuzzy Hash: AAC1B736608A8285EB659E1594447BAA3B0FF48BFCF984235DE5E437C4EE3CD85E8710

Function 00007FF7197B4F50 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4FB5

Strings

Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF7197B50F4
User-Agent: %s, xrefs: 00007FF7197B4FC6

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 1294909896-3248832348
Opcode ID: 424f4a392657ad6d2764c8e514688c217f27326b06242757cd0048e651768efa
Instruction ID: b68293a8fc03946f723ab5d7d44bfc87f0d9b7dfdaa786adf5786cd05bf547f1
Opcode Fuzzy Hash: 424f4a392657ad6d2764c8e514688c217f27326b06242757cd0048e651768efa
Instruction Fuzzy Hash: 8E518162A08AC181E7519F35D0403E9A760EB99BECF484131DF5E0B399DF79D59AC360

Function 00007FF7197B8D00 Relevance: 3.0, APIs: 2, Instructions: 23networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7197B8D0C
WSAGetLastError.WS2_32 ref: 00007FF7197B8D1B

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 20e57d370d5a4562b334f604a10441347382489be41bd7eccfc8f966b83bbee2
Instruction ID: cc1d917f3dc35fc0f260f89da75c967fa9636a84d8fb81cd352feb5efba38ccd
Opcode Fuzzy Hash: 20e57d370d5a4562b334f604a10441347382489be41bd7eccfc8f966b83bbee2
Instruction Fuzzy Hash: E6E0DF21F0890583FF286B70B85937851A5DF98B75F885374CA3A863C0EA2C44DA4320

Function 00007FF7197CB020 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32 ref: 00007FF7197CB038
CloseHandle.KERNELBASE ref: 00007FF7197CB048

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleObjectSingleWait
String ID:
API String ID: 528846559-0
Opcode ID: 8a11b43826a5c1d2fe062743faa585eb1cc7c3fe793f9c8501c6c020771fb244
Instruction ID: f4cc846ef4bb466819359c72c0d642832ad571018a814f9983fe2fee406bd108
Opcode Fuzzy Hash: 8a11b43826a5c1d2fe062743faa585eb1cc7c3fe793f9c8501c6c020771fb244
Instruction Fuzzy Hash: 00E0BF37714E8283DB405FBAF59472A6260EB8CBE4F549130EA69437A4DF38C4A98700

Function 00007FF7197ADEC0 Relevance: 2.6, APIs: 2, Instructions: 84COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,-00000001,?,00007FF7197C1035), ref: 00007FF7197ADEFF
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,-00000001,?,00007FF7197C1035), ref: 00007FF7197ADF0C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b8d37040b4e5ad0de564752d1a004a95ad015ce422d3aba9948c6b9beccfb232
Instruction ID: 9fd9753f1bb1bde96e3f24bd89f931940c4660772cf27919f060421eca95e4b2
Opcode Fuzzy Hash: b8d37040b4e5ad0de564752d1a004a95ad015ce422d3aba9948c6b9beccfb232
Instruction Fuzzy Hash: 42314132A08E8183E714EF15D5502A9A3B0FF58F98F544435DB5E43B55DF38E59A8710

Function 00007FF7197B95E0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF7197B9623

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 5a1019d261a828d2997fd3be63db00cb255fb9f4cb533f7a408f908a227f19b4
Instruction ID: fa8c0c4a7e4d18846e3970d86815f01fa490e4f165e906ada0a3328d45c6c827
Opcode Fuzzy Hash: 5a1019d261a828d2997fd3be63db00cb255fb9f4cb533f7a408f908a227f19b4
Instruction Fuzzy Hash: 33018421B0A94181EB54EF2AD1593ADA2B0EF9CFDCF485031D71E47291DE28D49E8711

Function 00007FF7197C0370 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF7197C0399

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: eb828bb8e6cf67ca4620dac37dd72dfff1fd979d3311dd17075bff24d790287a
Instruction ID: 8b1a7f19cfa7f61d4d000b781d7a5c0d1797ebadc4079d66433f689661e7d491
Opcode Fuzzy Hash: eb828bb8e6cf67ca4620dac37dd72dfff1fd979d3311dd17075bff24d790287a
Instruction Fuzzy Hash: 3FE09B36E1694183DE097B3584511792371AF95BB8FC44375C53D023D0DD2DD25F9B10

Function 00007FF7197CAFD0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197CAFEB

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: ffa20f5c86af0c71820ec21381e1c222c80a4396c08846a17e0aaa1445935150
Instruction ID: d8bdb8e330f49be7f3f6c5779eef665627f9acb63300fad0cbaf53ab129af987
Opcode Fuzzy Hash: ffa20f5c86af0c71820ec21381e1c222c80a4396c08846a17e0aaa1445935150
Instruction Fuzzy Hash: 13D02B63718A00439F10DF76A844029E351BB8C7B4B884338AE7D827E4EB3CD24A4600

Function 00007FF7197C6F10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF7197C6F29

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 748b9091ed51b69ea683cab6bc317e1796865a5c3fb811f049a1f8a1912088da
Instruction ID: 6ef1a0d94bb1ec78e0990b2d31e47257ff5c178be5612c309cf184763245b679
Opcode Fuzzy Hash: 748b9091ed51b69ea683cab6bc317e1796865a5c3fb811f049a1f8a1912088da
Instruction Fuzzy Hash: D8C08056F149C1C3C3446F655485087A7B2FFC4654FD55435D10741128ED3CD2AD8B50

Non-executed Functions

Function 00007FF7197C4B10 Relevance: 127.2, APIs: 25, Strings: 47, Instructions: 1228stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197C5CD3

Part of subcall function 00007FF7197B8980: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C25
Part of subcall function 00007FF7197B8980: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C40

memchr.VCRUNTIME140 ref: 00007FF7197C5DC6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197C5EDE
strchr.VCRUNTIME140 ref: 00007FF7197C5EF2
strchr.VCRUNTIME140 ref: 00007FF7197C5F1A
strchr.VCRUNTIME140 ref: 00007FF7197C5F30

Strings

HTTP/1.0 connection set to keep alive!, xrefs: 00007FF7197C54DB
Received HTTP/0.9 when not allowed, xrefs: 00007FF7197C5E3B
RTSP/%1d.%1d%c%3d, xrefs: 00007FF7197C4E9D
Proxy-authenticate:, xrefs: 00007FF7197C57D1
Got 417 while waiting for a 100, xrefs: 00007FF7197C5CB3
HTTP/, xrefs: 00007FF7197C4E19
WWW-Authenticate:, xrefs: 00007FF7197C57A6
, xrefs: 00007FF7197C4CFC
no chunk, no close, no size. Assume close to signal end, xrefs: 00007FF7197C5AC6
HTTP error before end of send, stop sending, xrefs: 00007FF7197C5D1D
Location:, xrefs: 00007FF7197C58DE
Proxy-Connection:, xrefs: 00007FF7197C5143, 00007FF7197C521C
Maximum file size exceeded, xrefs: 00007FF7197C5F6F
HTTP, xrefs: 00007FF7197C5ECE
The requested URL returned error: %d, xrefs: 00007FF7197C60A3
The requested URL returned error: %s, xrefs: 00007FF7197C5F47
RTSP/, xrefs: 00007FF7197C4C04
Lying server, not serving HTTP/2, xrefs: 00007FF7197C4D2C
HTTP/%1[23] %d, xrefs: 00007FF7197C4CD4
HTTP %3d, xrefs: 00007FF7197C4D78
Keep sending data to get tossed away!, xrefs: 00007FF7197C5D6C
Connection closure while negotiating auth (HTTP 1.0?), xrefs: 00007FF7197C5B1C, 00007FF7197C5B68
Mark bundle as not supporting multiuse, xrefs: 00007FF7197C4D4F
false, xrefs: 00007FF7197C5880
Negotiate: noauthpersist -> %d, header part: %s, xrefs: 00007FF7197C589C
close, xrefs: 00007FF7197C52A3, 00007FF7197C5423
Invalid Content-Length: value, xrefs: 00007FF7197C5F88
Content-Range:, xrefs: 00007FF7197C55DE
Unsupported HTTP version in response, xrefs: 00007FF7197C5EB1
HTTP/1.1 proxy connection set close!, xrefs: 00007FF7197C54BD
HTTP 1.0, assume close after body, xrefs: 00007FF7197C4F77
HTTP error before end of send, keep sending, xrefs: 00007FF7197C5CF9
keep-alive, xrefs: 00007FF7197C51D6, 00007FF7197C5366
HTTP/1.0 proxy connection set to keep alive!, xrefs: 00007FF7197C549C
, xrefs: 00007FF7197C4EB2
Retry-After:, xrefs: 00007FF7197C5553
Content-Type:, xrefs: 00007FF7197C50C6
Transfer-Encoding:, xrefs: 00007FF7197C545A
Set-Cookie:, xrefs: 00007FF7197C56A3
Received 101, xrefs: 00007FF7197C5FAB
Content-Length:, xrefs: 00007FF7197C501F
Content-Encoding:, xrefs: 00007FF7197C5511
Connection:, xrefs: 00007FF7197C52DB, 00007FF7197C5390
HTTP/%1d.%1d%c%3d, xrefs: 00007FF7197C4CA9
Last-Modified:, xrefs: 00007FF7197C5747
Persistent-Auth, xrefs: 00007FF7197C5842
Overflow Content-Length: value!, xrefs: 00007FF7197C50AB

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$fwrite$_strdupmemchrstrncmp
String ID: $ $ HTTP %3d$ HTTP/%1[23] %d$ HTTP/%1d.%1d%c%3d$ RTSP/%1d.%1d%c%3d$Connection closure while negotiating auth (HTTP 1.0?)$Connection:$Content-Encoding:$Content-Length:$Content-Range:$Content-Type:$Got 417 while waiting for a 100$HTTP$HTTP 1.0, assume close after body$HTTP error before end of send, keep sending$HTTP error before end of send, stop sending$HTTP/$HTTP/1.0 connection set to keep alive!$HTTP/1.0 proxy connection set to keep alive!$HTTP/1.1 proxy connection set close!$Invalid Content-Length: value$Keep sending data to get tossed away!$Last-Modified:$Location:$Lying server, not serving HTTP/2$Mark bundle as not supporting multiuse$Maximum file size exceeded$Negotiate: noauthpersist -> %d, header part: %s$Overflow Content-Length: value!$Persistent-Auth$Proxy-Connection:$Proxy-authenticate:$RTSP/$Received 101$Received HTTP/0.9 when not allowed$Retry-After:$Set-Cookie:$The requested URL returned error: %d$The requested URL returned error: %s$Transfer-Encoding:$Unsupported HTTP version in response$WWW-Authenticate:$close$false$keep-alive$no chunk, no close, no size. Assume close to signal end
API String ID: 3939785054-690044944
Opcode ID: a966fad93b7751da1a2eafffaedcf9b2cc46eaf9654dafc2a7450ccaa96eadad
Instruction ID: 0404f83b05530ab4540d4b7273176c1fea8823f4efd0568444ce71de96b6cf56
Opcode Fuzzy Hash: a966fad93b7751da1a2eafffaedcf9b2cc46eaf9654dafc2a7450ccaa96eadad
Instruction Fuzzy Hash: 23C28171A1CE8385EB54AF2584543F9A7B1AF49BFCF884135CE5D0B295EE2DA44EC320

Function 00007FF7197ABA50 Relevance: 105.7, APIs: 41, Strings: 19, Instructions: 728stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000000,?,00000000,?,?,00007FF7197AD2A7), ref: 00007FF7197ABAC0
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ABADB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ABB14
strchr.VCRUNTIME140 ref: 00007FF7197ABB27
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ABCA7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ABCC8
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ABCEB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ABCF8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ABD91
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ABD9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ABDB2
strchr.VCRUNTIME140 ref: 00007FF7197ABF9F
strchr.VCRUNTIME140 ref: 00007FF7197ABFB9
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC0AC
strchr.VCRUNTIME140 ref: 00007FF7197AC0D8
strrchr.VCRUNTIME140 ref: 00007FF7197AC0EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC10B
memcpy.VCRUNTIME140 ref: 00007FF7197AC124
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC198
strchr.VCRUNTIME140 ref: 00007FF7197AC1BB
strchr.VCRUNTIME140 ref: 00007FF7197AC1D0

Strings

domain, xrefs: 00007FF7197ABDD1
__Host-, xrefs: 00007FF7197ABCC1
expires, xrefs: 00007FF7197ABF35
max-age, xrefs: 00007FF7197ABF08
__Secure-, xrefs: 00007FF7197ABCA0
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF7197AC6D7
TRUE, xrefs: 00007FF7197AC207
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 00007FF7197AC02F
Replaced, xrefs: 00007FF7197AC6C1
version, xrefs: 00007FF7197ABEDB
#HttpOnly_, xrefs: 00007FF7197AC18E
skipped cookie with bad tailmatch domain: %s, xrefs: 00007FF7197ABEBE
%4095[^;=] =%4095[^;], xrefs: 00007FF7197ABB66
FALSE, xrefs: 00007FF7197AC20E, 00007FF7197AC40B
secure, xrefs: 00007FF7197ABD1E
Added, xrefs: 00007FF7197AC6CD
httponly, xrefs: 00007FF7197ABD56
localhost, xrefs: 00007FF7197ABDFF
path, xrefs: 00007FF7197ABD7D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdup$freestrncmp$_time64callocmallocmemcpystrrchr
String ID: #HttpOnly_$%4095[^;=] =%4095[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$domain$expires$httponly$localhost$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 2059720140-3844637060
Opcode ID: 41103d9851d4d4e19879cecec1e75071db510cede8e2293ef3ff4e83f9a20db5
Instruction ID: 54dba4e8c54407270dde9d99f70bbda857b064c7a1d82c9a3c22b357d81aa537
Opcode Fuzzy Hash: 41103d9851d4d4e19879cecec1e75071db510cede8e2293ef3ff4e83f9a20db5
Instruction Fuzzy Hash: 4A72A461E08F8695FB61AF25D440379E7B0AF58BECF8C0531DA4E46695EF2CE54E8320

Function 00007FF7197DF2D0 Relevance: 102.1, APIs: 45, Strings: 13, Instructions: 580COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197B8980: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C25
Part of subcall function 00007FF7197B8980: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C40

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DF35E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DF392
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DF39C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DF3B9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DF3CC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DF3D5
#22.WLDAP32 ref: 00007FF7197DF3E6
#211.WLDAP32 ref: 00007FF7197DF480
#217.WLDAP32 ref: 00007FF7197DF49C
#211.WLDAP32 ref: 00007FF7197DF4B5
#211.WLDAP32 ref: 00007FF7197DF4C7
#60.WLDAP32 ref: 00007FF7197DF4F7
#211.WLDAP32 ref: 00007FF7197DF612
#60.WLDAP32 ref: 00007FF7197DF637
#22.WLDAP32 ref: 00007FF7197DF6DA
#41.WLDAP32 ref: 00007FF7197DFAF6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DFB1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DFB28
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DFB48
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DFB5B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DFB64
#46.WLDAP32 ref: 00007FF7197DFB76

Strings

LDAP remote: %s, xrefs: 00007FF7197DF757
LDAP local: %s, xrefs: 00007FF7197DF3EC
LDAP local: trying to establish %s connection, xrefs: 00007FF7197DF419
There are more than %d entries, xrefs: 00007FF7197DFB06
LDAP local: Cannot connect to %s:%ld, xrefs: 00007FF7197DF51B
cleartext, xrefs: 00007FF7197DF40F
LDAP local: %s, xrefs: 00007FF7197DF347
;binary, xrefs: 00007FF7197DF960
LDAP local: LDAP Vendor = %s ; LDAP Version = %d, xrefs: 00007FF7197DF304
Microsoft Corporation., xrefs: 00007FF7197DF2F0
encrypted, xrefs: 00007FF7197DF42E
DN: , xrefs: 00007FF7197DF7D2
LDAP local: bind via ldap_win_bind %s, xrefs: 00007FF7197DF6E4

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$#211$fwrite$#217calloc
String ID: ;binary$DN: $LDAP local: %s$LDAP local: %s$LDAP local: Cannot connect to %s:%ld$LDAP local: LDAP Vendor = %s ; LDAP Version = %d$LDAP local: bind via ldap_win_bind %s$LDAP local: trying to establish %s connection$LDAP remote: %s$Microsoft Corporation.$There are more than %d entries$cleartext$encrypted
API String ID: 2742731861-78870445
Opcode ID: 0132037dcbb878a53ae2eb3e7c95ae34dbe9a0826bf8ec574caacb9de82dcfb9
Instruction ID: d7a0fd182d6a053ea1e738b3ff39755f66c468df55a3fe1a2e37a3aebfd67b08
Opcode Fuzzy Hash: 0132037dcbb878a53ae2eb3e7c95ae34dbe9a0826bf8ec574caacb9de82dcfb9
Instruction Fuzzy Hash: E7425E65B19E4286EB10AF6194542B9A7B1FF89BECF804031CE1E67794EE3CE54EC350

Function 00007FF7197E7A40 Relevance: 72.3, APIs: 17, Strings: 24, Instructions: 549encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF7197E7BAF
GetLastError.KERNEL32 ref: 00007FF7197E7BC2
CertCreateCertificateChainEngine.CRYPT32 ref: 00007FF7197E7C74
GetLastError.KERNEL32 ref: 00007FF7197E7C7E
CertGetCertificateChain.CRYPT32 ref: 00007FF7197E7D0B
GetLastError.KERNEL32 ref: 00007FF7197E7D15
CertGetNameStringA.CRYPT32 ref: 00007FF7197E7E83
CertFreeCertificateChainEngine.CRYPT32 ref: 00007FF7197E82FB
CertCloseStore.CRYPT32 ref: 00007FF7197E8310
CertFreeCertificateChain.CRYPT32 ref: 00007FF7197E8320
CertFreeCertificateContext.CRYPT32 ref: 00007FF7197E8330

Strings

schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 00007FF7197E7D7D
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF7197E7B81
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 00007FF7197E7DC2
schannel: failed to create certificate chain engine: %s, xrefs: 00007FF7197E7C98
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 00007FF7197E7F4E, 00007FF7197E80F5
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7197E82AD
schannel: CertGetNameString() returned no certificate name information, xrefs: 00007FF7197E7FCD
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 00007FF7197E8286
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 00007FF7197E7DAC
schannel: Null certificate context., xrefs: 00007FF7197E7E98, 00007FF7197E8047
schannel: Not enough memory to list all host names., xrefs: 00007FF7197E81AC
schannel: CertGetCertificateChain error mask: 0x%08x, xrefs: 00007FF7197E7DEA
2.5.29.17, xrefs: 00007FF7197E7EE3, 00007FF7197E7F14, 00007FF7197E807F, 00007FF7197E80BB
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 00007FF7197E81C3
schannel: CertGetCertificateChain failed: %s, xrefs: 00007FF7197E7D2F
schannel: Null certificate info., xrefs: 00007FF7197E7ED3, 00007FF7197E8064
schannel: server certificate name verification failed, xrefs: 00007FF7197E826E
schannel: failed to create certificate store: %s, xrefs: 00007FF7197E7BDC
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 00007FF7197E8229
schannel: CertFindExtension() returned no extension., xrefs: 00007FF7197E7EFB, 00007FF7197E8097
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 00007FF7197E7DD9
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 00007FF7197E7D95
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 00007FF7197E8239
schannel: Empty DNS name., xrefs: 00007FF7197E7F8A, 00007FF7197E8138

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Cert$Certificate$Chain$ErrorFreeLast$EngineStore$CloseContextCreateNameOpenString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CertGetCertificateChain error mask: 0x%08x$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Failed to read remote certificate context: %s$schannel: Not enough memory to list all host names.$schannel: Null certificate context.$schannel: Null certificate info.$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: failed to create certificate chain engine: %s$schannel: failed to create certificate store: %s$schannel: server certificate name verification failed$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 561913010-2037819326
Opcode ID: 04f56f9fc5ea19e209b175ca6a5c16f24bc8558bd1784ab9995ea6de565a5352
Instruction ID: 06c9fc4e8e62debdfef27ae246e15970ffb8fc5f179f1791f2df7eecbb92c548
Opcode Fuzzy Hash: 04f56f9fc5ea19e209b175ca6a5c16f24bc8558bd1784ab9995ea6de565a5352
Instruction Fuzzy Hash: 36429C32A08E4286EB50AF14E4402B9A7B1FF48BE8F944235DA5D27794DF3CE54ED721

Function 00007FF7197D6AA0 Relevance: 67.0, APIs: 25, Strings: 13, Instructions: 515networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D6B81
getsockname.WS2_32 ref: 00007FF7197D6D7A
WSAGetLastError.WS2_32 ref: 00007FF7197D6D84
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D72BB

Strings

getsockname() failed: %s, xrefs: 00007FF7197D6D9E, 00007FF7197D6FAE
bind() failed, we ran out of ports!, xrefs: 00007FF7197D6F76
,%d,%d, xrefs: 00007FF7197D7199
Failure sending PORT command: %s, xrefs: 00007FF7197D71EC
bind(port=%hu) on non-local address failed: %s, xrefs: 00007FF7197D6F14
failed to resolve the address provided to PORT: %s, xrefs: 00007FF7197D72A9
EPRT, xrefs: 00007FF7197D7232
bind(port=%hu) failed: %s, xrefs: 00007FF7197D6FE5
socket failure: %s, xrefs: 00007FF7197D6E7F, 00007FF7197D7086
%s %s, xrefs: 00007FF7197D71C9
%s |%d|%s|%hu|, xrefs: 00007FF7197D7249
Failure sending EPRT command: %s, xrefs: 00007FF7197D726F
PORT, xrefs: 00007FF7197D71C2

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastcallocfreegetsockname
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 2454324209-2383553807
Opcode ID: 2506126233441dbd59eeba638b13e9866409b4834d07817132997a71c59bbb09
Instruction ID: 8abb37c98501a75715eda2d2be2a44fadfd21867b62e0b594fe55ea4d1b13c46
Opcode Fuzzy Hash: 2506126233441dbd59eeba638b13e9866409b4834d07817132997a71c59bbb09
Instruction Fuzzy Hash: 8F228861A08F8285EB50AF2594402BAE7B1FF49BECF844031EA5E47695DF3DE54EC720

Function 00007FF7197939DE Relevance: 60.3, APIs: 29, Strings: 5, Instructions: 816COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719793E0F
__std_exception_destroy.VCRUNTIME140 ref: 00007FF719793E3B
__std_exception_destroy.VCRUNTIME140 ref: 00007FF719793E48
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719793E82
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719793EE1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719793FA4
__std_exception_destroy.VCRUNTIME140 ref: 00007FF719793FD0
__std_exception_destroy.VCRUNTIME140 ref: 00007FF719793FDD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719794017
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719794076
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197949D2
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7197949FE
__std_exception_destroy.VCRUNTIME140 ref: 00007FF719794A0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719794A45
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719794A98

Strings

object separator, xrefs: 00007FF71979457C
object key, xrefs: 00007FF71979467B
array, xrefs: 00007FF7197942CA
object, xrefs: 00007FF71979445C
number overflow parsing ', xrefs: 00007FF719794091

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: array$number overflow parsing '$object$object key$object separator
API String ID: 1346393832-85532522
Opcode ID: 957cb1d069f10821013d6d0e8e743f4fdf26fda56c0313c8a7246a6a80166625
Instruction ID: 6b3ce627c9e66ce0e71b251c00d69ecab492237653867751f5942d2adceb38e8
Opcode Fuzzy Hash: 957cb1d069f10821013d6d0e8e743f4fdf26fda56c0313c8a7246a6a80166625
Instruction Fuzzy Hash: F0829462E18F9585FB00EF78D4452ADA331FF897B8F905231DA5C16AD5EF68E08AC350

Function 00007FF7197B21A0 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 254stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B2206
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B222D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2288

Strings

sha256//, xrefs: 00007FF7197B21FC, 00007FF7197B234E
-----END PUBLIC KEY-----, xrefs: 00007FF7197B248E
;sha256//, xrefs: 00007FF7197B2300
public key hash: sha256//%s, xrefs: 00007FF7197B229E
-----BEGIN PUBLIC KEY-----, xrefs: 00007FF7197B245A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemallocstrncmp
String ID: public key hash: sha256//%s$-----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$;sha256//$sha256//
API String ID: 1436789207-471711153
Opcode ID: 462ab1ef3dc549e44d95ee799e473f2f586a5f4cdc6c78c0b0a941ab025bce8c
Instruction ID: 3c1d1add703f8ea45f22eee72a6b051bb0ba77ce6f9470b5df143f73102b666a
Opcode Fuzzy Hash: 462ab1ef3dc549e44d95ee799e473f2f586a5f4cdc6c78c0b0a941ab025bce8c
Instruction Fuzzy Hash: 8DA18311B0AE4281FA55AF15A814279E6B0AF6CBF8FC44431DD1F577A5EE2CE54F8320

Function 00007FF719797970 Relevance: 47.9, APIs: 24, Strings: 3, Instructions: 670COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797B07
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797B46

Part of subcall function 00007FF71978D3B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF719781080), ref: 00007FF71978D3E8

Part of subcall function 00007FF71979B690: memcpy.VCRUNTIME140 ref: 00007FF71979B70F
Part of subcall function 00007FF71979B690: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B782
Part of subcall function 00007FF71979B690: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B7BC
Part of subcall function 00007FF71979B690: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B80F

Part of subcall function 00007FF71978F8A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978F967

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797C61
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797CB0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797CEF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797D3E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797D7D
memcpy.VCRUNTIME140 ref: 00007FF719797E60
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797FC5
memset.VCRUNTIME140 ref: 00007FF719797FF1
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF719798019
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00007FF719798039
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF719798079

Part of subcall function 00007FF7197A6C80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A6D98
Part of subcall function 00007FF7197A6C80: memcpy.VCRUNTIME140 ref: 00007FF7197A6DCA
Part of subcall function 00007FF7197A6C80: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A6DFC
Part of subcall function 00007FF7197A6C80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A6E07

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF719798142
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z.MSVCP140 ref: 00007FF719798157
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140 ref: 00007FF719798167
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF719798185
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719798272
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF719798335
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF719798342
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719798381
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719798388
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197983E1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979843C

Part of subcall function 00007FF719781AD0: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF71978D4A5,?,?,?,?,00007FF719781080), ref: 00007FF719781ADB

Strings

You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 00007FF7197979CF
Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00007FF719798289
, xrefs: 00007FF7197980FE

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$U?$char_traits@$D@std@@@std@@$memcpy$??6?$basic_ostream@V01@malloc$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_iostream@?fill@?$basic_ios@?setw@std@@D@std@@@1@@J@1@_Smanip@_U?$_V21@@V?$basic_streambuf@Vios_base@1@Xlength_error@std@@freememsetsystem
String ID: $Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $You need to run the KeyAuthApp.init(); function before any other KeyAuth functions
API String ID: 3735971780-4274135686
Opcode ID: 05062014d779f7e6fec32f4097d0dc290ca12604f9d7c6b0cf133cfc9143369d
Instruction ID: 249d5cb45f1558dae41a06bc06b8943a7956067519e8a1fe880b7734b35af98b
Opcode Fuzzy Hash: 05062014d779f7e6fec32f4097d0dc290ca12604f9d7c6b0cf133cfc9143369d
Instruction Fuzzy Hash: 0B629062A14E8685EB10EF34D8443EDA771FF497ACF804621DA6D16A99EF78D18EC310

Function 00007FF719796F04 Relevance: 46.0, APIs: 24, Strings: 2, Instructions: 518COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719796F19
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719796F68
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719796FA7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719796FF6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797038
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979708A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197970C9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797314
memset.VCRUNTIME140 ref: 00007FF719797340

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00007FF7197975C9
, xrefs: 00007FF71979744C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memset
String ID: $Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message:
API String ID: 3820209055-927317299
Opcode ID: d9f83e36331ecc97ec25f1ecf0fe2c7caa72ba45707463b8d565c630b1046038
Instruction ID: 01a73970be464f3e44b32730e15ab578c77f82b490e4876d2c1625c8741b7781
Opcode Fuzzy Hash: d9f83e36331ecc97ec25f1ecf0fe2c7caa72ba45707463b8d565c630b1046038
Instruction Fuzzy Hash: 15326D62A14A8285EB10EF74D8443ECA371FF49BF8F904231D66D16AD9EF68D18EC310

Function 00007FF7197CC27C Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203stringfileCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197CC318
strchr.VCRUNTIME140 ref: 00007FF7197CC344
strchr.VCRUNTIME140 ref: 00007FF7197CC37E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197CC3A2
strchr.VCRUNTIME140 ref: 00007FF7197CC4B2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197CC4CA
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197CC5F5
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197CC621

Strings

CurrentUser, xrefs: 00007FF7197CC392
, xrefs: 00007FF7197CC27C
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF7197CC759

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdupfopenfseekstrncmpstrtol
String ID: $CurrentUser$schannel: Failed to import cert file %s, password is bad
API String ID: 4221717217-4282655970
Opcode ID: 2bc3b4ff1b728bd590babf64760f3361fd49c7e633ab9c713fce5191dcbf56e2
Instruction ID: 595b434659baf59780c11a415328297ae6b475f96f7cbec27b07d45ab30b7d43
Opcode Fuzzy Hash: 2bc3b4ff1b728bd590babf64760f3361fd49c7e633ab9c713fce5191dcbf56e2
Instruction Fuzzy Hash: 51814621F19E4386FB55AF21A854275A6B0BF4DBF8F884535C91E566D0EF3CE44E8320

Function 00007FF7197CC285 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202stringfileCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197CC318
strchr.VCRUNTIME140 ref: 00007FF7197CC344
strchr.VCRUNTIME140 ref: 00007FF7197CC37E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197CC3A2
strchr.VCRUNTIME140 ref: 00007FF7197CC4B2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197CC4CA
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197CC5F5
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197CC621

Strings

CurrentUser, xrefs: 00007FF7197CC392
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF7197CC759

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdupfopenfseekstrncmpstrtol
String ID: CurrentUser$schannel: Failed to import cert file %s, password is bad
API String ID: 4221717217-1887299029
Opcode ID: 86fffcfc8eb61dd9ba0f61dda9cea2c5dfdd98c58769a83221200aafa928ff93
Instruction ID: a5f6e0a5d4e1f0a88197ab6e09d663332ee52bcbb6c7593b6e6550cb838d7b13
Opcode Fuzzy Hash: 86fffcfc8eb61dd9ba0f61dda9cea2c5dfdd98c58769a83221200aafa928ff93
Instruction Fuzzy Hash: 0E814621F19E4386FB55AF21A854275A6B0BF49BF8F884535C92E567D0EF3CE44E8320

Function 00007FF719795500 Relevance: 34.3, APIs: 18, Strings: 1, Instructions: 1012COMMON

Download Yara Rule

Strings

You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 00007FF71979A5BE

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: You need to run the KeyAuthApp.init(); function before any other KeyAuth functions
API String ID: 0-2984758112
Opcode ID: c8e4e7b71f9810b5a41f25e536691d601e7088a1ad53077bc4e8de7c14d4b2e4
Instruction ID: 0ba2007991af92a6b2503ae3313dfeb3d1f6821a3ca5f9cde376e8c765311a3b
Opcode Fuzzy Hash: c8e4e7b71f9810b5a41f25e536691d601e7088a1ad53077bc4e8de7c14d4b2e4
Instruction Fuzzy Hash: 46A2DE62A19A8289EB14EF74D4443ECA771FF497FCF904221DA6D17A99DF38D18AC310

Function 00007FF71979A0C9 Relevance: 30.7, APIs: 16, Strings: 1, Instructions: 943COMMON

Download Yara Rule

Strings

You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 00007FF71979A5BE

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: You need to run the KeyAuthApp.init(); function before any other KeyAuth functions
API String ID: 0-2984758112
Opcode ID: 5c02e654ac3daa0694eb309eacaacd9a192ce08af0194dc3c006fc7505a6b47b
Instruction ID: b256cfc6a38427a0fbe2e12b035a9d22ad32ef16500970d67d91a9c029237c9d
Opcode Fuzzy Hash: 5c02e654ac3daa0694eb309eacaacd9a192ce08af0194dc3c006fc7505a6b47b
Instruction Fuzzy Hash: 9992BF62A19A8289EB14EF74D4443ECA771FB497FCF904221DA6D17A99DF38D18EC310

Function 00007FF7197E24F0 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 252fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000468,00000470,00000000,?), ref: 00007FF7197E2583
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197E25AD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E2672
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E267E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E26E2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E26EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E27F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E27FF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197E280A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E285F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E287E

Strings

machine, xrefs: 00007FF7197E2741, 00007FF7197E2782
login, xrefs: 00007FF7197E270E
password, xrefs: 00007FF7197E2729
, xrefs: 00007FF7197E25C1, 00007FF7197E27C2
default, xrefs: 00007FF7197E279D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup$fclosefgetsfopen
String ID: $default$login$machine$password
API String ID: 431015889-155862542
Opcode ID: 508c512da910758eb45f15e609f30a01ef11bb745af601c804d16c987fefaa5c
Instruction ID: add78538d9affe0ff35367b6ce8469e70243cec2dbfcb433023dcbe24873ebb0
Opcode Fuzzy Hash: 508c512da910758eb45f15e609f30a01ef11bb745af601c804d16c987fefaa5c
Instruction Fuzzy Hash: A2A18521A0DE8289FA61AF119550779E6B0AF9C7ECF884031DE4E16794EE3CE44E8724

Function 00007FF719793B08 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 342COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF719793B08
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979419A
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7197941C6
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7197941D3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979420D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719794ADC

Strings

array, xrefs: 00007FF7197942CA
number overflow parsing ', xrefs: 00007FF719794091

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$_dclass
String ID: array$number overflow parsing '
API String ID: 1391767211-1723591761
Opcode ID: 9538e38ff7c61a3d32f854fbbb1483515952fee3f87f33fb687ee692d21f818d
Instruction ID: d52245b558fdf4897c8afd571162ee8e28ea05bc3d7b65caa9976f0b92dcc982
Opcode Fuzzy Hash: 9538e38ff7c61a3d32f854fbbb1483515952fee3f87f33fb687ee692d21f818d
Instruction Fuzzy Hash: A4E19362A18F9585FB00DF78D4453ADA331FF597F8F905231DA6D16AD5EF28E08AC210

Function 00007FF719783B30 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 320threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF719783FEC

Strings

8, xrefs: 00007FF719783C1C
5, xrefs: 00007FF719783C10
6, xrefs: 00007FF719783C14
=, xrefs: 00007FF719783C30
:, xrefs: 00007FF719783C24
9, xrefs: 00007FF719783C20
<, xrefs: 00007FF719783C2C
;, xrefs: 00007FF719783C28
7, xrefs: 00007FF719783C18
n, xrefs: 00007FF719783C34

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: CurrentThread
String ID: 5$6$7$8$9$:$;$<$=$n
API String ID: 2882836952-3329899210
Opcode ID: 4fdf88316e3e14cd9c51ca5689c98a2efad4e3aab6ebebc18664c92eb7eed8c5
Instruction ID: fac52411282503bbf78d9fe9c20b8449bb0fce0f22313c5e15ba09c715c32fd6
Opcode Fuzzy Hash: 4fdf88316e3e14cd9c51ca5689c98a2efad4e3aab6ebebc18664c92eb7eed8c5
Instruction Fuzzy Hash: 42D17C26E19F9246F703DB399401169F770AFA77D8B94C337FE1432A91EF29A1968300

Function 00007FF7197C9F40 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 422stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197CA1BE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197CA1C6
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197CA1DC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197CA1E5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197CA1ED
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197CA1F7

Strings

%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00007FF7197C9FFE
%02d:%02d:%02d%n, xrefs: 00007FF7197CA169
GMT, xrefs: 00007FF7197CA0B7
%02d:%02d%n, xrefs: 00007FF7197CA19D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: 2e5424407be538489bc9d8d6cb8a3c1b9d0c12c1910608ac32b99392c699efcf
Instruction ID: 7fc29e0a148c944a8d1d3f15fd49290eacc91e17dbdc664efb5684273f87911f
Opcode Fuzzy Hash: 2e5424407be538489bc9d8d6cb8a3c1b9d0c12c1910608ac32b99392c699efcf
Instruction Fuzzy Hash: 62F1B572F249128AEB28AF6494001BC77B1AF587FDB904235DE1E577D4EE38A84E8750

Function 00007FF719799AD0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71979F340: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FF71978A7FB), ref: 00007FF71979F4A4

memcpy.VCRUNTIME140 ref: 00007FF719799BAB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719799D1D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719799D6F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719799DC0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719799DFF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719799E50
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719799E8F

Part of subcall function 00007FF719781B60: __std_exception_copy.VCRUNTIME140 ref: 00007FF719781B9E

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719799F0B

Strings

mw1 chair, xrefs: 00007FF719799AD9
parse error, xrefs: 00007FF719799BA1, 00007FF719799BC1

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$__std_exception_copy
String ID: mw1 chair$parse error
API String ID: 2484256320-280240065
Opcode ID: 1536065ae0a35c5f9eacec888e5bf35c9484e616c2239f31697ebbd7b3b1ee5c
Instruction ID: d917acfe3e096136abdc0fffde05a5e85358f6c2bb6549e32a785541eaab800e
Opcode Fuzzy Hash: 1536065ae0a35c5f9eacec888e5bf35c9484e616c2239f31697ebbd7b3b1ee5c
Instruction Fuzzy Hash: 72D18F62A18F8685FB00DF35E4443ADA771FF997F8F905221EA6D12695EF68E089C310

Function 00007FF7197F0EA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7197F0EE6
CryptCreateHash.ADVAPI32 ref: 00007FF7197F0F0A
CryptHashData.ADVAPI32 ref: 00007FF7197F0F26
CryptGetHashParam.ADVAPI32 ref: 00007FF7197F0F45
CryptGetHashParam.ADVAPI32 ref: 00007FF7197F0F68
CryptDestroyHash.ADVAPI32 ref: 00007FF7197F0F78
CryptReleaseContext.ADVAPI32 ref: 00007FF7197F0F8A

Strings

@, xrefs: 00007FF7197F0EBD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID: @
API String ID: 3606780921-2766056989
Opcode ID: b199ebcfed380d48043e581de1b523fcb5d011091ec35df18f3fe7f03df88b60
Instruction ID: b14ccf1b78571f5b86a03ec1c58e5e04658a7e290a6a03db23c25d0d39ca64b2
Opcode Fuzzy Hash: b199ebcfed380d48043e581de1b523fcb5d011091ec35df18f3fe7f03df88b60
Instruction Fuzzy Hash: 1A214C32618A8187EB609F61F45466AB371FFC9BD8F845135EA8E47A18DF3CD40A8B14

Function 00007FF7197842C0 Relevance: 13.0, Strings: 10, Instructions: 549COMMON

Download Yara Rule

Strings

9, xrefs: 00007FF7197848EE
7, xrefs: 00007FF7197848E6
<, xrefs: 00007FF7197848FA
6, xrefs: 00007FF7197848E2
5, xrefs: 00007FF7197848DE
n, xrefs: 00007FF719784902
=, xrefs: 00007FF7197848FE
:, xrefs: 00007FF7197848F2
8, xrefs: 00007FF7197848EA
;, xrefs: 00007FF7197848F6

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 5$6$7$8$9$:$;$<$=$n
API String ID: 0-3329899210
Opcode ID: 7603848dbae701a4f6dde75cfe4a8349f3b2e3999f758e02aabcd30d25443663
Instruction ID: a7a8ed1c39664b25f92c7f3a4d9edb3792d74e68f7d8740414ca0fb2653474f8
Opcode Fuzzy Hash: 7603848dbae701a4f6dde75cfe4a8349f3b2e3999f758e02aabcd30d25443663
Instruction Fuzzy Hash: C9225E22E18F9146EB12DF359001279E7B0BF5ABD8F84D336ED4927A41EF2DE54A8300

Function 00007FF7197EEDB0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7197EEDF7
CryptImportKey.ADVAPI32 ref: 00007FF7197EEEC9
CryptReleaseContext.ADVAPI32 ref: 00007FF7197EEEE1
CryptEncrypt.ADVAPI32 ref: 00007FF7197EEF12
CryptDestroyKey.ADVAPI32 ref: 00007FF7197EEF1C
CryptReleaseContext.ADVAPI32 ref: 00007FF7197EEF28

Strings

@, xrefs: 00007FF7197EEDDD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID: @
API String ID: 3016261861-2766056989
Opcode ID: 4f400fb149a1b548b67f52ef4e7b998509afac53caf920d5a782184336a16432
Instruction ID: 8810813f29a1b71ee077ce19cfc50eba5326688c216313f632a1cfb38c11ba05
Opcode Fuzzy Hash: 4f400fb149a1b548b67f52ef4e7b998509afac53caf920d5a782184336a16432
Instruction Fuzzy Hash: 8C41CB22A04AA08EF7108FB5E4543FE7BB0FB4A788F444061DE9823A5ACB3C911ED710

Function 00007FF7197CB4B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7197CB4E1
CryptGenRandom.ADVAPI32 ref: 00007FF7197CB4F5
CryptReleaseContext.ADVAPI32 ref: 00007FF7197CB506
CryptReleaseContext.ADVAPI32 ref: 00007FF7197CB51C

Strings

@, xrefs: 00007FF7197CB4C9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireRandom
String ID: @
API String ID: 2916321625-2766056989
Opcode ID: 6082fa5a4986b7d1eefb3f70c625ecfa5b2544f5ccb5c2cf636573f7448ed044
Instruction ID: e37f3f82805f2ac09cf5fb1782744398fc58aa02835d6e8daa6f0dd73e8179c7
Opcode Fuzzy Hash: 6082fa5a4986b7d1eefb3f70c625ecfa5b2544f5ccb5c2cf636573f7448ed044
Instruction Fuzzy Hash: BBF08666718A4282E7009F15F448336E370EFCCBE8F844430DE5C56668EE7CC08E8B14

Function 00007FF7197CE2D0 Relevance: 6.0, APIs: 4, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 00007FF7197CE300
CryptGetHashParam.ADVAPI32 ref: 00007FF7197CE326
CryptDestroyHash.ADVAPI32 ref: 00007FF7197CE335
CryptReleaseContext.ADVAPI32 ref: 00007FF7197CE345

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 8f12a1f414620edc71d4b012d0aba369fc9a7e8b3e0ec3a1e560b23f03fb7696
Instruction ID: 97d030fd544d78b5f3d602610bd6c68bd4039802f593cc1c11463b7fa1882b86
Opcode Fuzzy Hash: 8f12a1f414620edc71d4b012d0aba369fc9a7e8b3e0ec3a1e560b23f03fb7696
Instruction Fuzzy Hash: 34015E36618A41C2EB109F20E45873AB730FF88BE8F944531DA5906A68CF3CE84ECB10

Function 00007FF7197F1160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF719782195), ref: 00007FF7197F1186
FormatMessageA.KERNEL32 ref: 00007FF7197F11B9

Strings

!x-sys-default-locale, xrefs: 00007FF7197F1179

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: b6396efd2b411913c604dfbcd843a41c083d30f8696823506ca71d1e4185de52
Instruction ID: 2f93254134e3e8c39020bc74251dd11bf858088743d58919d5fd6e7578304985
Opcode Fuzzy Hash: b6396efd2b411913c604dfbcd843a41c083d30f8696823506ca71d1e4185de52
Instruction Fuzzy Hash: C901C472B08B8282E7119F12B4447BAA7B2FB897E8F848135DA5916A94DF3CD50EC710

Function 00007FF7197CE270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7197CE28C
CryptCreateHash.ADVAPI32 ref: 00007FF7197CE2AD

Strings

@, xrefs: 00007FF7197CE27C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID: @
API String ID: 1914063823-2766056989
Opcode ID: 07c9d47108fc3ad71a41631baf01da2f3da8390ba16a22fec74377c9f0bb1267
Instruction ID: 22d941a0036f703b2b8d7d94db0bbc60ee5e00059dfc61b84dda756eb352144f
Opcode Fuzzy Hash: 07c9d47108fc3ad71a41631baf01da2f3da8390ba16a22fec74377c9f0bb1267
Instruction Fuzzy Hash: F9E01266B2495283F7609F65E405B26A360EF98B98F8540208E8D46A54DF3DD15A8B14

Function 00007FF7197DABB0 Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF7197DABEB
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197DAC1F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _getpidhtons
String ID:
API String ID: 3416910171-0
Opcode ID: cc9e7fa553ed23a3e6780596f40e94c0e3b7503552778ab360693c8f915b6de3
Instruction ID: accd8700cf9710874be9a4e7f7a16f5432053ded443a4fd61d8b0c14f77f436a
Opcode Fuzzy Hash: cc9e7fa553ed23a3e6780596f40e94c0e3b7503552778ab360693c8f915b6de3
Instruction Fuzzy Hash: 60113C26A247D0CAD304CF35E5001AD7770FB5CB88B44962AFB9987B19EB78D6D4C744

Function 00007FF71978EA20 Relevance: 1.6, APIs: 1, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15f5102f12e8194bc44bd48c809dd33afe684242a5eb66359b70ce73724ac58
Instruction ID: d808c092e45e8240c008184c1e7770e2b9da74596132cc50f826917a3858d3e8
Opcode Fuzzy Hash: f15f5102f12e8194bc44bd48c809dd33afe684242a5eb66359b70ce73724ac58
Instruction Fuzzy Hash: 3EC1E373B25A9587E716DF12D945569F7A2FBD8BE4B85C130DA4A07B44CB3CE80AC700

Function 00007FF719784B10 Relevance: 1.5, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF719784B51

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 45ef815ea85129ee6b0d6973e0bb183715d2ac43699a5b2549753aa1c042f307
Instruction ID: d62cac5a180e3318448442f3d25e3dea04063a12f3c5809b69e3fa5c85ab7d14
Opcode Fuzzy Hash: 45ef815ea85129ee6b0d6973e0bb183715d2ac43699a5b2549753aa1c042f307
Instruction Fuzzy Hash: 8AC10F22A08E9186EB649F11D051379E7A4FF99FD8F84803ACA8D47784DF7CD54E8710

Function 00007FF7197A63C0 Relevance: 1.3, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF7197A5E73,?,?,00000000,00007FF7197A68C5), ref: 00007FF7197A64AD

Part of subcall function 00007FF7197F19B0: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF719781813), ref: 00007FF7197F19C0

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: AcquireExclusiveHeapLockProcess
String ID:
API String ID: 3110430671-0
Opcode ID: d1505e472a0fd281962cf8dbfb803b5a8f8c708247806b02aff7a1cdafd5ce21
Instruction ID: 4ad915320675f4850c592739b8181dc3d587766e82a7df7adf02a1a7655d1302
Opcode Fuzzy Hash: d1505e472a0fd281962cf8dbfb803b5a8f8c708247806b02aff7a1cdafd5ce21
Instruction Fuzzy Hash: 3A317760A1DE42C9E740FF14FC802A4A3B0AF597B8FD44136D45D562A5EE2CA5AFC6A0

Function 00007FF719784F70 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdca47630f0c8f04c3bca8bb16ecddcb7a49b36e39df03ee866b2b24d727d04
Instruction ID: 14b35d8022eebd16432846c2d9448e7775a5fb1c53360fdc78741727a5a9de0e
Opcode Fuzzy Hash: 2cdca47630f0c8f04c3bca8bb16ecddcb7a49b36e39df03ee866b2b24d727d04
Instruction Fuzzy Hash: 65A12322B18A9586DA149F15C061378F7A1FF59BD8F888072DA8E07798DF3CE85E8710

Function 00007FF7197F0E30 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction ID: 4ef697208e660e51e32471434644e5badccefc59c34fd8e3ccbce27ccf45d264
Opcode Fuzzy Hash: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction Fuzzy Hash: 07F05269324B67AEFE01893B4624FAD5E519B90B40FA368748C84020CB9AAE54A7D724

Function 00007FF7197CE2C0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c289d905f3bdd2934b30085e9b980ed7e8fe7661c540f790fd8fd46bb9bd6746
Instruction ID: 3103bf17cff96ac591342a460208bc6079c5c75b43ad8c10ad5c3311fb5a9ba0
Opcode Fuzzy Hash: c289d905f3bdd2934b30085e9b980ed7e8fe7661c540f790fd8fd46bb9bd6746
Instruction Fuzzy Hash: 61A01123B0AC0AC0A2008B00E2A0E20A220EBC8BA83828020880E028208E28808AC200

Function 00007FF7197B7B10 Relevance: 52.7, APIs: 34, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197BFA30: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF7197A88FF), ref: 00007FF7197BFA47

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7C9D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7CB1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7CC5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7CD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7CED
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7D01
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7D15
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7D29
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7D3D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7D51
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7D65
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7D79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7D8D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7DA1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7DB5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7DC9

Part of subcall function 00007FF7197C1160: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C119E

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7DDD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7DF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7E05
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7E19
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7E2D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7E41
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7E55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7E69
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7E7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7E91
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7EA5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7EB9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7ECD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7EE1

Part of subcall function 00007FF7197B5960: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B597B
Part of subcall function 00007FF7197B5960: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B59A9

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7F0B

Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2121
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2131
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B213F
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B214D
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B215B
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2169
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2177
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2185

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7F37
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7F4B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7F5B

Strings

Closing connection %ld, xrefs: 00007FF7197B7C09

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$CounterPerformanceQuery
String ID: Closing connection %ld
API String ID: 3490100708-2599090834
Opcode ID: 8a8a0e4e5fe022af89b3c130e90702d560810d86965a795d9a901474a6c626b6
Instruction ID: 46abe46b303a4ab83456a68a0c1b48be69f8ec07e9c66c94c38b91970a775f50
Opcode Fuzzy Hash: 8a8a0e4e5fe022af89b3c130e90702d560810d86965a795d9a901474a6c626b6
Instruction Fuzzy Hash: 6AC1DC35A09F8186E740AF21D8502AD7374FB99FB8F484135EE5E47669CF38929F8720

Function 00007FF7197D8F40 Relevance: 49.9, APIs: 6, Strings: 27, Instructions: 385COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D903D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D913E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D91B1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D922B

Strings

Transport: %s, xrefs: 00007FF7197D904A
Refusing to issue an RTSP SETUP without a Transport: header., xrefs: 00007FF7197D9075
Content-Length: %I64d, xrefs: 00007FF7197D9497
%s%s%s%s%s%s%s%s, xrefs: 00007FF7197D9396
Referer: %s, xrefs: 00007FF7197D91E2
User-Agent, xrefs: 00007FF7197D911E, 00007FF7197D914D
Content-Type, xrefs: 00007FF7197D94C3, 00007FF7197D94F9
%s %s RTSP/1.0CSeq: %ld, xrefs: 00007FF7197D92D7
Failed sending RTSP request, xrefs: 00007FF7197D95A1
Session ID cannot be set as a custom header., xrefs: 00007FF7197D929D
Session: %s, xrefs: 00007FF7197D930D
Content-Type: text/parameters, xrefs: 00007FF7197D94D7
Transport, xrefs: 00007FF7197D8FEE
Content-Type: application/sdp, xrefs: 00007FF7197D950D
Session, xrefs: 00007FF7197D9289
Range: %s, xrefs: 00007FF7197D9233
Content-Length, xrefs: 00007FF7197D947C
CSeq, xrefs: 00007FF7197D925C
CSeq cannot be set as a custom header., xrefs: 00007FF7197D9270
Accept-Encoding: %s, xrefs: 00007FF7197D90E9
Range, xrefs: 00007FF7197D9207
Accept-Encoding, xrefs: 00007FF7197D90B4
Referer, xrefs: 00007FF7197D91C7
Accept, xrefs: 00007FF7197D9098
Refusing to issue an RTSP request [%s] without a session ID., xrefs: 00007FF7197D8FC3
Accept: application/sdp, xrefs: 00007FF7197D90AA
OPTIONS, xrefs: 00007FF7197D8F40

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %s %s RTSP/1.0CSeq: %ld$%s%s%s%s%s%s%s%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: application/sdp$CSeq$CSeq cannot be set as a custom header.$Content-Length$Content-Length: %I64d$Content-Type$Content-Type: application/sdp$Content-Type: text/parameters$Failed sending RTSP request$OPTIONS$Range$Range: %s$Referer$Referer: %s$Refusing to issue an RTSP SETUP without a Transport: header.$Refusing to issue an RTSP request [%s] without a session ID.$Session$Session ID cannot be set as a custom header.$Session: %s$Transport$Transport: %s$User-Agent
API String ID: 1294909896-2200874227
Opcode ID: a40f233960876ef576a7ddbd7bcd06506a2316c435e9cdff5a83187961fdf089
Instruction ID: 0dfca784bfa0cf477631d565637aa1601f1e197d4686c818303fbe4c9ced74ac
Opcode Fuzzy Hash: a40f233960876ef576a7ddbd7bcd06506a2316c435e9cdff5a83187961fdf089
Instruction Fuzzy Hash: A2025575A0AF8285EA54BF15A4503BAA3F1AF487E8F840035DE5E47795EF3CE54E8320

Function 00007FF7197D29E0 Relevance: 47.5, APIs: 18, Strings: 9, Instructions: 297stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D2A3E
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D2A72
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D2AF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D2B0B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D2B1A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D2B67
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D2B78

Strings

MAIL FROM:%s%s%s%s%s%s, xrefs: 00007FF7197D2E0C
Mime-Version: 1.0, xrefs: 00007FF7197D2CD4
Mime-Version, xrefs: 00007FF7197D2CB9
SMTPUTF8, xrefs: 00007FF7197D2DCA
<%s>, xrefs: 00007FF7197D2AF9, 00007FF7197D2C3D
<%s@%s>, xrefs: 00007FF7197D2AD6, 00007FF7197D2C1A
SIZE=, xrefs: 00007FF7197D2DE1
%I64d, xrefs: 00007FF7197D2D2E
AUTH=, xrefs: 00007FF7197D2DD5

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree$strpbrk
String ID: AUTH=$ SIZE=$ SMTPUTF8$%I64d$<%s>$<%s@%s>$MAIL FROM:%s%s%s%s%s%s$Mime-Version$Mime-Version: 1.0
API String ID: 2737852498-2994854565
Opcode ID: 7883361c1b58450adb40d46f80fdc1d64b6fc8705fed8b763f7d4c395d0d0150
Instruction ID: 026afad340aa71667ce339781c6dd9b821c4304d34140875cfa089fde4a7ea92
Opcode Fuzzy Hash: 7883361c1b58450adb40d46f80fdc1d64b6fc8705fed8b763f7d4c395d0d0150
Instruction Fuzzy Hash: 6DD14721A09F5284FB51AF22A8546B9A3B0AF49BF8F844431DD5E17795EF2CE54FC320

Function 00007FF7197E4B20 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 312networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7197E4C09
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E4C50
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E4EA6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E4EBD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E4ED8
htons.WS2_32 ref: 00007FF7197E4F37

Strings

DOH: %s type %s for %s, xrefs: 00007FF7197E4C84
DOH AAAA: , xrefs: 00007FF7197E4D52
bad error code, xrefs: 00007FF7197E4C68
%s%02x%02x, xrefs: 00007FF7197E4D9E
CNAME: %s, xrefs: 00007FF7197E4E33
DOH Host name: %s, xrefs: 00007FF7197E4CD1
TTL: %u seconds, xrefs: 00007FF7197E4CE5
DOH A: %u.%u.%u.%u, xrefs: 00007FF7197E4D1E
Could not DOH-resolve: %s, xrefs: 00007FF7197E4B76
AAAA, xrefs: 00007FF7197E4C76
%s, xrefs: 00007FF7197E4DF3

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: calloc$_strdupfreehtonsmemset
String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
API String ID: 130798683-4053692942
Opcode ID: 27ac65ade6a49855d15a0d887e95371f6df9889a03383c231eb6b08653a7f7a4
Instruction ID: 8b86e27471e84214771b42d31f923fe057d9fb0da26774e548efdeda6d597fdc
Opcode Fuzzy Hash: 27ac65ade6a49855d15a0d887e95371f6df9889a03383c231eb6b08653a7f7a4
Instruction Fuzzy Hash: A1E17F32A08E868AEB60AF21D4403A9B7B0FF49BA8F884135DA4D57654DF3CD55EC750

Function 00007FF7197DFBC0 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 257stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFC46
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFC6C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFC7D
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFCEB
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFD1C
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFD3C
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFD4E
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFDB0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFE21
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFE38
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFEF3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFF67
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7197DF37F), ref: 00007FF7197DFF70

Strings

LDAP, xrefs: 00007FF7197DFC06
one, xrefs: 00007FF7197DFE53
sub, xrefs: 00007FF7197DFEA4
base, xrefs: 00007FF7197DFE79
onetree, xrefs: 00007FF7197DFE66
subtree, xrefs: 00007FF7197DFEB7

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$free$_strdupcalloc
String ID: LDAP$base$one$onetree$sub$subtree
API String ID: 112326314-884163498
Opcode ID: 7457ec10a7863926a73970fb80d2f266a049ecbafc5bdee017a16620ab069567
Instruction ID: 54181b66a78311903690da7e126c1713121139be75911a58d32d21f83e245d96
Opcode Fuzzy Hash: 7457ec10a7863926a73970fb80d2f266a049ecbafc5bdee017a16620ab069567
Instruction Fuzzy Hash: 41B17D22A19F8286EA51AF159410279A3F0FF4DBE8F884431DE4D47B95EF3CE55E8720

Function 00007FF7197DDD90 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 175stringCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF7197DDDF1
memchr.VCRUNTIME140 ref: 00007FF7197DDE27
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197DDEAB
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197DDF3B

Strings

%s (%ld), xrefs: 00007FF7197DDFA2
tsize, xrefs: 00007FF7197DDF1F
%s (%d) %s (%d), xrefs: 00007FF7197DDEFD
blksize, xrefs: 00007FF7197DDE8F
tsize parsed from OACK, xrefs: 00007FF7197DDF44
blksize is larger than max supported, xrefs: 00007FF7197DDFE1
blksize is smaller than min supported, xrefs: 00007FF7197DDFBE
requested, xrefs: 00007FF7197DDEEA
got option=(%s) value=(%s), xrefs: 00007FF7197DDE6C
invalid blocksize value in OACK packet, xrefs: 00007FF7197DDFFE
invalid tsize -:%s:- value in OACK packet, xrefs: 00007FF7197DE017
server requested blksize larger than allocated, xrefs: 00007FF7197DDF98
%s (%ld), xrefs: 00007FF7197DDF4B
Malformed ACK packet, rejecting, xrefs: 00007FF7197DE02A
blksize parsed from OACK, xrefs: 00007FF7197DDEE3
%s (%d), xrefs: 00007FF7197DDFC5, 00007FF7197DDFE8

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memchrstrtol
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 1626215102-895336422
Opcode ID: 616d3ad0d74c5b29ab7257f440df8e7a03a6e9cb897c17770af368ebb8476fcb
Instruction ID: f22b10520bd38d10c531f8829f292dcabf195a880ae180995e2485b8c3d4191f
Opcode Fuzzy Hash: 616d3ad0d74c5b29ab7257f440df8e7a03a6e9cb897c17770af368ebb8476fcb
Instruction Fuzzy Hash: 44619E60B08E4295EA14AF11A4142B9E2B0AF497F8FD44631D96E577D5EE3CE10FC3A0

Function 00007FF7197AEEC0 Relevance: 34.9, APIs: 6, Strings: 17, Instructions: 352COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197A8800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7197B2DF0), ref: 00007FF7197A8827
Part of subcall function 00007FF7197A8800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7197B2DF0), ref: 00007FF7197A8833

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AF154
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AF15C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AF183
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AF18C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AF210
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AF219

Strings

text/plain, xrefs: 00007FF7197AF02C
Content-Type: %s%s%s, xrefs: 00007FF7197AF23D
multipart/, xrefs: 00007FF7197AF0F7
Content-Type, xrefs: 00007FF7197AEF48
; filename=", xrefs: 00007FF7197AF1A1
Content-Disposition, xrefs: 00007FF7197AF081
Content-Transfer-Encoding: %s, xrefs: 00007FF7197AF3A1
form-data, xrefs: 00007FF7197AF3C6
multipart/mixed, xrefs: 00007FF7197AEFB5
multipart/form-data, xrefs: 00007FF7197AF317
Content-Disposition: %s%s%s%s%s%s%s, xrefs: 00007FF7197AF1D9
; boundary=, xrefs: 00007FF7197AF233
8bit, xrefs: 00007FF7197AF39A
application/octet-stream, xrefs: 00007FF7197AEFE6
attachment, xrefs: 00007FF7197AF10B, 00007FF7197AF112
; name=", xrefs: 00007FF7197AF1AF
Content-Transfer-Encoding, xrefs: 00007FF7197AF281

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
API String ID: 1294909896-1595554923
Opcode ID: 570bb8296e1f2627a6445f9f05a289e92b3df1b2c3371be4d9f2f65be19f9100
Instruction ID: a26e44c411893ea95b76b80a35ee7fd77cd82cbb29c3e2172749c8c87f37e7ef
Opcode Fuzzy Hash: 570bb8296e1f2627a6445f9f05a289e92b3df1b2c3371be4d9f2f65be19f9100
Instruction Fuzzy Hash: 23E15B22B08E5295EAA5AF1595002B9A7B0FF08FE8FCC4435DE4D57681DF3CE95E8320

Function 00007FF71979716B Relevance: 33.6, APIs: 17, Strings: 2, Instructions: 379COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7197971AB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719797314
memset.VCRUNTIME140 ref: 00007FF719797340
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF719797368
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00007FF719797388
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7197973C8

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00007FF7197975C9
, xrefs: 00007FF71979744C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@D@std@@@1@@V?$basic_streambuf@_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: $Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message:
API String ID: 1294974349-927317299
Opcode ID: 410f36a4870d238e05208bbdbcc36e2d00af9211a10ad3981071c9aadfc18226
Instruction ID: e411707d812f736267625fd577b51fb04ac4f180aa6cc3bb70f98c9e54cb5655
Opcode Fuzzy Hash: 410f36a4870d238e05208bbdbcc36e2d00af9211a10ad3981071c9aadfc18226
Instruction Fuzzy Hash: D9027062A15AC285EB10EF35D8443E9A771FF89BE8F804232D65D17699EF68D18EC310

Function 00007FF71979ED30 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 388COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF71979ED87
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979EEAD
__std_exception_destroy.VCRUNTIME140 ref: 00007FF71979EEDB
__std_exception_destroy.VCRUNTIME140 ref: 00007FF71979EEE8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979EF21
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979EF73
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979F0F7
__std_exception_destroy.VCRUNTIME140 ref: 00007FF71979F124
__std_exception_destroy.VCRUNTIME140 ref: 00007FF71979F131
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979F16B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979F1BE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979F2A7
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979F2C4
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979F2D5
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z.MSVCP140 ref: 00007FF71979F2F8
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979F306

Part of subcall function 00007FF71979B8A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979B9F7

Part of subcall function 00007FF719799AD0: memcpy.VCRUNTIME140 ref: 00007FF719799BAB

Part of subcall function 00007FF71979C1F0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,00007FF71979BAB2), ref: 00007FF71979C2CF

Strings

mw1 chair, xrefs: 00007FF71979ED38
value, xrefs: 00007FF71979EE06, 00007FF71979F054

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$D@std@@@std@@U?$char_traits@__std_exception_destroy$?gptr@?$basic_streambuf@memcpy$?eback@?$basic_streambuf@?gbump@?$basic_streambuf@memset
String ID: mw1 chair$value
API String ID: 1588778072-2545578270
Opcode ID: f4837b6ca7ddc26443359525ecf6f66fc6156b3506967fc058f36f18416aeb88
Instruction ID: 90091dbcde305994c2f89bf24ebe41ff1ff9ba0ad1b61fec854d7b7a71a8b65a
Opcode Fuzzy Hash: f4837b6ca7ddc26443359525ecf6f66fc6156b3506967fc058f36f18416aeb88
Instruction Fuzzy Hash: F4029322A18E8185E710AF74D4443ADA771EF897F8F944331EAAD12AD9DF6CD48EC710

Function 00007FF7197ACAE0 Relevance: 31.8, APIs: 21, Instructions: 269stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197ADA30: _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197ADA53
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAA9
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAB3
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADABD
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAC7
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAD1
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADADB
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAE5
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAEF
Part of subcall function 00007FF7197ADA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAF8

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACBD7
strchr.VCRUNTIME140 ref: 00007FF7197ACBF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACC1B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACC28
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACC52
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACC66
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACC73
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACC8C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACC9A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACCA8
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACCC3
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACCDF
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACCFB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACD17
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACD33
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACD4F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACD6B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACD83
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACE1B
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7197ACE52
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACE93

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup$_time64callocmallocqsortstrchrstrncmp
String ID:
API String ID: 1087521380-0
Opcode ID: 7f1a20b7f97d444a339020af2ee787f49430f9708660ea9bab881476ffcce99f
Instruction ID: 3e654c96350454a462ead100df65b5fb3efac1e80250688f8858e5667d7be3f0
Opcode Fuzzy Hash: 7f1a20b7f97d444a339020af2ee787f49430f9708660ea9bab881476ffcce99f
Instruction Fuzzy Hash: 4FB16021E0AF4295EB5AAF259510278A6B0AF49FF8F8C0535CE5D46791DF2CE49EC320

Function 00007FF7197E02F0 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 214stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0300
strstr.VCRUNTIME140 ref: 00007FF7197E032F
strchr.VCRUNTIME140 ref: 00007FF7197E035B
strrchr.VCRUNTIME140 ref: 00007FF7197E0375
strchr.VCRUNTIME140 ref: 00007FF7197E038A
strrchr.VCRUNTIME140 ref: 00007FF7197E03EA

Strings

., xrefs: 00007FF7197E03CA
/, xrefs: 00007FF7197E0403
?, xrefs: 00007FF7197E0368
/, xrefs: 00007FF7197E0345
/, xrefs: 00007FF7197E03BE

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchrstrrchr$_strdupstrstr
String ID: .$/$/$/$?
API String ID: 2325335452-1821401756
Opcode ID: 3f58e7fa9ad400dc24d95ef4fcd050962103d863482cf5ca1810015a8c4a0303
Instruction ID: 3367aefdc49b430998241c040b1f4c77a6b67047a630fdfd26004780649f400a
Opcode Fuzzy Hash: 3f58e7fa9ad400dc24d95ef4fcd050962103d863482cf5ca1810015a8c4a0303
Instruction Fuzzy Hash: 1081A311A0CB824AFB676F119500379EAA16F5E7E8F884035DE4D267C6EE7CE44F8320

Function 00007FF7197DB1F0 Relevance: 31.7, APIs: 9, Strings: 12, Instructions: 208stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7197DB2C3
strchr.VCRUNTIME140 ref: 00007FF7197DB31A
strchr.VCRUNTIME140 ref: 00007FF7197DB332
strchr.VCRUNTIME140 ref: 00007FF7197DB34D
strchr.VCRUNTIME140 ref: 00007FF7197DB3C9
strchr.VCRUNTIME140 ref: 00007FF7197DB3E1
strchr.VCRUNTIME140 ref: 00007FF7197DB3FC
strchr.VCRUNTIME140 ref: 00007FF7197DB417
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197DB4A4

Strings

/M:, xrefs: 00007FF7197DB245
CLIENT libcurl 7.70.0MATCH %s %s %sQUIT, xrefs: 00007FF7197DB485
Failed sending DICT request, xrefs: 00007FF7197DB4B1
CLIENT libcurl 7.70.0%sQUIT, xrefs: 00007FF7197DB2FA
CLIENT libcurl 7.70.0DEFINE %s %sQUIT, xrefs: 00007FF7197DB3AA
/D:, xrefs: 00007FF7197DB296
/FIND:, xrefs: 00007FF7197DB260
/DEFINE:, xrefs: 00007FF7197DB27B
/LOOKUP:, xrefs: 00007FF7197DB2AD
lookup word is missing, xrefs: 00007FF7197DB364, 00007FF7197DB42E
/MATCH:, xrefs: 00007FF7197DB22A
default, xrefs: 00007FF7197DB373, 00007FF7197DB43D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$free
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.70.0%sQUIT$CLIENT libcurl 7.70.0DEFINE %s %sQUIT$CLIENT libcurl 7.70.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
API String ID: 3578582447-31095704
Opcode ID: f801abd978ecd1412e547588e09c2bc2775defbf52bfc87cce94f67bf4fe725f
Instruction ID: e246cfc410bf161f449e16676e49433d2b3976f8d7b48ff647a5356d4c3fe7aa
Opcode Fuzzy Hash: f801abd978ecd1412e547588e09c2bc2775defbf52bfc87cce94f67bf4fe725f
Instruction Fuzzy Hash: 9A815D21B08E8244FB61AF1195502B9E7E1AF4DBE8FC84431DE5D57796EE2CE50FC221

Function 00007FF7197B8230 Relevance: 30.1, APIs: 24, Instructions: 137COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B824C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8262
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8276
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8283

Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2121
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2131
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B213F
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B214D
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B215B
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2169
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2177
Part of subcall function 00007FF7197B2110: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2185

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B82BF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B82D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8326
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B833A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B834E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8362
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B83CA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B83DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B83F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8406
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B846A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B84AA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B84BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B84D2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B84E6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B84FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B850E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8522
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8536
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8558

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: bd80bba0149a04594dff721a1e7c8e4fb3a5c9d356bb0993ff73abd8baa79332
Instruction ID: 72bd2f505cd936729fbcc78b04ec22c68cdde3ff0984e839c501072d5a72223c
Opcode Fuzzy Hash: bd80bba0149a04594dff721a1e7c8e4fb3a5c9d356bb0993ff73abd8baa79332
Instruction Fuzzy Hash: 2291A636A15F81D6E7499F21D9902AC73A8F749F68F440135EF9D47264CF34A2BA8320

Function 00007FF7197D5A60 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 284stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D5AAD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D5B9F
strchr.VCRUNTIME140 ref: 00007FF7197D5AE1

Part of subcall function 00007FF7197ADBE0: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197ADC24

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D5D07
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D5ED1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D5EF3

Part of subcall function 00007FF7197C1160: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C119E

Strings

Bad PASV/EPSV response: %03d, xrefs: 00007FF7197D5F1E
Couldn't interpret the 227-response, xrefs: 00007FF7197D5C4E
Can't resolve proxy host %s:%hu, xrefs: 00007FF7197D5DB3
%c%c%c%u%c, xrefs: 00007FF7197D5B1B
Connecting to %s (%s) port %d, xrefs: 00007FF7197D5EAA
Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 00007FF7197D5CDB
Can't resolve new host %s:%hu, xrefs: 00007FF7197D5E1E
%u.%u.%u.%u, xrefs: 00007FF7197D5D13
%u,%u,%u,%u,%u,%u, xrefs: 00007FF7197D5C2B
Illegal port number in EPSV reply, xrefs: 00007FF7197D5B5F
Weirdly formatted EPSV reply, xrefs: 00007FF7197D5BBF

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree$__stdio_common_vsscanfstrchr
String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
API String ID: 3103143820-2414412286
Opcode ID: 2423ba592fad11dd6ce8bcff85e10349de27c45fe07d5c8b5c86b3b9066ac229
Instruction ID: d1efe74c2281cf26115d957b51aa6ad26ad79149f7676eb881c61bec420d89c3
Opcode Fuzzy Hash: 2423ba592fad11dd6ce8bcff85e10349de27c45fe07d5c8b5c86b3b9066ac229
Instruction Fuzzy Hash: 0CD1A621608E8292EA58AF21E4506B9E7B0FF497E8F840032DB5D07659DF3CE55EC711

Function 00007FF7197B7300 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 219COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7622

Strings

Unsupported proxy scheme for '%s', xrefs: 00007FF7197B7431
socks4, xrefs: 00007FF7197B73F6
Unsupported proxy syntax in '%s', xrefs: 00007FF7197B760A
socks5, xrefs: 00007FF7197B73C0
socks, xrefs: 00007FF7197B740A
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 00007FF7197B7464
socks5h, xrefs: 00007FF7197B73A2
http, xrefs: 00007FF7197B741E
https, xrefs: 00007FF7197B7384
socks4a, xrefs: 00007FF7197B73DB

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
API String ID: 1294909896-874090715
Opcode ID: 16a049045801d535978009a31b065c83d94e7eaf32c36e6bf7f3fd082b557e32
Instruction ID: 519e321d4add4b1574663eb85a4940903f9d0645e1c0ebadd3b96cbdc7c49e6b
Opcode Fuzzy Hash: 16a049045801d535978009a31b065c83d94e7eaf32c36e6bf7f3fd082b557e32
Instruction Fuzzy Hash: A2A18C22E08E4285FB50EF51D8405BDA7B4AF587E8F884531DE0E57A95EF38E64E8360

Function 00007FF7197D4F10 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 208stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197A2010: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A203E

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D4FE6
strchr.VCRUNTIME140 ref: 00007FF7197D5004
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D5034
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D504F
strchr.VCRUNTIME140 ref: 00007FF7197D5079
strrchr.VCRUNTIME140 ref: 00007FF7197D5095
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D50BF
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D50DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D50FE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D5116
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D5155
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D5190
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D522C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D5251

Strings

Uploading to a URL without a file name!, xrefs: 00007FF7197D517C
Request has same path as previous transfer, xrefs: 00007FF7197D5236

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: calloc$free$strchrstrncpy$_strdupmallocstrncmpstrrchr
String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
API String ID: 2243338858-131330169
Opcode ID: 3e79fc39ca36edf3a3601a0182a0fa2abbcb9301044b36530f9349d19e401801
Instruction ID: 80dfb99dd4c16ee2a574f256704245b9c5b4944874cf660ce854c811103dda8e
Opcode Fuzzy Hash: 3e79fc39ca36edf3a3601a0182a0fa2abbcb9301044b36530f9349d19e401801
Instruction Fuzzy Hash: 6A91B121B08E8287EA54AF259844279A3F0FF4ABE8F944031DA5D07798DF3DE45E8721

Function 00007FF7197AD460 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197AD4C3
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197AD53D
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AD561
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7197AD5B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AD5EA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AD5FC
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197AD60F
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7197AD62A
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197AD640
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AD649

Strings

%s.%s.tmp, xrefs: 00007FF7197AD4FA
# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00007FF7197AD536
%s, xrefs: 00007FF7197AD5DB
## Fatal libcurl error, xrefs: 00007FF7197AD677

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$fclose$__acrt_iob_func_unlinkcallocfputsqsort
String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
API String ID: 1368378007-4087121635
Opcode ID: 7f335d89e45aa7785110ff86ac1c6c45b52a68bd15c63e38a18cd000c1d92f49
Instruction ID: c65bcf7b5c1e0266104f5f14d6b9f9190123bdb654c195e0657d5877bc2ab9b6
Opcode Fuzzy Hash: 7f335d89e45aa7785110ff86ac1c6c45b52a68bd15c63e38a18cd000c1d92f49
Instruction Fuzzy Hash: B7516351B1DE4286EA65BF1198542B9A2B0AF4DFECFC84431DD5E46790EE3CE44F8320

Function 00007FF7197CD460 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 241encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7197CD747
CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7197CD7B7
CertFreeCertificateContext.CRYPT32 ref: 00007FF7197CD7F5
CertFreeCertificateContext.CRYPT32 ref: 00007FF7197CD808

Strings

schannel: failed to retrieve ALPN result, xrefs: 00007FF7197CD57B
schannel: failed to retrieve remote cert context, xrefs: 00007FF7197CD827
schannel: failed to setup stream orientation, xrefs: 00007FF7197CD530
schannel: ALPN, server accepted to use %.*s, xrefs: 00007FF7197CD5A8
schannel: failed to store credential handle, xrefs: 00007FF7197CD6AC
schannel: failed to setup sequence detection, xrefs: 00007FF7197CD4BA
schannel: failed to setup memory allocation, xrefs: 00007FF7197CD511
schannel: failed to setup confidentiality, xrefs: 00007FF7197CD4F2
ALPN, server did not agree to a protocol, xrefs: 00007FF7197CD5D5
http/1.1, xrefs: 00007FF7197CD5BB
schannel: failed to setup replay detection, xrefs: 00007FF7197CD4D6

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Cert$CertificateCertificatesContextEnumFreeStore
String ID: ALPN, server did not agree to a protocol$http/1.1$schannel: ALPN, server accepted to use %.*s$schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle
API String ID: 2572311694-3353508759
Opcode ID: 2095c90b888cff0ce89bc4102fb6157118959c8da0a2b5e28958842bd02a3143
Instruction ID: ebbf3fdfbca27657c862bcadc32cf8a2726910bc80216eaa3f6dfebf6ecb1aa2
Opcode Fuzzy Hash: 2095c90b888cff0ce89bc4102fb6157118959c8da0a2b5e28958842bd02a3143
Instruction Fuzzy Hash: F1B18F61A18E8385EA60AF15D8143B9A3B1EF88BFCF844031DA4E57694DF3CE54EC760

Function 00007FF7197C3C80 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 218stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7197C3D38
strchr.VCRUNTIME140 ref: 00007FF7197C3D4F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197C3D9B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3F67
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3FB6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3FBF

Strings

Content-Type:, xrefs: 00007FF7197C3E3F, 00007FF7197C3E65
Transfer-Encoding:, xrefs: 00007FF7197C3ED8
Authorization:, xrefs: 00007FF7197C3EF1
Content-Length:, xrefs: 00007FF7197C3E8B
Host:, xrefs: 00007FF7197C3E19
Connection:, xrefs: 00007FF7197C3EB1
1.1, xrefs: 00007FF7197C3C9B
%s, xrefs: 00007FF7197C3F4C
Cookie:, xrefs: 00007FF7197C3F0B

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$strchr$_strdup
String ID: %s$1.1$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:
API String ID: 1922034842-2519073162
Opcode ID: 58e342e576d99e2e0d0836eccb8b590fdcfbc66147d025145704a752b4f4fdfd
Instruction ID: 4b2841989f4d8302581ab813d62893191e874db8bca6a121a4719c4f6f6cdd6b
Opcode Fuzzy Hash: 58e342e576d99e2e0d0836eccb8b590fdcfbc66147d025145704a752b4f4fdfd
Instruction Fuzzy Hash: 59916021A18E8385FB61BE1198003B9E7B0AF49BFCF844431DE5D46795EE2DE64EC721

Function 00007FF7197EEF70 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7197E1DDF), ref: 00007FF7197EEF9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0000000100000000,?,00007FF7197E1DDF), ref: 00007FF7197EEFBF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7197E1DDF), ref: 00007FF7197EEFD0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7197E1DDF), ref: 00007FF7197EEFFE

Strings

/./, xrefs: 00007FF7197EF08C
../, xrefs: 00007FF7197EF069
/.., xrefs: 00007FF7197EF102
/../, xrefs: 00007FF7197EF0CB

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: ../$/..$/../$/./
API String ID: 111713529-456519384
Opcode ID: ccac1b9e9287efd9444afb8238d63996b585ec354a197a44d8b8f163bbca949e
Instruction ID: ecc21e3c8fa0f0d252ae7b030f255563d237ba5920751623ab72a11a687d82c6
Opcode Fuzzy Hash: ccac1b9e9287efd9444afb8238d63996b585ec354a197a44d8b8f163bbca949e
Instruction Fuzzy Hash: A171B822E0DE8685FB626F159510279EBB0AF1ABF8F844131CA5D12AD5DE3CE45FC321

Function 00007FF7197E9B71 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E9BA2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA21A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA258

Strings

Signature, xrefs: 00007FF7197EA03F
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7197EA0FC
FALSE, xrefs: 00007FF7197E9B8D
-----END CERTIFICATE-----, xrefs: 00007FF7197EA1A7
TRUE, xrefs: 00007FF7197E9B94
Cert, xrefs: 00007FF7197EA22E
%s, xrefs: 00007FF7197EA246
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Signature: %s$%s$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$Cert$FALSE$Signature$TRUE
API String ID: 111713529-3006446216
Opcode ID: dcc0e28efd5639a4029cff43ac2cf5110c44896d766acd556051481ea37538c5
Instruction ID: 0f92c5c1976aa41e0ee5e5532142fcd3839d5b372ef6a363f96ca2cbb5542b1f
Opcode Fuzzy Hash: dcc0e28efd5639a4029cff43ac2cf5110c44896d766acd556051481ea37538c5
Instruction Fuzzy Hash: C471A466A0DBC285EB15AF2594102B9BBB0EF497ECF984072CA4D52261DE3DD54FC321

Function 00007FF7197E3BE0 Relevance: 24.2, APIs: 14, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3CA2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3CDA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3CED
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3D21
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3D2C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3DE2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3DEB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3DF6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3EE1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3EEA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3EF5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3F6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3F74
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E3F7F

Part of subcall function 00007FF7197E4370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E4380
Part of subcall function 00007FF7197E4370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E4391
Part of subcall function 00007FF7197E4370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E43A3

Strings

DIGEST-MD5 handshake failure (empty challenge message), xrefs: 00007FF7197E3F8C
WDigest, xrefs: 00007FF7197E3C8C, 00007FF7197E3DA4

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: DIGEST-MD5 handshake failure (empty challenge message)$WDigest
API String ID: 2190258309-1086287758
Opcode ID: 61df0cd0fd5ffcd58d3581005d215a63fb8c56d6a798115e226da23dc31d156c
Instruction ID: 8f7636afaf6c1b800bb6012842f4d019a4bf9d480dea1f00381b2d23b5b37d27
Opcode Fuzzy Hash: 61df0cd0fd5ffcd58d3581005d215a63fb8c56d6a798115e226da23dc31d156c
Instruction Fuzzy Hash: 5BB11F76A08F428AEB50AF65E8442ADB7B4FB48BA8F800035DA4D57B64DF3CD55EC710

Function 00007FF7197EA930 Relevance: 24.2, APIs: 1, Strings: 15, Instructions: 179COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EAA43

Strings

RSA Public Key, xrefs: 00007FF7197EAA2F
RSA Public Key (%lu bits), xrefs: 00007FF7197EA9FE
dhpublicnumber, xrefs: 00007FF7197EAB66
dsa(p), xrefs: 00007FF7197EAADD
rsa(e), xrefs: 00007FF7197EAA7B
dh(g), xrefs: 00007FF7197EABD0
dsa, xrefs: 00007FF7197EAAA5
rsa(n), xrefs: 00007FF7197EAA50
dsa(q), xrefs: 00007FF7197EAB0C
dh(pub_key), xrefs: 00007FF7197EABE6
rsaEncryption, xrefs: 00007FF7197EA975
dsa(pub_key), xrefs: 00007FF7197EAB52
dh(p), xrefs: 00007FF7197EAB9F
%lu, xrefs: 00007FF7197EAA18
dsa(g), xrefs: 00007FF7197EAB3C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: RSA Public Key (%lu bits)$%lu$RSA Public Key$dh(g)$dh(p)$dh(pub_key)$dhpublicnumber$dsa$dsa(g)$dsa(p)$dsa(pub_key)$dsa(q)$rsa(e)$rsa(n)$rsaEncryption
API String ID: 1294909896-1220118048
Opcode ID: 12e8450aae44aecd2915e7e3fd89310d281b1443ee42efbc8dd65cb203dc3a3c
Instruction ID: 405988c41792150e758f861d96ed8d23eda9807e0a592deb231ab374cc05976a
Opcode Fuzzy Hash: 12e8450aae44aecd2915e7e3fd89310d281b1443ee42efbc8dd65cb203dc3a3c
Instruction Fuzzy Hash: D2714D65A08F4645EB64BF5195401F9A3B1FF89BE8F884032EE4D17789DE3CD60EC6A0

Function 00007FF7197E0E4C Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 254COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E10B8
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E1110
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E111D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E1211
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E121F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E126E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E1286

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloctolower
String ID: %%%02x
API String ID: 1244608590-4020994737
Opcode ID: 4304f011963a291b5022b5287124f6b59f2eb77fbcfcaea88a7cf8ac2137bda7
Instruction ID: df818519ab072ab45e26c0fdaac0be3f71a4a9945c5725986da5793a31a13d5b
Opcode Fuzzy Hash: 4304f011963a291b5022b5287124f6b59f2eb77fbcfcaea88a7cf8ac2137bda7
Instruction Fuzzy Hash: 19A1B711A0DA8245FB61AF21A4113B9ABF0AF49BECF884071DA8D562D5DE3DE54F8330

Function 00007FF7197AD0D0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 161fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AD13D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AD15D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197AD191
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197AD1B2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AD1D5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AD1E6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197AD208
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AD2BF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197AD2D4

Strings

ignoring failed cookie_init for %s, xrefs: 00007FF7197AD212
Set-Cookie:, xrefs: 00007FF7197AD246
-, xrefs: 00007FF7197AD184
none, xrefs: 00007FF7197AD152

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: -$Set-Cookie:$ignoring failed cookie_init for %s$none
API String ID: 4109794434-3368278292
Opcode ID: 2c913e53c431cad10cc60873120bcae64eaa2d6f776dbdc73628fa919b1aa852
Instruction ID: 3e6af34345b96f357d993729bf7e6c4e96fa226cc33f64e488e5ad8c71297f35
Opcode Fuzzy Hash: 2c913e53c431cad10cc60873120bcae64eaa2d6f776dbdc73628fa919b1aa852
Instruction Fuzzy Hash: 35619F21A0DE8282EA55AF2594042B9A7B4AF5DFE8F8C4034DE8D07795DE3CE44EC720

Function 00007FF7197CF130 Relevance: 22.8, APIs: 1, Strings: 14, Instructions: 321COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF7197CF188

Strings

CAPABILITY, xrefs: 00007FF7197CF550
PREA, xrefs: 00007FF7197CF1C4
UID, xrefs: 00007FF7197CF4B7
EXAMINE, xrefs: 00007FF7197CF457
Unexpected continuation response, xrefs: 00007FF7197CF5CE
LIST, xrefs: 00007FF7197CF36C
FETCH, xrefs: 00007FF7197CF2FC, 00007FF7197CF412
EXPUNGE, xrefs: 00007FF7197CF487
SELECT, xrefs: 00007FF7197CF43F
SEARCH, xrefs: 00007FF7197CF29C, 00007FF7197CF46F
LSUB, xrefs: 00007FF7197CF49F
STORE, xrefs: 00007FF7197CF3BA
NOOP, xrefs: 00007FF7197CF4CF
, xrefs: 00007FF7197CF191

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcmp
String ID: $CAPABILITY$EXAMINE$EXPUNGE$FETCH$LIST$LSUB$NOOP$PREA$SEARCH$SELECT$STORE$UID$Unexpected continuation response
API String ID: 1475443563-555813803
Opcode ID: af6e3256e8de3ca922875de9d61c64c9627a73b0c8b11df895c0859135768475
Instruction ID: 8b5f5233d9169014e057ca82da017ac44154d5f446518b6618f466d75804e644
Opcode Fuzzy Hash: af6e3256e8de3ca922875de9d61c64c9627a73b0c8b11df895c0859135768475
Instruction Fuzzy Hash: A3D15D61E28A4361FB25BE25D5043B8E6B1AF197FCFC84032DA1D46585EE6CE94FC321

Function 00007FF7197CAB30 Relevance: 22.7, APIs: 15, Instructions: 160COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,00007FF7197CADE6), ref: 00007FF7197CAB4B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197CAB6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CAB8C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CAB95

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID:
API String ID: 111713529-0
Opcode ID: 046c08a381a9ff15b06ac0f62b3d4518ee0341a711aa81c08be52ec43276c146
Instruction ID: 8c8068b1631a3023d7cba18ce14f731fbc41a374521f071e0a9e1e23809d1e73
Opcode Fuzzy Hash: 046c08a381a9ff15b06ac0f62b3d4518ee0341a711aa81c08be52ec43276c146
Instruction Fuzzy Hash: 14615A26A15B42C6E729EF16A844529B3B4FF4CBAAB854035DE4D43760EF3CE49AC710

Function 00007FF7197D3A80 Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 279COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D3BA0

Strings

Failure sending ABOR command: %s, xrefs: 00007FF7197D3CC1
Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 00007FF7197D3E76
Received only partial file: %I64d bytes, xrefs: 00007FF7197D3EAE
Remembering we are in dir "%s", xrefs: 00007FF7197D3C38
No data was received!, xrefs: 00007FF7197D3EDC
server did not report OK, got %d, xrefs: 00007FF7197D3E0E
control connection looks dead, xrefs: 00007FF7197D3D92
ABOR, xrefs: 00007FF7197D3C9B
partial download completed, closing connection, xrefs: 00007FF7197D3DD3

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: ABOR$Failure sending ABOR command: %s$No data was received!$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
API String ID: 1294909896-2312071747
Opcode ID: 5143c24113489db69a17f24ed2df36d92f8a309dcef420bbcd250db6b6dbb452
Instruction ID: 16d3d0bec8d28cf8bb881bad182f191aa20f76c2716339cbf67d9b592ff2a27d
Opcode Fuzzy Hash: 5143c24113489db69a17f24ed2df36d92f8a309dcef420bbcd250db6b6dbb452
Instruction Fuzzy Hash: F3D17421A08E8255EA64AF2594403B9E2B1FF497FCFC40235DA6E436C2DF7CE45E8321

Function 00007FF7197A2AD0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7197A2AF2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2AFA
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2B19
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2B25
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A2B34
strrchr.VCRUNTIME140 ref: 00007FF7197A2B85
strrchr.VCRUNTIME140 ref: 00007FF7197A2BA6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2BCA
GetLastError.KERNEL32 ref: 00007FF7197A2BD3
SetLastError.KERNEL32 ref: 00007FF7197A2BDF

Strings

Unknown error %d (%#x), xrefs: 00007FF7197A2B67

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_nerrstrerrorstrncpy
String ID: Unknown error %d (%#x)
API String ID: 4262108436-2414550090
Opcode ID: ae376228017f6d9df3f8ad0e570797e3ac83267cd8e81d061c6f7288d7f522bb
Instruction ID: b24a534d25c2f48ea663684b208cdd877feb9223fa988dd34cb67a951fd1b04b
Opcode Fuzzy Hash: ae376228017f6d9df3f8ad0e570797e3ac83267cd8e81d061c6f7288d7f522bb
Instruction Fuzzy Hash: 5F315021B0DE5287EA157F11A814279E671AF88FE8F884035D95E17795FE3CE40F8720

Function 00007FF7197DBDD0 Relevance: 19.7, APIs: 4, Strings: 9, Instructions: 151stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7197DBE3B
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197DBF65

Part of subcall function 00007FF7197A8800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7197B2DF0), ref: 00007FF7197A8827
Part of subcall function 00007FF7197A8800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7197B2DF0), ref: 00007FF7197A8833

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197DBF1F

Part of subcall function 00007FF7197A8760: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A8770

Strings

%127[^= ]%*[ =]%255s, xrefs: 00007FF7197DBEE0
BINARY, xrefs: 00007FF7197DC00E
%hu%*[xX]%hu, xrefs: 00007FF7197DBFE9
XDISPLOC, xrefs: 00007FF7197DBF3B
Unknown telnet option %s, xrefs: 00007FF7197DC05D
USER,%s, xrefs: 00007FF7197DBE60
Syntax error in telnet option: %s, xrefs: 00007FF7197DC076
TTYPE, xrefs: 00007FF7197DBEF5
NEW_ENV, xrefs: 00007FF7197DBF81

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freestrncpy$_strdupmemset
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 3826632026-748038847
Opcode ID: defb278e5fb43f9904040db865061a664c89e5a75ffd3507e4d4b7f87a7d24a0
Instruction ID: f2de7b36df9b6b449b4d4043cdccbf908cc4dcd3be2fb722df27db914d71bdb0
Opcode Fuzzy Hash: defb278e5fb43f9904040db865061a664c89e5a75ffd3507e4d4b7f87a7d24a0
Instruction Fuzzy Hash: 9B714D32A08EC294EB21AF14D4417E9A3B0FF887E8F884032DA4D47255EF39D55EC7A1

Function 00007FF7197DEED0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 222networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF7197DF043
sendto.WS2_32 ref: 00007FF7197DF0FC
WSAGetLastError.WS2_32 ref: 00007FF7197DF10A

Strings

Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF7197DEF3D
tftp_tx: giving up waiting for block %d ack, xrefs: 00007FF7197DF0B4
tftp_tx: internal error, event: %i, xrefs: 00007FF7197DEF28
Received ACK for block %d, expecting %d, xrefs: 00007FF7197DF095

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: sendto$ErrorLast
String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
API String ID: 4042023021-4197595102
Opcode ID: e6d3354479b08fe46eb171804f2bc85acfc2093ed9cf5445a9fede18adf3ff93
Instruction ID: 3d937f116f840edefd980c1933ead1d8c64691c230e0ad9106734b189f0ab631
Opcode Fuzzy Hash: e6d3354479b08fe46eb171804f2bc85acfc2093ed9cf5445a9fede18adf3ff93
Instruction Fuzzy Hash: 61B17D76618A82C6E721AF25D4442ADB7B0FF89BDCF844032DE4D4B758DE38E54AC760

Function 00007FF7197DE2B0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF7197DE428
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197DE443
sendto.WS2_32 ref: 00007FF7197DE4AA
sendto.WS2_32 ref: 00007FF7197DE561
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197DE599

Strings

tftp_rx: internal error, xrefs: 00007FF7197DE2FE
Received unexpected DATA packet block %d, expecting block %d, xrefs: 00007FF7197DE5A1
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF7197DE322
Received last DATA packet block %d again., xrefs: 00007FF7197DE4F5

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: sendto$_time64
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 2327272419-1785996722
Opcode ID: ca74b5d797968b145f31a942eebc3c3538b7aaa53208e05d582363c840217583
Instruction ID: f883651be552195c9e4e886d9a9b5d4dc44d9227a010fab3835350fbf6c654df
Opcode Fuzzy Hash: ca74b5d797968b145f31a942eebc3c3538b7aaa53208e05d582363c840217583
Instruction Fuzzy Hash: EE912A72618A81C6D7129F29D4543A9BBB0FB8CBD8F848132DA4D47758EE39E50AC760

Function 00007FF7197B6EB0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B6EED
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B6F6F
strchr.VCRUNTIME140 ref: 00007FF7197B6FEE
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197B701C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B703D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B704F

Strings

Invalid IPv6 address format, xrefs: 00007FF7197B6FD7
No valid port number in connect to host string (%s), xrefs: 00007FF7197B707B
%25, xrefs: 00007FF7197B6F65
Please URL encode %% as %%25, see RFC 6874., xrefs: 00007FF7197B6F79

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$freestrchrstrncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 2070079882-2404041592
Opcode ID: b35e776140a5d9f5433d624f7ea13c1f864f6255c1cd16bf594779d63c7b5ad1
Instruction ID: ba1595661c9d656e907fd5730af5807415c437b84a920b5d153c4dd2e5b13ddf
Opcode Fuzzy Hash: b35e776140a5d9f5433d624f7ea13c1f864f6255c1cd16bf594779d63c7b5ad1
Instruction Fuzzy Hash: 4951D651A0CE9249EB51AF259420379E7F19F59BFCF884032DB5E06681EE2CE64F8321

Function 00007FF7197ACEC0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 143fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACEFE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ACF1E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197ACF50
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197ACF6D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACF8B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACF9C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197ACFBC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7197A4880), ref: 00007FF7197AD06F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7197A4880), ref: 00007FF7197AD085

Strings

Set-Cookie:, xrefs: 00007FF7197ACFF6
none, xrefs: 00007FF7197ACF13

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: Set-Cookie:$none
API String ID: 4109794434-3629594122
Opcode ID: 6c807f11d440087a69fe8ac8c8c949c781a5c189116f017ecbe976bfbf3d813b
Instruction ID: 41e37ad562d90e121faf1d946ee79e5e5ea2b096ac28bf40f2716adfe8047173
Opcode Fuzzy Hash: 6c807f11d440087a69fe8ac8c8c949c781a5c189116f017ecbe976bfbf3d813b
Instruction Fuzzy Hash: BA519621A0DF8292EA55AF21551027AA6B0AF4DFE8F8C4434DE5E06791DF2CE54FC324

Function 00007FF7197ADA30 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197ADA53
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAA9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAB3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADABD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADADB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAE5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAEF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ADAF8

Strings

mw1 chair, xrefs: 00007FF7197ADA46

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_time64
String ID: mw1 chair
API String ID: 3087401894-2267673244
Opcode ID: 438e2d16cbbf680f8aaa732edc43dd016b5c5608ec2873bf47d827aae19b89fa
Instruction ID: 4402657c8592fb78a8b43e9c20512a749a97ad38a8a05e357837b87ec376b818
Opcode Fuzzy Hash: 438e2d16cbbf680f8aaa732edc43dd016b5c5608ec2873bf47d827aae19b89fa
Instruction Fuzzy Hash: E221C926A09E41C6DB54AF21E844129A3B4FB4CFF8F484431DE4E47764DE38D99EC750

Function 00007FF7197BDC50 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7197BDFE6

Strings

operation aborted by callback, xrefs: 00007FF7197BDDBD
Unable to allocate trailing headers buffer !, xrefs: 00007FF7197BDCC3
Read callback asked for PAUSE when not supported!, xrefs: 00007FF7197BDE49
operation aborted by trailing headers callback, xrefs: 00007FF7197BDDDD
Signaling end of chunked upload via terminating chunk., xrefs: 00007FF7197BDF7A
Signaling end of chunked upload after trailers., xrefs: 00007FF7197BE030
%zx%s, xrefs: 00007FF7197BDF07
read function returned funny value, xrefs: 00007FF7197BDE8B
Moving trailers state machine from initialized to sending., xrefs: 00007FF7197BDC91
Successfully compiled trailers., xrefs: 00007FF7197BDD2A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: %zx%s$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$Unable to allocate trailing headers buffer !$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
API String ID: 3510742995-1652449680
Opcode ID: 1d0e4f870c9275fc57c7f2d92d8c84fb70c3059963f5b244d831471b159a6669
Instruction ID: aa154133b6330450c5e935696eb75c937251fbe02beedf86913b2a012d58069c
Opcode Fuzzy Hash: 1d0e4f870c9275fc57c7f2d92d8c84fb70c3059963f5b244d831471b159a6669
Instruction Fuzzy Hash: 26A14371A08E8285E750AF2198503F9A371EF59BECF881131DE5E5B285EE3DE54EC321

Function 00007FF7197CFA90 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 207COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CFBC0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CFBD6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CFC39

Strings

Mime-Version: 1.0, xrefs: 00007FF7197CFCE1
Mime-Version, xrefs: 00007FF7197CFCC6
SELECT %s, xrefs: 00007FF7197CFC25
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_, xrefs: 00007FF7197CFAA8
Cannot APPEND with unknown input file size, xrefs: 00007FF7197CFD37
Cannot APPEND without a mailbox., xrefs: 00007FF7197CFC64
Cannot SELECT without a mailbox., xrefs: 00007FF7197CFBEF
APPEND %s (\Seen) {%I64d}, xrefs: 00007FF7197CFD6D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_$APPEND %s (\Seen) {%I64d}$Cannot APPEND with unknown input file size$Cannot APPEND without a mailbox.$Cannot SELECT without a mailbox.$Mime-Version$Mime-Version: 1.0$SELECT %s
API String ID: 1294909896-3146291949
Opcode ID: fcce8195664e008045b76721e0f5f56f01232a526dbbf4073a8fb32cf5b5ce04
Instruction ID: 009bf8e7103c2c9f31967364102a37e2beeff795ea5bb84f123962749bfd15f3
Opcode Fuzzy Hash: fcce8195664e008045b76721e0f5f56f01232a526dbbf4073a8fb32cf5b5ce04
Instruction Fuzzy Hash: 78915C21B18E4385FA64AF2195A03B9A6B0AF4DBFCF844435DE4D47681EF2CE54E8360

Function 00007FF719785E1A Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 265sleepCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719786056
Sleep.KERNEL32 ref: 00007FF7197860CE
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197860D6
memset.VCRUNTIME140 ref: 00007FF7197860ED
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF719786118
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF71978614F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719786197
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978626C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719786273

Strings

mw1 chair, xrefs: 00007FF7197860B3

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$D@std@@@std@@U?$char_traits@$?setstate@?$basic_ios@?write@?$basic_ostream@SleepV12@exitmemset
String ID: mw1 chair
API String ID: 469218636-2267673244
Opcode ID: e9d69940daeca3089da93960d06864f2c159207c53fc6d4e26000cc3f19c9224
Instruction ID: ed894f1eaea8a0a7fc5e6a94ba60129eacf9d6d60829314ef79f23064dab3cf9
Opcode Fuzzy Hash: e9d69940daeca3089da93960d06864f2c159207c53fc6d4e26000cc3f19c9224
Instruction Fuzzy Hash: 4EB1A0B2B14E8582EB14EF25E4593BDA371EF49BDCF804035D64D0AAAADF6DD48D8310

Function 00007FF7197C03E0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C0471
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C04B8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C0554
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C056A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C058B
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197C05DA
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197C062A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C065F

Strings

Shuffling %i addresses, xrefs: 00007FF7197C045A
:%u, xrefs: 00007FF7197C05EE

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$_time64calloctolower
String ID: :%u$Shuffling %i addresses
API String ID: 133842801-338667637
Opcode ID: 5d00e41b3b0ad582ab8dbb05fea8c198c055f6760d7905ee3da7e34754aed76e
Instruction ID: 779b32bdd1e5ca3ab00110d873502d62a2b2c58b0982619f9038966b3005f4d4
Opcode Fuzzy Hash: 5d00e41b3b0ad582ab8dbb05fea8c198c055f6760d7905ee3da7e34754aed76e
Instruction Fuzzy Hash: 21717C72A19E4286EB51AF11E5007A9A2B1FF49BF8F844131DE4E07794EE3CE54EC360

Function 00007FF7197BE050 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 162COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BE0CA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197BE0E5
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197BE162
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BE1EC

Strings

Maximum (%ld) redirects followed, xrefs: 00007FF7197BE1B7
Switch from POST to GET, xrefs: 00007FF7197BE2B6
HEAD, xrefs: 00007FF7197BE257
Issue another request to this URL: '%s', xrefs: 00007FF7197BE1F7
Switch to %s, xrefs: 00007FF7197BE277
GET, xrefs: 00007FF7197BE25E

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s
API String ID: 1865132094-1312055526
Opcode ID: 9907b23e1b6f092e0006c1e13a0917ba08d20805789ae0a57308112c53d3db7b
Instruction ID: c9b7bae7e1bb8cce3c0d08bdd0030b77d6c6610596a69890ffa62a55fd80ec8c
Opcode Fuzzy Hash: 9907b23e1b6f092e0006c1e13a0917ba08d20805789ae0a57308112c53d3db7b
Instruction Fuzzy Hash: 1D71B461A08E8384E760AF2494402BDA6B1EF59BECF980431DE4E47795DE3CE58FC361

Function 00007FF7197B4030 Relevance: 17.6, APIs: 14, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B40AD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B40CA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B40DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B40FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4117
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B413A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B414E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4162
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4188
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B419C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B41B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B41FF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B420C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4235

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6cefe85152018310b758b62e3db5e15f79b41bcbb26ea0b419b40de666a00e07
Instruction ID: f12230cc6a35c6757aa79a734e8949449bf690e11746f0e52ff56212862c26fe
Opcode Fuzzy Hash: 6cefe85152018310b758b62e3db5e15f79b41bcbb26ea0b419b40de666a00e07
Instruction Fuzzy Hash: 7D51BD35A09E8285EB54AF21D8912FD63B0EF98FE8F884035DE0F4B655CE39955E8360

Function 00007FF719785D40 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 43libraryloaderwindowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00007FF719785D6F
LoadLibraryA.KERNEL32 ref: 00007FF719785D7C
GetProcAddress.KERNEL32 ref: 00007FF719785D8C
GetModuleHandleA.KERNEL32 ref: 00007FF719785D9C
GetProcAddress.KERNEL32 ref: 00007FF719785DAC

Strings

ntdll.dll, xrefs: 00007FF719785D75, 00007FF719785D92
Detection., xrefs: 00007FF719785D66
| Woofer, xrefs: 00007FF719785D5F
NtRaiseHardError, xrefs: 00007FF719785DA5
RtlAdjustPrivilege, xrefs: 00007FF719785D85

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadMessageModule
String ID: | Woofer$Detection.$NtRaiseHardError$RtlAdjustPrivilege$ntdll.dll
API String ID: 433497748-3965849657
Opcode ID: fb54dbda07cf8bc06856ed5105a12d84837f352485b1eccd2071a13943dd5e3c
Instruction ID: 02387886f371336ae04d7c33e4d8efd883b9c69a33b04166d306783c6c953fe4
Opcode Fuzzy Hash: fb54dbda07cf8bc06856ed5105a12d84837f352485b1eccd2071a13943dd5e3c
Instruction Fuzzy Hash: CE118F61B18E4282EB40AF20F8545A6B3B0FF88BE8FC51036E95E17624EE7CD15E8710

Function 00007FF7197E12A1 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E1211
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E121F
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E131D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E1386
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E139E

Part of subcall function 00007FF7197E02F0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0300

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E13C6
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E13DD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E1402
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E144F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E1464

Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15AC
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15B6
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15C0
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15CA
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15D4
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15DE
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15E8
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15F2
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E15FC
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E1606
Part of subcall function 00007FF7197E15A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E1610

Strings

,, xrefs: 00007FF7197E12E4
:, xrefs: 00007FF7197E12C7

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$calloc$_strdup
String ID: ,$:
API String ID: 2460172880-4193410690
Opcode ID: 45e6e0631cfad8b1a7283d808e92a888af468885c436e9bac817c975c4aea011
Instruction ID: 79d76c543df486fd47fb268b85ae5f3534b02fb3a60877f629119e1f2e8d4633
Opcode Fuzzy Hash: 45e6e0631cfad8b1a7283d808e92a888af468885c436e9bac817c975c4aea011
Instruction Fuzzy Hash: 4C515312E18E8682E711AF35A9112B9A370BF59BECF445234DE8D65652EF3CF1DE8310

Function 00007FF7197AF9F0 Relevance: 16.6, APIs: 11, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7197AFA37
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7197AFA47
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AFA5E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AFADA
strrchr.VCRUNTIME140 ref: 00007FF7197AFAF7
strrchr.VCRUNTIME140 ref: 00007FF7197AFB07
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AFB37
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AFB43
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AFB52
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AFB63
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AFB79

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$free$strrchr$_access_stat64
String ID:
API String ID: 2557200964-0
Opcode ID: 7c3cff2b3ef456d16800c9b9f9038c5d8787ff223932a89e2d26e378143c9103
Instruction ID: a60decb6918b5000011082db6b9c5c9d337b433364af5884fa54619e0b422d60
Opcode Fuzzy Hash: 7c3cff2b3ef456d16800c9b9f9038c5d8787ff223932a89e2d26e378143c9103
Instruction Fuzzy Hash: FE413121B09F4289EA54AF12A450279A2B0FF4DFE8F984134DA5D47B90EF3CE55F8350

Function 00007FF7197B4D20 Relevance: 16.4, APIs: 13, Instructions: 164stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7197B4D58
strchr.VCRUNTIME140 ref: 00007FF7197B4D7F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4E34
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4E5A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4E7B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4E8C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4E95
memcpy.VCRUNTIME140 ref: 00007FF7197B4EB3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4EC7
memcpy.VCRUNTIME140 ref: 00007FF7197B4EE4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4EF9
memcpy.VCRUNTIME140 ref: 00007FF7197B4F11
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B4F26

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy$strchr
String ID:
API String ID: 1615377186-0
Opcode ID: 1b3443cf87eed5acae2277f64f1068bfd47a751939e274cd3a55bae2d505e066
Instruction ID: 1d8565a9f4f9a9f8d7743095f7251454c01f653e57eb7f14cedb9510adc19afa
Opcode Fuzzy Hash: 1b3443cf87eed5acae2277f64f1068bfd47a751939e274cd3a55bae2d505e066
Instruction Fuzzy Hash: C251A226B09F8585EA65AF15A504279E2B1BF5CFE8F884430DE4E47754DF3CE51E8320

Function 00007FF7197B6C40 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6C84
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6C98
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6CBC
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B6CC9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6CF2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B6CFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6D30
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B6D3D

Strings

Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF7197B6DC9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID: Couldn't find host %s in the .netrc file; using defaults
API String ID: 2653869212-3983049644
Opcode ID: c5967fc71555211af66f93549368ac0787aff9712fcd8b1ec61bcbc1da8be470
Instruction ID: a8186d70a1ae3287f5fbe228ed32ea091e72fae0dd4733f467f703fcc1e9119e
Opcode Fuzzy Hash: c5967fc71555211af66f93549368ac0787aff9712fcd8b1ec61bcbc1da8be470
Instruction Fuzzy Hash: BF716025A08F8286EB65AF25D454369A7B0FF98BB8F440031DB5E47290DF3DE65EC720

Function 00007FF7197B6BE8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6C84
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6C98
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6CBC
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B6CC9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6CF2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B6CFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B6D30
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B6D3D

Strings

Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF7197B6DC9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID: Couldn't find host %s in the .netrc file; using defaults
API String ID: 2653869212-3983049644
Opcode ID: d490d36abb045a0d646bf9579259c763c452da942bdf1d247ca7e4215ccab2cf
Instruction ID: a9c6d264038dc1be9704e5b0a74aec1fc969923553d6e50bdecd9f72a5c2017a
Opcode Fuzzy Hash: d490d36abb045a0d646bf9579259c763c452da942bdf1d247ca7e4215ccab2cf
Instruction Fuzzy Hash: 16519062A09F8286EB55AF21D854369A7B0FF58BA8F850031DB4E47390DF3DE55EC720

Function 00007FF7197A2C10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7197A2C2C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2C34
FormatMessageA.KERNEL32 ref: 00007FF7197A2C6E
strchr.VCRUNTIME140 ref: 00007FF7197A2C83
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2CCC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2CD6
GetLastError.KERNEL32 ref: 00007FF7197A2CDE
SetLastError.KERNEL32 ref: 00007FF7197A2CEA

Strings

Unknown error %u (0x%08X), xrefs: 00007FF7197A2CBA

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchr
String ID: Unknown error %u (0x%08X)
API String ID: 1897771742-1058733786
Opcode ID: 828dffa4292e285c7d5c59183524564e138454dc45eadcbfa36f0b9c43bcb2a7
Instruction ID: 1405021499c15ce6cba12cc8e2b5667e14e1917585b13428ac9d510b0fbdcb71
Opcode Fuzzy Hash: 828dffa4292e285c7d5c59183524564e138454dc45eadcbfa36f0b9c43bcb2a7
Instruction Fuzzy Hash: 86215532A0CF9186E7216F21A80422AFAB1BF5CFE8F894434DE5A13755DE3CD54E8720

Function 00007FF7197F01B0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197F027A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197F02C8
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197F032B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197F0469

Part of subcall function 00007FF7197E4210: strchr.VCRUNTIME140(00000000,?,?,00007FF7197E37CF), ref: 00007FF7197E4256
Part of subcall function 00007FF7197E4210: strchr.VCRUNTIME140(00000000,?,?,00007FF7197E37CF), ref: 00007FF7197E4266
Part of subcall function 00007FF7197E4210: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00007FF7197E37CF), ref: 00007FF7197E4290
Part of subcall function 00007FF7197E4210: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E42C5
Part of subcall function 00007FF7197E4210: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E42EA
Part of subcall function 00007FF7197E4210: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E430C

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197F04F4

Strings

Kerberos, xrefs: 00007FF7197F0243, 00007FF7197F02E5
GSSAPI handshake failure (empty challenge message), xrefs: 00007FF7197F0373
GSSAPI, xrefs: 00007FF7197F01B3

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$callocmallocstrchr$freestrncpy
String ID: GSSAPI$GSSAPI handshake failure (empty challenge message)$Kerberos
API String ID: 370574955-353107822
Opcode ID: cb9a99615fade19466be043fa1b3104e54943aae220dedc29c1bf24f12d4554c
Instruction ID: d1352c8825b5cad2164d6e8192ba3fdfa94e9e47c4bf2bbeeb57361260f6a171
Opcode Fuzzy Hash: cb9a99615fade19466be043fa1b3104e54943aae220dedc29c1bf24f12d4554c
Instruction Fuzzy Hash: 8BA11832B08F418AEB519F65E44066DB3B5FB48BA8F800036DE5D67B58EF38E45AC750

Function 00007FF7197AC275 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC2BA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC2DA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC32B

Part of subcall function 00007FF7197ADB40: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197ADB46

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC431

Strings

FALSE, xrefs: 00007FF7197AC40B
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF7197AC6D7
Added, xrefs: 00007FF7197AC6CD
Replaced, xrefs: 00007FF7197AC6C1

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 1169197092-2292467869
Opcode ID: 7f2fdd6674d5bb714ed88ad96ccbfa3a30a8a17a8f74412af12df730ef2673ce
Instruction ID: 42eb4e693e61d5fe1513367165ea996ced623b9bb28781bc5ac22220b049c708
Opcode Fuzzy Hash: 7f2fdd6674d5bb714ed88ad96ccbfa3a30a8a17a8f74412af12df730ef2673ce
Instruction Fuzzy Hash: B4916161E08B8295EF71AF15D540379A7B4EF5DBE8F8C0035DA8E46791EE2CE44E8360

Function 00007FF719782FD0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71978BF80: memcpy.VCRUNTIME140(?,?,?,00007FF71978165A), ref: 00007FF71978C073

Part of subcall function 00007FF71978BF80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF71978165A), ref: 00007FF71978C052
Part of subcall function 00007FF71978BF80: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71978C08F

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF7197816F3), ref: 00007FF719783257
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF7197816F3), ref: 00007FF71978325E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF7197816F3), ref: 00007FF719783265
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF7197816F3), ref: 00007FF71978326C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF7197816F3), ref: 00007FF719783273

Strings

mw1 chair, xrefs: 00007FF719783026
1.0, xrefs: 00007FF71978305D
Y0rrtC1OKt, xrefs: 00007FF71978303D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskmemcpy
String ID: 1.0$Y0rrtC1OKt$mw1 chair
API String ID: 2318677668-3633289234
Opcode ID: 705248eb33d8f3939465d25023a88a91d75f94263a864732848d90439f3a2b19
Instruction ID: a8213f7641a6470651668530ab223d24b6fe7d49d0de7dd248e535d1abba2369
Opcode Fuzzy Hash: 705248eb33d8f3939465d25023a88a91d75f94263a864732848d90439f3a2b19
Instruction Fuzzy Hash: 4D716962A08E8685EB00EF25E849378B371FF19BE8F814031CA5C07666DF3DE49E8354

Function 00007FF719793970 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197949D2
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7197949FE
__std_exception_destroy.VCRUNTIME140 ref: 00007FF719794A0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719794A45
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719794A98

Strings

mw1 chair, xrefs: 00007FF719793978
value, xrefs: 00007FF719794935

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: mw1 chair$value
API String ID: 1346393832-2545578270
Opcode ID: 57e3dbda99839a8dc92583b0fcac46b78f087c55e55c3b4e767ec8f40a75702c
Instruction ID: 6077d87c681a21f6e2491f5c45aae747dd6f38b63370b9ff20da716d8805b9d5
Opcode Fuzzy Hash: 57e3dbda99839a8dc92583b0fcac46b78f087c55e55c3b4e767ec8f40a75702c
Instruction Fuzzy Hash: 75618362A18E9185EB00DF79E4453ADA371FF497F8F904721EA6C12AD9DF6CD08A8314

Function 00007FF7197B70B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B718C
strchr.VCRUNTIME140 ref: 00007FF7197B71C0
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197B71E0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B7264

Strings

anonymous, xrefs: 00007FF7197B70C0
Connecting to hostname: %s, xrefs: 00007FF7197B723B
%s%s%s, xrefs: 00007FF7197B714F
Connecting to port: %d, xrefs: 00007FF7197B7280

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$strchrstrtol
String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d$anonymous
API String ID: 137861075-1224060940
Opcode ID: 6c949b7d4b1aa729aeef2ffb47019a417abc63240e34f692c98d61cdc8fc0b42
Instruction ID: 44f813657221e681f6abb27c3ecd92d502254fcc066ea2d1cb9397e89ad54a8f
Opcode Fuzzy Hash: 6c949b7d4b1aa729aeef2ffb47019a417abc63240e34f692c98d61cdc8fc0b42
Instruction Fuzzy Hash: 1E517421A09E8644EB21AF15A8502E9E7B0BF59BECF984135ED5E07B94DE3CD64EC310

Function 00007FF7197A02CA Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 142stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A09BF
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197A09E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A09F2

Strings

invalid number; expected digit after '.', xrefs: 00007FF7197A071E
invalid number; expected '+', '-', or digit after exponent, xrefs: 00007FF7197A07F4

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _errno$strtoull
String ID: invalid number; expected '+', '-', or digit after exponent$invalid number; expected digit after '.'
API String ID: 642117244-808606891
Opcode ID: 8902456e66217ee55b860f8d8cb4530046c5afb76a7645c78c19ab9c290671e8
Instruction ID: 076a957cd2f026c9c838caa6e83c80cbb1cef61939d3b5254c4aae8644ac2e88
Opcode Fuzzy Hash: 8902456e66217ee55b860f8d8cb4530046c5afb76a7645c78c19ab9c290671e8
Instruction Fuzzy Hash: 26611D32A09E0186EB51AF25D444238A3B1FF4AFACF944531C65E42298DF3CE85EC761

Function 00007FF7197D8421 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140 ref: 00007FF7197D8433
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D844E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D847A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D849F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D857C

Strings

Wildcard - Parsing started, xrefs: 00007FF7197D8517

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$callocfreestrrchr
String ID: Wildcard - Parsing started
API String ID: 2641349667-2274641867
Opcode ID: 0e526262335314e114e3f39f03f5603044f14b716cc47db1ef4ee5b0bd1b9aa3
Instruction ID: 42cbc1c0ab9401ffb65124ce6277ae2dca563a1f0d017596cc38b4bfdac74ffa
Opcode Fuzzy Hash: 0e526262335314e114e3f39f03f5603044f14b716cc47db1ef4ee5b0bd1b9aa3
Instruction Fuzzy Hash: A8514B36A08F42C5EB51EF15A4401B8A7F5EF88BA8F854435DA5E4B350EF38E55EC321

Function 00007FF7197E8A0C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E8A33
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
FALSE, xrefs: 00007FF7197E8A28
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID: Serial Number: %s$ Signature Algorithm: %s$FALSE$Serial Number$Signature Algorithm
API String ID: 2653869212-3672398475
Opcode ID: 9d8f891f3f41c8b3d74b0a738b1040c2e8b4441d78403fd54293a66e47e57d10
Instruction ID: 3b7cd7356f3904fa01864e9e034fa58c4bd2cf4a24b116fb834e7efe37f2a556
Opcode Fuzzy Hash: 9d8f891f3f41c8b3d74b0a738b1040c2e8b4441d78403fd54293a66e47e57d10
Instruction Fuzzy Hash: 61418D65B08B8284EB11BF2594142F9A7B1BF49BECF880431DE0E27755DE3CE54E8321

Function 00007FF7197A1BD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1C1C
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1C2A
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1C36
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1C5A
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1C6B
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1C79
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1C85

Strings

mw1 chair, xrefs: 00007FF7197A1BD7

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?eback@?$basic_streambuf@?egptr@?$basic_streambuf@?epptr@?$basic_streambuf@?gptr@?$basic_streambuf@?pbase@?$basic_streambuf@
String ID: mw1 chair
API String ID: 2869409680-2267673244
Opcode ID: 33b730ec946e25ee1ae6e1b27b3f443e6e38ab79d18b85c3af218aa3595ea471
Instruction ID: 86ef66b49f72091adaf01389b884a2305fab7a4ee6757cc98fe648c30ed10c44
Opcode Fuzzy Hash: 33b730ec946e25ee1ae6e1b27b3f443e6e38ab79d18b85c3af218aa3595ea471
Instruction Fuzzy Hash: 84218162A08F8282E715AF21B844279A7B0BF88FD8F585131DD5E17754EF3CD48E8310

Function 00007FF7197E0990 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 223COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0AE5
memcpy.VCRUNTIME140 ref: 00007FF7197E0B02

Strings

%ld, xrefs: 00007FF7197E0A4E
%%25%s], xrefs: 00007FF7197E0B12
file://%s%s%s, xrefs: 00007FF7197E09DE
file, xrefs: 00007FF7197E09AB
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF7197E0CD2
https, xrefs: 00007FF7197E0A20

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: mallocmemcpy
String ID: %%25%s]$%ld$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 4276657696-1832275178
Opcode ID: 42f83696d0159135b283b10c28c722ee0fb1c877429ee7a9aece8cec63422160
Instruction ID: 474278780db0822482ffdf27345f920d1f7966c574f1b5465d3eec209a32d53d
Opcode Fuzzy Hash: 42f83696d0159135b283b10c28c722ee0fb1c877429ee7a9aece8cec63422160
Instruction Fuzzy Hash: 98A14D65A0DF8684EA65AF11A5403A9A3B4FF48BE8F844135DA5D23758EF3CE45EC320

Function 00007FF7197EC470 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 211COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7197EC518
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EC529
memcpy.VCRUNTIME140 ref: 00007FF7197EC669
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EC6C4
memcpy.VCRUNTIME140 ref: 00007FF7197EC6E1

Strings

cached response data too big to handle, xrefs: 00007FF7197EC761
Excessive server response line length received, %zd bytes. Stripping, xrefs: 00007FF7197EC641
8, xrefs: 00007FF7197EC713
response reading failed, xrefs: 00007FF7197EC701

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$freemalloc
String ID: 8$Excessive server response line length received, %zd bytes. Stripping$cached response data too big to handle$response reading failed
API String ID: 3313557100-1003742340
Opcode ID: 6ae7493d0d287ab86c28a57523b331cd9134d1f8e52e52b0a441fe4f4243fe1b
Instruction ID: 91d16ebcc41c0007653673b18c27dde7f0b2f41c2c0d83bf97ee601b696ff744
Opcode Fuzzy Hash: 6ae7493d0d287ab86c28a57523b331cd9134d1f8e52e52b0a441fe4f4243fe1b
Instruction Fuzzy Hash: 5581B026A08F8186DA54AF26D4403AAA7B0FF587D8F885432DF4E57741DF3CE5AE8350

Function 00007FF7197E8D46 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 169COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8D7F
memcpy.VCRUNTIME140 ref: 00007FF7197E8DAA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3401966785-517259162
Opcode ID: 823f5664b5a20b934c369fde119dcb886468fcd45bb0881e8f87818417b82615
Instruction ID: 2e3bf1939ce05cd8b3247d1d9948cd63b1c4d89a610ed4c2647ee0d61b7406cd
Opcode Fuzzy Hash: 823f5664b5a20b934c369fde119dcb886468fcd45bb0881e8f87818417b82615
Instruction Fuzzy Hash: 6A610951B09E8245EB18BF2584142F997B1BF5DBECF880535D90E2B795DE3CA44F8321

Function 00007FF7197E2DF0 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF7197C6768), ref: 00007FF7197E2F80
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF7197C6768), ref: 00007FF7197E2FB7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF7197C6768), ref: 00007FF7197E2FDE

Strings

NTLM, xrefs: 00007FF7197E2DF6
%sAuthorization: NTLM %s, xrefs: 00007FF7197E2F98, 00007FF7197E3044
HTTP, xrefs: 00007FF7197E2E06
Proxy-, xrefs: 00007FF7197E2F8E, 00007FF7197E303A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
API String ID: 1294909896-3948863929
Opcode ID: e1cf8f286b731ce99fe9b24acb44f2b98678ab5b919b1287ce6d2f2dbce21d3d
Instruction ID: 9399cbb9262d1b20711b11a9b5bea9f75d06b1a66362aef7445ed48cadfb7dcd
Opcode Fuzzy Hash: e1cf8f286b731ce99fe9b24acb44f2b98678ab5b919b1287ce6d2f2dbce21d3d
Instruction Fuzzy Hash: 30618C32A09F8185E760AF05E8483AAB3B5FB48BE8F804036DA8D57754DF3CD54AC710

Function 00007FF71979EBA0 Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979EBD7
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979EBE3
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 00007FF71979EBF9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?epptr@?$basic_streambuf@?pptr@?$basic_streambuf@Pninc@?$basic_streambuf@
String ID:
API String ID: 4060314879-0
Opcode ID: 4afa7f34cd9e26f79f4dbc3299f72e9d4baef5c441eb6fb6f37cd78b21d0f8d7
Instruction ID: b4f8c5d98d635944fbe9da51d1b6c81cf54a11312d51236ba4f14db0cfdf5503
Opcode Fuzzy Hash: 4afa7f34cd9e26f79f4dbc3299f72e9d4baef5c441eb6fb6f37cd78b21d0f8d7
Instruction Fuzzy Hash: DB418522B08E5182EA12AF66A5441B996A1FF49FF8F840531DF5D177D1EE3CE49F8310

Function 00007FF7197D9BC0 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 111stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197ADBE0: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197ADC24

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D9CDD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D9D35
memcpy.VCRUNTIME140 ref: 00007FF7197D9D5A

Strings

Session:, xrefs: 00007FF7197D9C4E
: %ld, xrefs: 00007FF7197D9C01
Got a blank Session ID, xrefs: 00007FF7197D9C87
Unable to read the CSeq header: [%s], xrefs: 00007FF7197D9C32
Got RTSP Session ID Line [%s], but wanted ID [%s], xrefs: 00007FF7197D9CEE
CSeq:, xrefs: 00007FF7197D9BDD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: __stdio_common_vsscanfmallocmemcpystrncmp
String ID: : %ld$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Unable to read the CSeq header: [%s]
API String ID: 1392894463-1168109407
Opcode ID: 32cb8aa95daa1064cf183b66ff02640f4bcef308a2ac88c228e8176922a25966
Instruction ID: 25c465fe5c8122777f43d062cdb37b127618074e3c936f3d4bfb1a24d8e226e2
Opcode Fuzzy Hash: 32cb8aa95daa1064cf183b66ff02640f4bcef308a2ac88c228e8176922a25966
Instruction Fuzzy Hash: F741A771A09E8285FA50AF2594402B9E7F1AF49BE8FC84531DA5D572C5EF2CE50EC330

Function 00007FF7197DFFA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197DFFE7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E004B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E017F

Part of subcall function 00007FF7197A2010: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A203E

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E007E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E01BD

Strings

%s?%s, xrefs: 00007FF7197DFFD9
Failed sending Gopher request, xrefs: 00007FF7197E0185

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: %s?%s$Failed sending Gopher request
API String ID: 111713529-132698833
Opcode ID: b5e8de33f13dda6d60085bd712c1e23513799ab72515e7ff86022098712bd6ed
Instruction ID: ab94a0f5ca80cf90a9341952b49ec01bd4fb21e497d86073c782be4ede97e17f
Opcode Fuzzy Hash: b5e8de33f13dda6d60085bd712c1e23513799ab72515e7ff86022098712bd6ed
Instruction Fuzzy Hash: 09519621B0DE4286E651AF25A8141AAE3B0AF8DBF8F840231DE6E577D5DE3CD54F8710

Function 00007FF7197D8C70 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7197D8CA6
_open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7197D8CFB
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7197D8D6C
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7197D8D79
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7197D8E8B

Strings

Can't get the size of %s, xrefs: 00007FF7197D8D82
Can't open %s for writing, xrefs: 00007FF7197D8D0B

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _close$_fstat64_openstrchr
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 423814720-3544860555
Opcode ID: f5dd3d097861bcb5e91f21d1f6e260dd3d46c1d75a931296157783224ca03b39
Instruction ID: 3c9977ff8e30392a264a2b54cfd2142fe251815399ce44f9421c9f3a8ef9b990
Opcode Fuzzy Hash: f5dd3d097861bcb5e91f21d1f6e260dd3d46c1d75a931296157783224ca03b39
Instruction Fuzzy Hash: 28516361708E4282EA14AF2594402F9A3F1BF9CBE8F844435DA5E57395EF3CE40F8711

Function 00007FF7197E0EE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7197E0EF0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdupstrtol
String ID: %%%02x
API String ID: 2999891020-4020994737
Opcode ID: cf76301357e9a89500bd231cfbad3bd141f6d0a8f25058811b9f58142cc1c263
Instruction ID: 9ba89d3bc7a0de0f8ce95527447453c3fd3c5b3c9a839712263eb06f65fc19f7
Opcode Fuzzy Hash: cf76301357e9a89500bd231cfbad3bd141f6d0a8f25058811b9f58142cc1c263
Instruction Fuzzy Hash: E551B711E0DAC145FB62AF1174153B9AAA1AF4ABE8F880171DA9E167C1DE3DE54FC320

Function 00007FF7197E0EB6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0EC3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$_strdup
String ID: %%%02x
API String ID: 1496848336-4020994737
Opcode ID: 3c1b8dcdea6f64c2fc1cbae04e36418582f402feb9f9cffc67aa4e9888169843
Instruction ID: 15e9b83b60ec14c7684455b60d579bdc57c8d88b775893643608464ae4059481
Opcode Fuzzy Hash: 3c1b8dcdea6f64c2fc1cbae04e36418582f402feb9f9cffc67aa4e9888169843
Instruction Fuzzy Hash: F641C711E0DAC245FB62AF1174153B9ABA1AF497F8F880171DA8E167C1DE3DE54F8320

Function 00007FF7197E8ADE Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E8AE1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Part of subcall function 00007FF7197B3300: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B3352

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 111713529-517259162
Opcode ID: dff4bc487c394e45db7e62952345c91d0b2d70ceded360e19f8a1a6053f1f4d7
Instruction ID: 735bbdca6d0ed71fbf46c4726b0d52cc5600142cca1a431fded34a6ff0cf3fcb
Opcode Fuzzy Hash: dff4bc487c394e45db7e62952345c91d0b2d70ceded360e19f8a1a6053f1f4d7
Instruction Fuzzy Hash: 18319E55B09F8248EB04BF6594101F9A7B1AF4D7ECF880435DE0E2B756EE3CA54E8321

Function 00007FF7197E8BCD Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 165COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7197E8CF1
GMT, xrefs: 00007FF7197E8C7E
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Serial Number$Signature Algorithm
API String ID: 1294909896-599393795
Opcode ID: 7b6e06541063b9514d198dceaa034673a329d857379d0c9e23e07ff4b8319424
Instruction ID: d9ba1a6f78a081fce9ecf13be4c4ec8de1f11584f5292ced3d94a7a3502199c9
Opcode Fuzzy Hash: 7b6e06541063b9514d198dceaa034673a329d857379d0c9e23e07ff4b8319424
Instruction Fuzzy Hash: B561D061B09E8244EB50AF2495041F9EBB1BF0A7E8FC84436DA4D27B94DE3CE54EC321

Function 00007FF7197E9EC5 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E9F08
memcpy.VCRUNTIME140 ref: 00007FF7197E9F2E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA002
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Strings

Signature, xrefs: 00007FF7197EA03F
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$memcpy
String ID: Signature: %s$Signature
API String ID: 901724546-1663925961
Opcode ID: caed441ec9b239e4de89a2cf525abb4a4089d8269db949938733dfa7816769dd
Instruction ID: 0aee728daa171aef8d8610e5b2109b64bf62aaff1ccef3e0cd9c430c7315f498
Opcode Fuzzy Hash: caed441ec9b239e4de89a2cf525abb4a4089d8269db949938733dfa7816769dd
Instruction Fuzzy Hash: 47511422B09E8245EF18AE1590143B9A7B1EF49BF8F840135DA5F17B95EE3CE54F8320

Function 00007FF7197A6C80 Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7197A6D4C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A6D98
memcpy.VCRUNTIME140 ref: 00007FF7197A6DCA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A6DFC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A6E07
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A6E85
memcpy.VCRUNTIME140 ref: 00007FF7197A6EA8

Strings

mw1 chair, xrefs: 00007FF7197A6C85

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$freemalloc
String ID: mw1 chair
API String ID: 3313557100-2267673244
Opcode ID: 0e444acdc1fddeb2ef98b7c78bb87d813779746983a4e7921a9e8eadfa9a1b59
Instruction ID: 7a8017d91213c855d9e886165fee4cce2f6edb6432d2c2de0d1ebb7b8880d57e
Opcode Fuzzy Hash: 0e444acdc1fddeb2ef98b7c78bb87d813779746983a4e7921a9e8eadfa9a1b59
Instruction Fuzzy Hash: 4B612112D18FC586E7119F38D9012F9A330FBA978CF45A325EF8D16956EF68E2D98310

Function 00007FF71978E0B0 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF71978E1BA
memcpy.VCRUNTIME140 ref: 00007FF71978E1CA
memcpy.VCRUNTIME140 ref: 00007FF71978E1DA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978E20E
memcpy.VCRUNTIME140 ref: 00007FF71978E218
memcpy.VCRUNTIME140 ref: 00007FF71978E228
memcpy.VCRUNTIME140 ref: 00007FF71978E237
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71978E269

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 8d1d66176d33fe0a594d304f33f0b007853e0ea28bfef0c6bd4080b92891ba15
Instruction ID: 8022de7e57feb0292ffefd022214fd0e28f4266a80cee730d1b3b252648f11da
Opcode Fuzzy Hash: 8d1d66176d33fe0a594d304f33f0b007853e0ea28bfef0c6bd4080b92891ba15
Instruction Fuzzy Hash: 7041CE72B09E4680EE10BF16E4452A9E361BF09BE8F944631DE6D0B785DF3CE54E8310

Function 00007FF7197B1F60 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B1FA6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B1FD2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197B1FFE

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdup
String ID:
API String ID: 1169197092-0
Opcode ID: ed7beec92574d523255fe90d19800622871b48be5f6ac39d8234697a343c6577
Instruction ID: 2ff6ff146951a8ef21c603735498d0d56971adb6ec90e30cdcfd44b67add5158
Opcode Fuzzy Hash: ed7beec92574d523255fe90d19800622871b48be5f6ac39d8234697a343c6577
Instruction Fuzzy Hash: 9E515D2261BF8086EB95DF56B040128B7B4FF58B98B481135EF5E03B59EF28D5EAC710

Function 00007FF7197E8B07 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7197E8BB9
Serial Number: %s, xrefs: 00007FF7197E8EDC
GMT, xrefs: 00007FF7197E8B66

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Serial Number$Signature Algorithm
API String ID: 1294909896-3876350232
Opcode ID: 17f28427e4357b20144aa88d0823b1f09a84473b80f235364f0d61e3d4f345f4
Instruction ID: 6f4076e16c4fe984b1bdc47d2a85827ed2e7bc86a3e87be4710da5f193f8e06e
Opcode Fuzzy Hash: 17f28427e4357b20144aa88d0823b1f09a84473b80f235364f0d61e3d4f345f4
Instruction Fuzzy Hash: A5519D65A09F8284EB14AF6494501F9A7B1BF49BECFC80431DA4D2B695DF3CE94EC321

Function 00007FF719795510 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979552D
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979553B
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF719795543
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979554F
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF71979555B
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP140 ref: 00007FF719795598
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z.MSVCP140 ref: 00007FF7197955A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197955CC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?epptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@?setp@?$basic_streambuf@D00@_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3548242540-0
Opcode ID: b1965f67e021290d9fede6b30619341af37f4965bcddc91e04bb2a45d3e4482b
Instruction ID: 5bc330cc942420b2006f34ce33b05d0514ebbfe1cb3c6c1165297ce5f0cba785
Opcode Fuzzy Hash: b1965f67e021290d9fede6b30619341af37f4965bcddc91e04bb2a45d3e4482b
Instruction Fuzzy Hash: 41110321B19E5243EA14AF75A819338A271AF4DFF9F940130DA6E576E5EE3C944E8210

Function 00007FF7197CE9E0 Relevance: 11.3, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEAAC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEABA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEAC8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEAD6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEAE4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEAF2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEB00
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEB0E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CEB1C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 454ed39f5efddf81be590f5c1386d5301f818907a2144b19a4f1cf09594b13cf
Instruction ID: 31bb34726fcb722fcf520ab04bceacd95f1c5689cf8430a99e66669450e547ce
Opcode Fuzzy Hash: 454ed39f5efddf81be590f5c1386d5301f818907a2144b19a4f1cf09594b13cf
Instruction Fuzzy Hash: E541FA26A18F43C6E761AF21944023DB7B4FF88BB8F844535DA4E53254CF38E99A8790

Function 00007FF7197AC930 Relevance: 11.3, APIs: 9, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9AA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9B4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9C8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9D2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9E6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9F0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AC9F9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1caf463e8bc9de7a94c6b13313498cda7f6ce1ab5cdc8f20cee183f3b868abfd
Instruction ID: c3e699a1116c5e1dd4d729d426043e0f16eee479be3bcfcebbf7ff2867490d7b
Opcode Fuzzy Hash: 1caf463e8bc9de7a94c6b13313498cda7f6ce1ab5cdc8f20cee183f3b868abfd
Instruction Fuzzy Hash: 7231D836A09E51C6E750AF12E944129A7B4FB88FE8F484031EE8D57B68CE3CD95B8750

Function 00007FF7197ACA50 Relevance: 11.3, APIs: 9, Instructions: 32COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACA69
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACA73
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACA7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACA87
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACA91
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACA9B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACAA5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACAAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ACAB8

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 47fc8a442dac342fb9b9df9c75e5d83f46145fb8fc92d1972bcfc51caf904a5a
Instruction ID: 4f3a52ce6c47e4d0333e3beb003cb15fbd38540154dfcebd947ffc51cbe95962
Opcode Fuzzy Hash: 47fc8a442dac342fb9b9df9c75e5d83f46145fb8fc92d1972bcfc51caf904a5a
Instruction Fuzzy Hash: E301792AB16E01C6DB44AF21ED54038A370EF8CFB9B441131DD4E83638CE2CD9AE8750

Function 00007FF7197E5E90 Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197AECC0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AECF6
Part of subcall function 00007FF7197AECC0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AED06
Part of subcall function 00007FF7197AECC0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AED14
Part of subcall function 00007FF7197AECC0: memset.VCRUNTIME140 ref: 00007FF7197AED4F

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E5F59
memcpy.VCRUNTIME140 ref: 00007FF7197E5F74
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E5F8E

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpymemset
String ID:
API String ID: 1579693990-0
Opcode ID: f762be633d9edb19ede4387fd90d51d802a5b45f3efeb1374245cd70dad51d13
Instruction ID: 424161b4ae224dd5bb32d742d8f09105eebed76f9570ed530904920b56ba41cf
Opcode Fuzzy Hash: f762be633d9edb19ede4387fd90d51d802a5b45f3efeb1374245cd70dad51d13
Instruction Fuzzy Hash: EC916D61B08F4246FE55BE26945437AA2A0AF49FE8F884435DE0D57786EF3CE41E8320

Function 00007FF7197A7460 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 217stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7197A7428), ref: 00007FF7197A7575
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7197A7428), ref: 00007FF7197A758F

Strings

Internal error removing splay node = %d, xrefs: 00007FF7197A7472
I32, xrefs: 00007FF7197A7565, 00007FF7197A75C5
I64, xrefs: 00007FF7197A7585, 00007FF7197A75EF

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strncmp
String ID: I32$I64$Internal error removing splay node = %d
API String ID: 1114863663-13178787
Opcode ID: 6adc963f91e20aa5404a4c28effe38bb647081ba7ab4554990913ed659e77b29
Instruction ID: f5f8647afedf1a57493fd98cf2949a5771149da6f26797effacf8f36ddb4a126
Opcode Fuzzy Hash: 6adc963f91e20aa5404a4c28effe38bb647081ba7ab4554990913ed659e77b29
Instruction Fuzzy Hash: 03A19332A18A4286E7219F14E45477DBBB4FB48BACF994135CA9E43255EF3CD20EC750

Function 00007FF7197CDF10 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CDFAE
memcpy.VCRUNTIME140 ref: 00007FF7197CE046
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197CE17C

Strings

select/poll on SSL socket, errno: %d, xrefs: 00007FF7197CE124
schannel: timed out sending data (bytes sent: %zd), xrefs: 00007FF7197CE144

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemcpy
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 3056473165-3891197721
Opcode ID: 656c5d837c1eef6f34eb7720f2b71371ee1db04f3e1e24156d0834031034f61b
Instruction ID: 228985f02fd87ea8ec20ca8cee205485084a6745cec8694d08aa878e5eaffe73
Opcode Fuzzy Hash: 656c5d837c1eef6f34eb7720f2b71371ee1db04f3e1e24156d0834031034f61b
Instruction Fuzzy Hash: A7715972B08A028AEB10DF65D8506ADB3B1AF48BBCF414635DE2D577D4EE38E41E8750

Function 00007FF7197B8980 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 165fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8AD0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8AEB
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C25
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C40

Strings

..., xrefs: 00007FF7197B8BA8
..., xrefs: 00007FF7197B8B92

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: fwrite
String ID: ...$...
API String ID: 3559309478-2253869979
Opcode ID: 3bb81341e0279ee0c41448f81f104d314a0583d887367d5672ca3e258ad2d616
Instruction ID: 07b5435b6f9849922a97b756f5dbc595a2249d41bc9699aeb8fbf9a324ae0f53
Opcode Fuzzy Hash: 3bb81341e0279ee0c41448f81f104d314a0583d887367d5672ca3e258ad2d616
Instruction Fuzzy Hash: 1571EE21A08E8185EB64EF21E4443FAA7B0FF98BA8F844131CA5E03694DF3DE15EC751

Function 00007FF7197C9B80 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00007FF7197AD7B7), ref: 00007FF7197C9B91
strchr.VCRUNTIME140(?,?,?,?,?,00007FF7197AD7B7), ref: 00007FF7197C9D33
strchr.VCRUNTIME140(?,?,?,?,?,00007FF7197AD7B7), ref: 00007FF7197C9D50

Strings

0123456789ABCDEF, xrefs: 00007FF7197C9D42, 00007FF7197C9D49
0123456789abcdef, xrefs: 00007FF7197C9D22, 00007FF7197C9D2C
TRUE, xrefs: 00007FF7197C9CBC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_errno
String ID: 0123456789ABCDEF$0123456789abcdef$TRUE
API String ID: 2644425738-1191287149
Opcode ID: 8103fd99ddb7e7022e7827c1e972a18de02d3e24e0de315afe8d9d6d5e56ee90
Instruction ID: 8513bd2d539b8b5fda531fc0790902688bfbcbc40544822359448431f4d061a5
Opcode Fuzzy Hash: 8103fd99ddb7e7022e7827c1e972a18de02d3e24e0de315afe8d9d6d5e56ee90
Instruction Fuzzy Hash: D451B522A2DA8781EAA1AF15944017AF2B0AF59BFCFE44031DA4E06755EE2CD54EC321

Function 00007FF7197AC23C Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC242
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC431

Strings

FALSE, xrefs: 00007FF7197AC40B
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF7197AC6D7
Added, xrefs: 00007FF7197AC6CD
Replaced, xrefs: 00007FF7197AC6C1

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 1169197092-2292467869
Opcode ID: f49be47f8c855f9c3cc320cb3889ef4a957f8451a0e5b7f6017c46c94148460a
Instruction ID: ea2a2def57dd58100ca813d35767c2db044edfc0a61bf50fb3fa2e5daa550043
Opcode Fuzzy Hash: f49be47f8c855f9c3cc320cb3889ef4a957f8451a0e5b7f6017c46c94148460a
Instruction Fuzzy Hash: E9615F61E08B8295FE71AF15D544379A7B4AF5CBE8F8C0036DA8D06791EF2CE44E8360

Function 00007FF7197AC3D9 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC3DC

Part of subcall function 00007FF7197C9970: strchr.VCRUNTIME140 ref: 00007FF7197C99A6

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC431

Strings

FALSE, xrefs: 00007FF7197AC40B
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF7197AC6D7
Added, xrefs: 00007FF7197AC6CD
Replaced, xrefs: 00007FF7197AC6C1

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$strchr
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 3404610657-2292467869
Opcode ID: 72c50b774de2dc0f3f0eac4ed1242e8a7b9fa46f8c411cca09fdf5befa4e93d8
Instruction ID: db45431353e0e0a344063c4eae24637d3dae07d90526404a84c94b2928c8071e
Opcode Fuzzy Hash: 72c50b774de2dc0f3f0eac4ed1242e8a7b9fa46f8c411cca09fdf5befa4e93d8
Instruction Fuzzy Hash: 9D613161E08B8295FF71AF15D544379A7B1AF58BE8F8C0035DA8D46791EF2CE44E8360

Function 00007FF7197D54B0 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 146stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF7197D5573

Strings

bytes, xrefs: 00007FF7197D5569
Maxdownload = %I64d, xrefs: 00007FF7197D560C, 00007FF7197D56AB
, xrefs: 00007FF7197D5517
RETR response: %03d, xrefs: 00007FF7197D5508
Data conn was not available immediately, xrefs: 00007FF7197D5667
Getting file with size: %I64d, xrefs: 00007FF7197D5625

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strstr
String ID: $ bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$RETR response: %03d
API String ID: 1392478783-2096918210
Opcode ID: 2f3984c8c42fe732cbca505ce1584099c41b274169359338c8557a425a3ad347
Instruction ID: 3169d2633459fd08f90ac1530b001f56db1fbf3637131773a95d8ac0601af542
Opcode Fuzzy Hash: 2f3984c8c42fe732cbca505ce1584099c41b274169359338c8557a425a3ad347
Instruction Fuzzy Hash: A051C962A08F4186EA15AF14A4442B9F3E2AF597F8FC40231DA6D066D9EF7CD48F8710

Function 00007FF7197E9D3B Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Strings

Signature, xrefs: 00007FF7197EA03F
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7197E9E5F
GMT, xrefs: 00007FF7197E9DEE
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Signature
API String ID: 2190258309-3231818857
Opcode ID: 463483374b140b9bf31e942be9f58a7d4740fb46218aba4546bc90d234dccca8
Instruction ID: 6a9e46d5fd2c475f3febffcbb87ca2d1e32abb2dfc128fe0c18b0b5f94edb13f
Opcode Fuzzy Hash: 463483374b140b9bf31e942be9f58a7d4740fb46218aba4546bc90d234dccca8
Instruction Fuzzy Hash: 13518E72A0CA9285EB65EF25A4041B9F7B4FF49BE8F840032DA4D53755DE3CD54E8320

Function 00007FF7197D5280 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 144networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF7197D5426

Part of subcall function 00007FF7197EC470: memcpy.VCRUNTIME140 ref: 00007FF7197EC518
Part of subcall function 00007FF7197EC470: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EC529

Strings

We got a 421 - timeout!, xrefs: 00007FF7197D5465
QUOT string not accepted: %s, xrefs: 00007FF7197D544F
*, xrefs: 00007FF7197D53F4
FTP response timeout, xrefs: 00007FF7197D5493
FTP response aborted due to select/poll error: %d, xrefs: 00007FF7197D5434

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastfreememcpy
String ID: *$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$We got a 421 - timeout!
API String ID: 1248052217-2335292235
Opcode ID: aed357a4e0f2b390cfa0538acc3c615b70f8ee389ee6a976163f2c24e555d357
Instruction ID: 616c2c12bd183b055042b26cf87e84dd2cc5efe4584d4e093c47f7c5cf12cef2
Opcode Fuzzy Hash: aed357a4e0f2b390cfa0538acc3c615b70f8ee389ee6a976163f2c24e555d357
Instruction Fuzzy Hash: 54518E61A0CE8286FB64AE2595047F993A0AF497ECF844135DE5D872C9EF6CE44F8321

Function 00007FF7197DE060 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

recvfrom.WS2_32 ref: 00007FF7197DE0C0
memcpy.VCRUNTIME140 ref: 00007FF7197DE0E6
memchr.VCRUNTIME140 ref: 00007FF7197DE1E3

Strings

Received too short packet, xrefs: 00007FF7197DE112
TFTP error: %s, xrefs: 00007FF7197DE200
Internal error: Unexpected packet, xrefs: 00007FF7197DE188

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memchrmemcpyrecvfrom
String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
API String ID: 3107918033-477593554
Opcode ID: a07882fc687146c6963024e51c5158e2cb6f8d6dea283c15ddc842985feaf8f1
Instruction ID: 35346540eecef8db20842235e9d29571f76678299d5c2d1231e292d76daf6d6c
Opcode Fuzzy Hash: a07882fc687146c6963024e51c5158e2cb6f8d6dea283c15ddc842985feaf8f1
Instruction Fuzzy Hash: 0E51B171A08D8286EB65AF2598503B9A3F0EF49BD8F844132DA5D87785DE3CF50EC720

Function 00007FF71978CA30 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978AB3B), ref: 00007FF71978CAC3
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978AB3B), ref: 00007FF71978CB16
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978AB3B), ref: 00007FF71978CB3F
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978AB3B), ref: 00007FF71978CB66
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978AB3B), ref: 00007FF71978CBAC
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978AB3B), ref: 00007FF71978CBB3
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978AB3B), ref: 00007FF71978CBC0

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: 73db44d97561db55e9e0a6d62b43c2a04491922c8efdaa8529ca0d72eaa14bfe
Instruction ID: fbef663d099daa2c2e4dea8304d6e2f12e99b43a491163c800bfb947a0e45d49
Opcode Fuzzy Hash: 73db44d97561db55e9e0a6d62b43c2a04491922c8efdaa8529ca0d72eaa14bfe
Instruction Fuzzy Hash: 9C510122A08E4182EB219F19E595238EB70EF89FE9F59C531CA5E437A0DF39D44F8210

Function 00007FF71978CC00 Relevance: 10.6, APIs: 7, Instructions: 130COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978ADB8), ref: 00007FF71978CC67
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978ADB8), ref: 00007FF71978CCD4
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978ADB8), ref: 00007FF71978CCFD
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978ADB8), ref: 00007FF71978CD2F
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978ADB8), ref: 00007FF71978CD73
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978ADB8), ref: 00007FF71978CD7A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,00000000,?,0000006E00000006,00000000,00007FF71978ADB8), ref: 00007FF71978CD87

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 2331969452-0
Opcode ID: 7ae8c2e24003126f51691325907733536fe10436c955a7932dce4058eeb9a11c
Instruction ID: bf51ef766b81d8e5e51c73b7f74ef4786a761e658a788f3e24d48b3edde89a36
Opcode Fuzzy Hash: 7ae8c2e24003126f51691325907733536fe10436c955a7932dce4058eeb9a11c
Instruction Fuzzy Hash: 4B515032A08E4182EB209F19E594239E7B0FF88FE9B558531CE5E577A0CF39D44E8750

Function 00007FF7197E2AA0 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,Negotiate,?,00007FF7197C6746), ref: 00007FF7197E2BFD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,Negotiate,?,00007FF7197C6746), ref: 00007FF7197E2C13
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E2C25

Strings

Negotiate, xrefs: 00007FF7197E2AA6, 00007FF7197E2B82
Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 00007FF7197E2B51
%sAuthorization: Negotiate %s, xrefs: 00007FF7197E2BDE
Proxy-, xrefs: 00007FF7197E2BCD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$Proxy-
API String ID: 1294909896-1255959952
Opcode ID: 7911d47d4fdfaeb91046c2be4e5d1cc1f970ec50b8a095c02327713cb0115608
Instruction ID: 8d08c43c99428ca7fe3cf41e83572395e439a176816c499f62e2015cc45e0883
Opcode Fuzzy Hash: 7911d47d4fdfaeb91046c2be4e5d1cc1f970ec50b8a095c02327713cb0115608
Instruction Fuzzy Hash: CA519362A08B4299FB51EF25D4802B9A7A1FF44BE8F844031DA4D57691EF3CE45FC360

Function 00007FF7197E0F37 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 92fb8d35e4be1840c2c10ae80b40b3318d35c6c8dd5972a6a2b472024f17441b
Instruction ID: a6fc76d3c6687d05372a470a81af791345e501194f74d6f568e7149cec8505c2
Opcode Fuzzy Hash: 92fb8d35e4be1840c2c10ae80b40b3318d35c6c8dd5972a6a2b472024f17441b
Instruction Fuzzy Hash: 7541C511A0DAD145EB62AF1174113B9AAA1BF4A7ECF880171DA8E167C1DE3DA54F8320

Function 00007FF7197E0F27 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 5e8b89378db1afc15765f4e33dfc0ec6000b8feb96ee99a63a86642d1fc8989a
Instruction ID: 5d73e7b4a65451f21ba708b6bf0cb4c5d65880197ed0fec5b8c841d4b1497c48
Opcode Fuzzy Hash: 5e8b89378db1afc15765f4e33dfc0ec6000b8feb96ee99a63a86642d1fc8989a
Instruction Fuzzy Hash: 4F41D501E0DAC244FB62AF1174153B9AAA1AF4A7F8F880171DA8E167C1DE3DA44F8320

Function 00007FF7197E0E9A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: d37de19f4e04ce048ac25d9317c3adc66ffd4d11e38d0e5d50f045b05afea38b
Instruction ID: fd55a3a8fc13552a46e8a32f6f2737867529dca7f7b6d5cdd52352036f718307
Opcode Fuzzy Hash: d37de19f4e04ce048ac25d9317c3adc66ffd4d11e38d0e5d50f045b05afea38b
Instruction Fuzzy Hash: 8B41D601E0DAD245FB62AF1174153B9AAA16F0A7F8F880171DA9E167C1DE3DA54F8320

Function 00007FF7197E0EA8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 9aea7ed47725927f7b795c864a4851fd38c6499a9223f255fb4fe82095f330ff
Instruction ID: 62763ce5b9082eb84ea11edcd215372bec2d11dc2d97b3b22bc226d51efd2378
Opcode Fuzzy Hash: 9aea7ed47725927f7b795c864a4851fd38c6499a9223f255fb4fe82095f330ff
Instruction Fuzzy Hash: 7E41D601E0DAD245FB62AF1174153B9AAA16F0A7F8F880171DA9E167C1DE3DA54F8320

Function 00007FF7197E0ED2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: bf9068647232c23270bb06824756632650ccea384f25d1b9994a83c676910035
Instruction ID: d438c7043e290f4e6689fd3080bcb2ceccfa439d436e90e8ac835e70257c310c
Opcode Fuzzy Hash: bf9068647232c23270bb06824756632650ccea384f25d1b9994a83c676910035
Instruction Fuzzy Hash: D441D701E0DAD244FB62AF1174153B9ABA16F4A7F8F880171DA9E167C1DE3DA44FC320

Function 00007FF7197E0E8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 240ef1b1f9facc9e65d5baa561c819f956be297c02644ee5a79b7c41297be8d0
Instruction ID: be4ba93c20f9ac498f6b9def7d460072e9d8acad3fe776a14106f210dd6de4a9
Opcode Fuzzy Hash: 240ef1b1f9facc9e65d5baa561c819f956be297c02644ee5a79b7c41297be8d0
Instruction Fuzzy Hash: A541D701E0DAD245FB62AF1174153B9ABA16F0A7F8F880171DA9E167C1DE3DE54F8320

Function 00007FF7197E0F5D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E0F9D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E0FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E10AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E119A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E11AB

Strings

%%%02x, xrefs: 00007FF7197E1053

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 28c38c2a337478f6eaa9afb4f0928c14d828c94ae3e90ada8e004c9695e32935
Instruction ID: a1b94cca3b81a325a50503cc05c0aa35040a8c4d2722c9dd060b407d35d5c312
Opcode Fuzzy Hash: 28c38c2a337478f6eaa9afb4f0928c14d828c94ae3e90ada8e004c9695e32935
Instruction Fuzzy Hash: 9D41C411E0DBD144FB62AF1174153B9ABA1AF4ABF8F880171DA9E167C1DE3DA44F8320

Function 00007FF7197DEBB0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197DEBC8
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197DED31

Strings

set timeouts for state %d; Total %ld, retry %d maxtry %d, xrefs: 00007FF7197DED0C
gfff, xrefs: 00007FF7197DECA8
Connection time-out, xrefs: 00007FF7197DEBEB
gfff, xrefs: 00007FF7197DEC3C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
API String ID: 1670930206-870032562
Opcode ID: b93b32ea752173c696f6b32425c6179706dd42c8cc666add30c7abec2cbc51ef
Instruction ID: 9631ecf7029b3c518f12ab2b9dc7c0ee6cb48e2d8147660e82157495a82c585a
Opcode Fuzzy Hash: b93b32ea752173c696f6b32425c6179706dd42c8cc666add30c7abec2cbc51ef
Instruction Fuzzy Hash: 7D41D176B24A1586DB24DF2AE000668A7B0FF9CFDCF905432DA0C87784EE39E54AC740

Function 00007FF7197C6210 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7197C62F6
strchr.VCRUNTIME140 ref: 00007FF7197C6309
strchr.VCRUNTIME140 ref: 00007FF7197C631B

Strings

Expect, xrefs: 00007FF7197C6277
Expect: 100-continue, xrefs: 00007FF7197C6378
100-continue, xrefs: 00007FF7197C6336
Expect:, xrefs: 00007FF7197C629E

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr
String ID: 100-continue$Expect$Expect:$Expect: 100-continue
API String ID: 2830005266-711804848
Opcode ID: 5e3be0d68d4a2175950e6ba9c090828c86d72cbc59a19f2a73c01601e4f7354c
Instruction ID: 4b0e41375e3663134da298a91a4bc303e450d850b7c6863ab4d99f4f41f1bea5
Opcode Fuzzy Hash: 5e3be0d68d4a2175950e6ba9c090828c86d72cbc59a19f2a73c01601e4f7354c
Instruction Fuzzy Hash: CA418621B2CE8785EA54AF1964501B9E7B09F497FCF885034DA4E47746EE1CF44F8B20

Function 00007FF7197E9C7E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Strings

Signature, xrefs: 00007FF7197EA03F
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7197E9D14
GMT, xrefs: 00007FF7197E9CD4
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Signature
API String ID: 2190258309-3662781045
Opcode ID: ab0d886c58c705babb3c2f495a4e6f11b6d721f0ce908f432582b2f546818fc3
Instruction ID: 97e7cc1996bafc170cc09a823c9fde0c209eeb746e547e5cfe0ca5a95e6ff511
Opcode Fuzzy Hash: ab0d886c58c705babb3c2f495a4e6f11b6d721f0ce908f432582b2f546818fc3
Instruction Fuzzy Hash: 61413026A08E8285EB54EF25A4401A9E7B1FF497E8F980432DA4D17765DE3CD54EC720

Function 00007FF7197E8A41 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
%s%lx, xrefs: 00007FF7197E8A96
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%s%lx$Serial Number$Signature Algorithm
API String ID: 1294909896-659367561
Opcode ID: bb31ab71e0d26586360e2024b33e7cbb9b52d9943c98938361c4390443f1005b
Instruction ID: 908c2938a8e6784f5126bae55adc36bd9e1abbc69532fcf91747a9b8e08ddfc7
Opcode Fuzzy Hash: bb31ab71e0d26586360e2024b33e7cbb9b52d9943c98938361c4390443f1005b
Instruction Fuzzy Hash: 4F417155B09A8248EB14BF6594141F9A7B1AF4DBECFC80431DE0E2B786DE3CA54E8321

Function 00007FF7197D1EC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D1EFD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D1F6E

Strings

., xrefs: 00007FF7197D1F67

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: .
API String ID: 1865132094-916926321
Opcode ID: 14c98bf93d53522ebcafbea39f0ef98a5e05c7352dbac540092c9aa5172eabc0
Instruction ID: cf16348ad707f12fcdb7cd487bf7a175f5b060ef3886b1fcd4286c0194bdd9b5
Opcode Fuzzy Hash: 14c98bf93d53522ebcafbea39f0ef98a5e05c7352dbac540092c9aa5172eabc0
Instruction Fuzzy Hash: 80417E22A09F8586E655AF11A840279A2F4FF49BE8F854031EA4E46650DF38E55FC7A0

Function 00007FF7197E8D4E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8D7F
memcpy.VCRUNTIME140 ref: 00007FF7197E8DAA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3401966785-517259162
Opcode ID: 1c12d0456bb279d48f7b13bf8f096ecd373137648bed811bb097c30b77ece786
Instruction ID: 1092a98169264be2325d2dad2ab804ed4b9474ed07ec18505826b982c67d9975
Opcode Fuzzy Hash: 1c12d0456bb279d48f7b13bf8f096ecd373137648bed811bb097c30b77ece786
Instruction Fuzzy Hash: 9141A165B08F8244EB14BF2594142F9A7B1BF59BECF880435DD0E2B755EE3CA54E8321

Function 00007FF7197A1E11 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1E72
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1E87
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1EA8
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1ED0
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1EDC
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP140 ref: 00007FF7197A1EEE
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF7197A1EF7

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@?egptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
String ID:
API String ID: 1210260451-0
Opcode ID: 098dc9a533f512a288c442b3a7c3cde5c3d9588c6d967cb12034ca7cd18e8c04
Instruction ID: df401597cfd88875aac8976df241b3f5be0974c043f255630f649a0a4cf5226a
Opcode Fuzzy Hash: 098dc9a533f512a288c442b3a7c3cde5c3d9588c6d967cb12034ca7cd18e8c04
Instruction Fuzzy Hash: F5312456A0CAC042E7016F35A19417CABB0AF69FE4BCC4470DBD947B96EE2CD48F8301

Function 00007FF7197E23A0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197CE1C0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B3579,?,?,?,?,00007FF7197B291B), ref: 00007FF7197CE1E8
Part of subcall function 00007FF7197CE1C0: GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF7197B3579,?,?,?,?,00007FF7197B291B), ref: 00007FF7197CE20E
Part of subcall function 00007FF7197CE1C0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B3579,?,?,?,?,00007FF7197B291B), ref: 00007FF7197CE22F
Part of subcall function 00007FF7197CE1C0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B3579,?,?,?,?,00007FF7197B291B), ref: 00007FF7197CE240

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E243F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E2488
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E2491

Strings

%s%s_netrc, xrefs: 00007FF7197E2454
%s%s.netrc, xrefs: 00007FF7197E23FF
HOME, xrefs: 00007FF7197E23D9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$realloc$EnvironmentVariable
String ID: %s%s.netrc$%s%s_netrc$HOME
API String ID: 4174189579-3384076093
Opcode ID: 88fc2429d984dbd1b98d541e6189830dc4416d1333af91ec037f3cdbf4a5c282
Instruction ID: 44ee8e1f9e2d8eead91c40ce711e772a9d1a9c05103b8d56fae16f92bb217449
Opcode Fuzzy Hash: 88fc2429d984dbd1b98d541e6189830dc4416d1333af91ec037f3cdbf4a5c282
Instruction Fuzzy Hash: E0316821A09F4286EA54EF16B800165E2B0BF8DBF8F940531ED4D57759DE3CE55F8710

Function 00007FF7197E9ECD Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E9F08
memcpy.VCRUNTIME140 ref: 00007FF7197E9F2E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Strings

Signature, xrefs: 00007FF7197EA03F
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$memcpy
String ID: Signature: %s$Signature
API String ID: 3519880569-1663925961
Opcode ID: 6fc690665e3c960f521598fd9cb65c7cbd4b7b7c7eae56d7b332e8ce4af7c09d
Instruction ID: 8eeb43aed52a3b3b7a4e1a09d644664d39612cd925d3b10d1e47b5281325ad35
Opcode Fuzzy Hash: 6fc690665e3c960f521598fd9cb65c7cbd4b7b7c7eae56d7b332e8ce4af7c09d
Instruction Fuzzy Hash: 8331B225B09F8285EE55EF16A4042B9A3B1BF89BF8F840531DE0D177A5EE3CE54E8310

Function 00007FF7197D09E6 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197ADBE0: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197ADC24

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D0A24
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D0A36

Strings

Mailbox UIDVALIDITY has changed, xrefs: 00007FF7197D0A6E
OK [UIDVALIDITY %19[0123456789]], xrefs: 00007FF7197D0A08
Select failed, xrefs: 00007FF7197D0AC8

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: __stdio_common_vsscanf_strdupfree
String ID: Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$Select failed
API String ID: 860312144-3309259123
Opcode ID: c0769d112c8980f0ba63fe22be37daa7c687dcefc037a702ecbe341ad1fbb48a
Instruction ID: 4570df543a813634316c4fb1affa017a851383a31515045a9042aa916cb0b6fb
Opcode Fuzzy Hash: c0769d112c8980f0ba63fe22be37daa7c687dcefc037a702ecbe341ad1fbb48a
Instruction Fuzzy Hash: 87314F26A09E4385EA51BF20944117DA3B0AF49BFCFD41432CA0D47255DF3DE55F83A1

Function 00007FF71978D150 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF71978C6C0), ref: 00007FF71978D17D
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF71978C6C0), ref: 00007FF71978D197
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF71978C6C0), ref: 00007FF71978D1C9
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF71978C6C0), ref: 00007FF71978D1F4
std::_Facet_Register.LIBCPMT ref: 00007FF71978D20D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF71978C6C0), ref: 00007FF71978D22C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71978D257

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: cd2bdddb0596ab37e0527cdad35a1f99652aad3cfd6ce1b4799fe4c260516971
Instruction ID: d81f9bf278bede0bd4b9f3165d14bea902328fe2c0d9269e94402c2e49c03bde
Opcode Fuzzy Hash: cd2bdddb0596ab37e0527cdad35a1f99652aad3cfd6ce1b4799fe4c260516971
Instruction Fuzzy Hash: AD311C22A08E4186EA14AF11E444169E370FF8CFE8F880631EA5D577A4DF3CE55EC710

Function 00007FF7197E8FD8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E900C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E94F9

Strings

FALSE, xrefs: 00007FF7197E9001
Start Date: %s, xrefs: 00007FF7197E94E7
TRUE, xrefs: 00007FF7197E8FFA
Start Date, xrefs: 00007FF7197E94CD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: Start Date: %s$FALSE$Start Date$TRUE
API String ID: 1865132094-176635895
Opcode ID: c27b45235923359540d0cdd1a3e729ebf80aec24c35f02631c5a53f0515d5fa0
Instruction ID: 2eb52d9159ff8ebd1096353d8a8be5a08cd5ac8abdb2c68881b7e07d83354983
Opcode Fuzzy Hash: c27b45235923359540d0cdd1a3e729ebf80aec24c35f02631c5a53f0515d5fa0
Instruction Fuzzy Hash: FF219D62B08AC285EB21AF15A4542FAA771BF4A7ECF880031CA4D17755DF3CE59EC321

Function 00007FF7197E9C55 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E9C58
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Part of subcall function 00007FF7197B3300: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B3352

Strings

Signature, xrefs: 00007FF7197EA03F
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: Signature: %s$Signature
API String ID: 1941130848-1663925961
Opcode ID: 8513038bd166b144c7c6de9462af77b3610b9ba8311f5d3a2c0567a3e7933561
Instruction ID: 3e18c21aee1cf8aafa73fefec7cdb02dc447fd1c37069f2684943fe2e67fa6b0
Opcode Fuzzy Hash: 8513038bd166b144c7c6de9462af77b3610b9ba8311f5d3a2c0567a3e7933561
Instruction Fuzzy Hash: 58215066B08F8286EB54AF15A4542AAA3B0FF897E8F840431DE4D17725EE3CD54FC710

Function 00007FF7197B2110 Relevance: 10.0, APIs: 8, Instructions: 33COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2121
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2131
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B213F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B214D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B215B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2169
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2177
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B2185

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 47e5e66416f6e86833811b1b48d9b8c6facdeb4214a28e40684f1d25e079749c
Instruction ID: 822ab5198293c78cc131275ab5fb14d1a9589e353f602671ba10c7a038de7588
Opcode Fuzzy Hash: 47e5e66416f6e86833811b1b48d9b8c6facdeb4214a28e40684f1d25e079749c
Instruction Fuzzy Hash: B001603AA09F01C6D744AF21E99413CB3B4FB8CFA97501125DE4E82728CF38D5AAC750

Function 00007FF7197C3990 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3A28
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3A31
memcpy.VCRUNTIME140 ref: 00007FF7197C3A4C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3BAC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3BB5

Strings

1.1, xrefs: 00007FF7197C399F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$memcpy
String ID: 1.1
API String ID: 4107583993-2150719395
Opcode ID: 60af61f91e59ca4e4c8fb60a03de03d5eb3d223a4cbae19e6d8d79e3442697c0
Instruction ID: e5a636135018b99b973bea0305f2e2892259297d24934b04b4d3cb44cb6f6dce
Opcode Fuzzy Hash: 60af61f91e59ca4e4c8fb60a03de03d5eb3d223a4cbae19e6d8d79e3442697c0
Instruction Fuzzy Hash: 77516E72618F8686D6659F22E4403AAA3B0FB48BE8F444031DE9E47754DF3CE16E8710

Function 00007FF719794E60 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF719794EEC
memcpy.VCRUNTIME140 ref: 00007FF719794F2F
memcpy.VCRUNTIME140 ref: 00007FF719794F47
memcpy.VCRUNTIME140 ref: 00007FF719794FC9
memcpy.VCRUNTIME140 ref: 00007FF719794FE3

Strings

mw1 chair, xrefs: 00007FF719794E60

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: mw1 chair
API String ID: 3510742995-2267673244
Opcode ID: 887072a94038dda60cac739dff8bf3d92874356afa2a20b2490d19fdac95f829
Instruction ID: 044fb78bb4e33dd7e6d9e5b0cfa50b1e0799146200988787cb4dc2bc5300765f
Opcode Fuzzy Hash: 887072a94038dda60cac739dff8bf3d92874356afa2a20b2490d19fdac95f829
Instruction Fuzzy Hash: 7641C232604F9192EB10AF29E504269A362FB19FE8F544631DF6D17795DF38E1DAC340

Function 00007FF7197E4210 Relevance: 9.1, APIs: 6, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,?,?,00007FF7197E37CF), ref: 00007FF7197E4256
strchr.VCRUNTIME140(00000000,?,?,00007FF7197E37CF), ref: 00007FF7197E4266
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00007FF7197E37CF), ref: 00007FF7197E4290
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E42C5
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E42EA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E430C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupstrchr$mallocstrncpy
String ID:
API String ID: 2121287944-0
Opcode ID: c055f92e1f15aea81c3b26e3b0f0f3e77bedbc71fc8cc29143d5940d84ca2064
Instruction ID: 5b461b58fe9e01cb6793fed8b3f6aecc5895186bd91154b5b69588aeef9d4813
Opcode Fuzzy Hash: c055f92e1f15aea81c3b26e3b0f0f3e77bedbc71fc8cc29143d5940d84ca2064
Instruction Fuzzy Hash: 65317721B09F418AEA55FF126550279B7B0AF4DBE4F884634DE5E17791EF3CE04A8710

Function 00007FF7197E8D0F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: 202b28cd6889865a983d6f628ccc58a140af8ab33d0ef0544c3ca3d4949ad514
Instruction ID: 038837bf2ecce8a61bebda7b0e72f5bdb75a643e9f2ee3ef88764d4acf589553
Opcode Fuzzy Hash: 202b28cd6889865a983d6f628ccc58a140af8ab33d0ef0544c3ca3d4949ad514
Instruction Fuzzy Hash: 00417F65B08B8248EB14BF6594141F9A7B1BF49BECF880435DE0E27795DE38E54E8321

Function 00007FF7197D19E1 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D1A66
memcpy.VCRUNTIME140 ref: 00007FF7197D1A81
strchr.VCRUNTIME140 ref: 00007FF7197D1A9D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D1AAE

Strings

Got unexpected pop3-server response, xrefs: 00007FF7197D1A01
CAPA, xrefs: 00007FF7197D1AC4

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: callocfreememcpystrchr
String ID: CAPA$Got unexpected pop3-server response
API String ID: 2887963327-1591402739
Opcode ID: ec5f52dcdbad0dc49807fad57b4c1495d81065116b4d0d22bd6cdc754149304d
Instruction ID: 0f638055b4abe28d4d8d180b2d497873e6d5fff4d842d04bd04dbb6bfc9986e0
Opcode Fuzzy Hash: ec5f52dcdbad0dc49807fad57b4c1495d81065116b4d0d22bd6cdc754149304d
Instruction Fuzzy Hash: 40319F65B09B8281FA1DAF11A0452B9A6F4BF497E8F840535CA2E133D1DF3CE46EC321

Function 00007FF7197E9BB0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Strings

Signature, xrefs: 00007FF7197EA03F
%s%lx, xrefs: 00007FF7197E9C0D
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%s%lx$Signature
API String ID: 2190258309-1406629954
Opcode ID: c4bcb139ca479e16397d9b76d97ff7c67916c63ff4a99b4fb65222f06c47e04a
Instruction ID: 0719c85e562ebfbc41f934b5c7c5af82205d1bb6dbee0453970dae60a14c8c73
Opcode Fuzzy Hash: c4bcb139ca479e16397d9b76d97ff7c67916c63ff4a99b4fb65222f06c47e04a
Instruction Fuzzy Hash: 5431A226B09E8285EB64AF25A4442B9A7B0FF49BECF840431DA4D57755EE3DE40E8720

Function 00007FF7197E8AB1 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: 817019609291619c52b7da555dfe91ea85f173e23d286e0574096de28b30c2b4
Instruction ID: ca28fcbff4c730a5b17993aebc4ccd3c95862b8e69fe6aa425aab38724885235
Opcode Fuzzy Hash: 817019609291619c52b7da555dfe91ea85f173e23d286e0574096de28b30c2b4
Instruction Fuzzy Hash: E7318D55B09F8244EB14BF6594101F9A7B1AF4DBECF880435DE0E2B796EE3CA54E8321

Function 00007FF7197D9D80 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D9D91
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D9DFD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D9E0F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupcallocfree
String ID:
API String ID: 1236595397-0
Opcode ID: 2a2af77d4e7b8a978fac17d3c678f712a50c9d7934e228e445caa259c7bde1bf
Instruction ID: f9fadaa46b38ba5614437ade3f8ffb15d89924ab10b48e625bb5e18ccc7bb05f
Opcode Fuzzy Hash: 2a2af77d4e7b8a978fac17d3c678f712a50c9d7934e228e445caa259c7bde1bf
Instruction Fuzzy Hash: A3319032A09E8582EB419F14E4503A9B7F1EF89B98FA80030DE4D47795EF3DD59E8720

Function 00007FF7197E8AEF Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197EA770: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA7BC

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Part of subcall function 00007FF7197B3300: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B3352

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3061335427-517259162
Opcode ID: 2e075935b3b11092963faec1eff85a83b69540f76d31e102e28012f47b0b9f08
Instruction ID: 8936d5a41ca931c614b1ddffc778f5e920c955479c3d400a86a6e7c3383182d4
Opcode Fuzzy Hash: 2e075935b3b11092963faec1eff85a83b69540f76d31e102e28012f47b0b9f08
Instruction Fuzzy Hash: 90315D55B09F8248EB14BF6594101F9A7B1AF497ECF880435DE0E2B756EE3CA54E8321

Function 00007FF7197E8AC9 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197EC280: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EC2B5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8EEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E8F93

Part of subcall function 00007FF7197B3300: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B3352

Strings

Signature Algorithm, xrefs: 00007FF7197E8F67
Serial Number, xrefs: 00007FF7197E8EC2
Signature Algorithm: %s, xrefs: 00007FF7197E8F81
Serial Number: %s, xrefs: 00007FF7197E8EDC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3061335427-517259162
Opcode ID: 133de6af75a53c72fa457d0f648588528f608e09a9007c1c6225ebac0986f126
Instruction ID: 057a8a8cbebc1fc018027e9d59791a23a007acb10532d73c6a4f8df3828386e9
Opcode Fuzzy Hash: 133de6af75a53c72fa457d0f648588528f608e09a9007c1c6225ebac0986f126
Instruction Fuzzy Hash: C9316B55B09F8248EB04BF6594101F9A7B1AF497ECF880435DE0E2B796EE3CA54E8321

Function 00007FF7197D7A13 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D7A2F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D7AAB

Strings

SITE NAMEFMT 1, xrefs: 00007FF7197D7A8C
OS/400, xrefs: 00007FF7197D7A79

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID: OS/400$SITE NAMEFMT 1
API String ID: 3061335427-2049154998
Opcode ID: 42ee40ad401ca76902203d257c29206fa0bef6c97fb5a22deb1a22658e4e961d
Instruction ID: edab95f0ee8244fa595dc7eba27fad375070a9d836dddbe1ca3e344fdb5b5979
Opcode Fuzzy Hash: 42ee40ad401ca76902203d257c29206fa0bef6c97fb5a22deb1a22658e4e961d
Instruction Fuzzy Hash: AF317062A09AC285F760AF25A4513B8E3B0AF8D7E8FD44031CA8D57755DE3CE64F8720

Function 00007FF71979E490 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979E6A2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979E6F1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979E730
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71979E77F

Strings

[json.exception., xrefs: 00007FF71979E552

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: [json.exception.
API String ID: 3668304517-791563284
Opcode ID: ebe7fc72045d5b8f1cfc3d6e0f9283bbab7822993c331b0c9b34373ed142483d
Instruction ID: 3b127d4b77dc9c016cfcc58f81af34d7d219f6613609820e079d8a24160068b6
Opcode Fuzzy Hash: ebe7fc72045d5b8f1cfc3d6e0f9283bbab7822993c331b0c9b34373ed142483d
Instruction Fuzzy Hash: 54918D62F18E4685FB04DF78D4053ACA371EF99BA8F904631DA6C12695EF78E18EC350

Function 00007FF7197AC25D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197C9970: strchr.VCRUNTIME140 ref: 00007FF7197C99A6

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197AC431

Strings

FALSE, xrefs: 00007FF7197AC40B
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF7197AC6D7
Added, xrefs: 00007FF7197AC6CD
Replaced, xrefs: 00007FF7197AC6C1

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupstrchr
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 3727083984-2292467869
Opcode ID: 3fb02eea091f81e3db2e34af5e737cf43fe4a3436e1a432cf7b9012c40b37308
Instruction ID: 6a51125bb701fd2f6803f39f4a771394f43e13a49cda05e68ff7c91e8231681d
Opcode Fuzzy Hash: 3fb02eea091f81e3db2e34af5e737cf43fe4a3436e1a432cf7b9012c40b37308
Instruction Fuzzy Hash: 68615061E08B8295FF71AF15D544379A7B5AF58BE8F8C0036DA8D06791EF2CE44E8360

Function 00007FF7197C4420 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C462D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197C4645

Strings

Forcing HTTP/1.1 for NTLM, xrefs: 00007FF7197C44E9
The requested URL returned error: %d, xrefs: 00007FF7197C45CE

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: Forcing HTTP/1.1 for NTLM$The requested URL returned error: %d
API String ID: 1865132094-1204028548
Opcode ID: 9fad2532ab848c8d53990e5781de57f025d867347be9e3b0f2db17eec2151417
Instruction ID: f022f870c7af7734c3729b638f7e16a20c6d96ff75d18a6687a1109d4727175d
Opcode Fuzzy Hash: 9fad2532ab848c8d53990e5781de57f025d867347be9e3b0f2db17eec2151417
Instruction Fuzzy Hash: 8D519471A18E8395FB64AE2490402B9B7B1EF49BFCF980035DA4D466D5CE2CF45E8331

Function 00007FF7197C11D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197C123A
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197C12AB
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197C130B

Strings

Hostname in DNS cache was stale, zapped, xrefs: 00007FF7197C1332
:%u, xrefs: 00007FF7197C124E, 00007FF7197C12B4

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: tolower$_time64
String ID: :%u$Hostname in DNS cache was stale, zapped
API String ID: 4068448496-2924501231
Opcode ID: be462bc681f294b846ec8b6f7bafb28f8b3c9e723aede0127f877f0f853eacff
Instruction ID: 27c623fa6036157311f6b56bcd142ae133fb3ad6100a278834749ee032b9663d
Opcode Fuzzy Hash: be462bc681f294b846ec8b6f7bafb28f8b3c9e723aede0127f877f0f853eacff
Instruction Fuzzy Hash: 4F418162618E8285EA21AF11E4507A9A774FF89BFCF844232DE5D47795DE2CE50FC320

Function 00007FF71978D020 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF71978D08D

Strings

mw1 chair, xrefs: 00007FF71978D020

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: mw1 chair
API String ID: 3510742995-2267673244
Opcode ID: 5ce03e0e51cd0d82179c633c46743d7f3b6b9d839c2c0a275ca7238250c9bd13
Instruction ID: 4d91eee24d523ebb19fe5a25ab17181daf5f37323c3d72173ba276af936e2016
Opcode Fuzzy Hash: 5ce03e0e51cd0d82179c633c46743d7f3b6b9d839c2c0a275ca7238250c9bd13
Instruction Fuzzy Hash: B131B022B15B8285FA15BF65B5413B8E1609F49BF8F640231DE2C077D5EE7C95CB8320

Function 00007FF7197D8AC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197A2010: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A203E

_open.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197D8B7F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D8BCB
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197D8BE2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D8BFB

Strings

Couldn't open file %s, xrefs: 00007FF7197D8BA9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_close_openmalloc
String ID: Couldn't open file %s
API String ID: 3412525164-447283422
Opcode ID: fd079b85187223a1e7896735e7694e13f078ca340770976b25a70d49167bffd7
Instruction ID: f38411d70389c029cbc6c9df94d8bddac348f374be4e938adf0aaabe1aa70b8a
Opcode Fuzzy Hash: fd079b85187223a1e7896735e7694e13f078ca340770976b25a70d49167bffd7
Instruction Fuzzy Hash: A4417161A08E8185EB149F25E8042BAE7F1FF49BE8F888131DA9D47694DF7CE44E8711

Function 00007FF7197B8D90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7197B8E0E

Part of subcall function 00007FF7197A2AD0: GetLastError.KERNEL32 ref: 00007FF7197A2AF2
Part of subcall function 00007FF7197A2AD0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197A2AFA

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B8E2C
recv.WS2_32 ref: 00007FF7197B8E57
WSAGetLastError.WS2_32 ref: 00007FF7197B8E69

Strings

Recv failure: %s, xrefs: 00007FF7197B8E95

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_errnofreememcpyrecv
String ID: Recv failure: %s
API String ID: 267823591-4276829032
Opcode ID: f2881a5ebb85d8107934ac4dab30561c607821c9b70506d701cc9b9afa656eb5
Instruction ID: 9aa69d4625ed3710ed9c70a0447614d1372a896cb062f82395257a5e080697d7
Opcode Fuzzy Hash: f2881a5ebb85d8107934ac4dab30561c607821c9b70506d701cc9b9afa656eb5
Instruction Fuzzy Hash: 0931AC72B05B4185EB20AF22E8842A9A3A0BB58FECF844135DE1E07784DE3CD56E8350

Function 00007FF7197BEA90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197BEB85
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BEBE4

Strings

REFUSED_STREAM, retrying a fresh connect, xrefs: 00007FF7197BEB1B
Connection died, retrying a fresh connect, xrefs: 00007FF7197BEB6F
Connection died, tried %d times before giving up, xrefs: 00007FF7197BEB48

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: Connection died, retrying a fresh connect$Connection died, tried %d times before giving up$REFUSED_STREAM, retrying a fresh connect
API String ID: 1865132094-195851662
Opcode ID: 41605b012d6dd3b6376cb0e83c02b400ff94753f3b61c37dc6fcf554858e740d
Instruction ID: 4d33b495c9325116156c01ebc0ec074fa11217134f4d376e35172dccd3395e5c
Opcode Fuzzy Hash: 41605b012d6dd3b6376cb0e83c02b400ff94753f3b61c37dc6fcf554858e740d
Instruction Fuzzy Hash: CB41C322B08E8281EB559F25E0543A9A7A0EF88BDCF484031DB4E47396DF3CE59EC750

Function 00007FF7197BBEE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BBF69
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197BBFFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BC027

Strings

identity, xrefs: 00007FF7197BBF23, 00007FF7197BBF93, 00007FF7197BBFF8
Unrecognized content encoding type. libcurl understands %s content encodings., xrefs: 00007FF7197BC015

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: Unrecognized content encoding type. libcurl understands %s content encodings.$identity
API String ID: 3985033223-1703240927
Opcode ID: 7e6651c2bb5565efb712aade9b4f841ef0da1f18a5a6eb31ccd53c7e723c7609
Instruction ID: 44589729b099067b110805389208b73b78cf8cb1c3919f43d44120ed8d88dda8
Opcode Fuzzy Hash: 7e6651c2bb5565efb712aade9b4f841ef0da1f18a5a6eb31ccd53c7e723c7609
Instruction Fuzzy Hash: BF418021E09E5685EB11AF15D440378A770EF58BF8F884231DE6E47794EE2CE51F8710

Function 00007FF7197D2E80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D2EBB
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D2F01
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D2F66

Strings

RCPT TO:<%s>, xrefs: 00007FF7197D2F4B
RCPT TO:<%s@%s>, xrefs: 00007FF7197D2F3D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreestrpbrk
String ID: RCPT TO:<%s>$RCPT TO:<%s@%s>
API String ID: 1812939018-579818044
Opcode ID: 6305e402a6e4e1e9a463381f710f6db912d5dfcb830bcf8b5c7718380814cc19
Instruction ID: 3c72abd47896dde6bfe38eb3181a3ac0cc1c26ffa6bc5e62747396f463650a75
Opcode Fuzzy Hash: 6305e402a6e4e1e9a463381f710f6db912d5dfcb830bcf8b5c7718380814cc19
Instruction Fuzzy Hash: 0A314F62A18F8181EB01EF15E4402B9E7A1EF99BE8F884231EA5E03795DF7CD54EC310

Function 00007FF7197AAEC8 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AB018
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AB05F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AB08A

Part of subcall function 00007FF7197A9DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A9E1E
Part of subcall function 00007FF7197A9DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A9E35

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AB0BF

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF7197AA406

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Resolving timed out after %I64d milliseconds
API String ID: 1294909896-3343404259
Opcode ID: 57ffa41478984245528955a39b0ac88fe16b075f418efc0be5853ba86c9022a2
Instruction ID: 3a262d8c106c22303d32ca56cfbad17d47685b1ec7052f74e76dfddec366f0ab
Opcode Fuzzy Hash: 57ffa41478984245528955a39b0ac88fe16b075f418efc0be5853ba86c9022a2
Instruction Fuzzy Hash: 49D19161A08A4285FB54AF2994443BDA3B1FF48FECF884432DE0E57695DF38E54E8360

Function 00007FF7197E62A0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197E6200: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6226
Part of subcall function 00007FF7197E6200: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6247
Part of subcall function 00007FF7197E6200: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6262
Part of subcall function 00007FF7197E6200: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6270
Part of subcall function 00007FF7197E6200: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6282

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6326

Strings

NTLM, xrefs: 00007FF7197E62DE, 00007FF7197E6390
HTTP, xrefs: 00007FF7197E62AA

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: HTTP$NTLM
API String ID: 2190258309-4188377180
Opcode ID: e1bf4c8166a8a75f28689fb73979db9686edb6aec639b8e6d768db82bce69aeb
Instruction ID: 1d71d26d45cd9e719de67bb375081a36cd3d4f4746852b6b012f576a55f0f22f
Opcode Fuzzy Hash: e1bf4c8166a8a75f28689fb73979db9686edb6aec639b8e6d768db82bce69aeb
Instruction Fuzzy Hash: 23612F32608F8586E760AF15E44466EB3B4FB88B98F944135DE8D53B58EF3CD45ACB10

Function 00007FF7197D3AEB Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D3BA0

Strings

Failure sending ABOR command: %s, xrefs: 00007FF7197D3CC1
Remembering we are in dir "%s", xrefs: 00007FF7197D3C38
control connection looks dead, xrefs: 00007FF7197D3D92
ABOR, xrefs: 00007FF7197D3C9B

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: ABOR$Failure sending ABOR command: %s$Remembering we are in dir "%s"$control connection looks dead
API String ID: 1294909896-1891748601
Opcode ID: db0bab37b2fd77417df0febdb6e61c96d5d80683ff20995e8f75c9cc5a29661c
Instruction ID: 4956778e39ddc3e813cdaae31f91e8e7c5b424a47dffb14147bbdbc152ffe647
Opcode Fuzzy Hash: db0bab37b2fd77417df0febdb6e61c96d5d80683ff20995e8f75c9cc5a29661c
Instruction Fuzzy Hash: 0651856190CE8245E664BF3590503B9A2B1AF597FCF840235DA6E076C2DF7DE54F8321

Function 00007FF7197BD950 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7197BD9F8
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BDA78
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BDB22

Strings

allocate connect buffer!, xrefs: 00007FF7197BDA9F
CONNECT phase completed!, xrefs: 00007FF7197BDB63

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: callocfreememset
String ID: CONNECT phase completed!$allocate connect buffer!
API String ID: 3505321882-591125384
Opcode ID: 03d6e6cf566f35901d91cb824c607f6b2c99800fcb04ac3beae7ac0d88ac1593
Instruction ID: 95e3338e84d885da47b3fdeada133a0b36aef0bac3aeecea2cf13881f6224c6a
Opcode Fuzzy Hash: 03d6e6cf566f35901d91cb824c607f6b2c99800fcb04ac3beae7ac0d88ac1593
Instruction Fuzzy Hash: 3E51A362A08E8296E714AF21D5543BAB3A4FF587DCF444035CB5D4B281DF78EA6EC311

Function 00007FF7197E91C3 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 125COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E94F9

Strings

Start Date: %s, xrefs: 00007FF7197E94E7
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7197E92F1
Start Date, xrefs: 00007FF7197E94CD
GMT, xrefs: 00007FF7197E927E

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Start Date: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Start Date
API String ID: 1294909896-619256714
Opcode ID: c2cc8a4e2921442434964406f6f80384de2b80e7e19b3ecb70c501f697a76c69
Instruction ID: 3b7b47782207074a3c99c3888d1c5f52f02391dcd9bf181ebdf4699a1585426d
Opcode Fuzzy Hash: c2cc8a4e2921442434964406f6f80384de2b80e7e19b3ecb70c501f697a76c69
Instruction Fuzzy Hash: 5651B072B0CA9245EF24AF1595041B9F7B9BF0A7E8FC84031DA4D26A54DE3CE55EC320

Function 00007FF71978D950 Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF71978DA45
memcpy.VCRUNTIME140 ref: 00007FF71978DA53
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978DA8C
memcpy.VCRUNTIME140 ref: 00007FF71978DAA4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71978DAD9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: eaef5b74a2b5aef34d803256b4b6bcee660f146c696fb202dc674434e1d08a92
Instruction ID: 0a3ddca9b1ad673c1a85d299453b9d34f5593f0cd8a490a912156b9b35903e92
Opcode Fuzzy Hash: eaef5b74a2b5aef34d803256b4b6bcee660f146c696fb202dc674434e1d08a92
Instruction Fuzzy Hash: E441B262B08E4191EE10BF16A406369E365FF48BE8F944631DE6D07B95DE7CD44E8321

Function 00007FF7197D0500 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197C9A20: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7197C9A41

memcpy.VCRUNTIME140 ref: 00007FF7197D0671
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D067F

Strings

Written %zu bytes, %I64u bytes are left for transfer, xrefs: 00007FF7197D063D
Failed to parse FETCH response., xrefs: 00007FF7197D055E
Found %I64d bytes to download, xrefs: 00007FF7197D05D2

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _errnofreememcpy
String ID: Failed to parse FETCH response.$Found %I64d bytes to download$Written %zu bytes, %I64u bytes are left for transfer
API String ID: 738009125-4268564757
Opcode ID: 3517baa6f819c332b961255ff01911a11ae2d3ff234f9926fbd770ff3261afff
Instruction ID: 965ceb9f0ac459f8a9543ae2f45519b5978b181bf5ec48808a9115f935c99df0
Opcode Fuzzy Hash: 3517baa6f819c332b961255ff01911a11ae2d3ff234f9926fbd770ff3261afff
Instruction Fuzzy Hash: 4E519262A0CE8682EA15AE25D4006EDE3B0FF897E8F844031DA9E17A55DF7CE15F8710

Function 00007FF7197E9100 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E94F9

Strings

Start Date: %s, xrefs: 00007FF7197E94E7
Start Date, xrefs: 00007FF7197E94CD
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7197E91AF
GMT, xrefs: 00007FF7197E915C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Start Date: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Start Date
API String ID: 1294909896-2752585153
Opcode ID: 552777525a44fbdf1f3d2193506851acc5bb04e93bc6d42e9093410d159f814e
Instruction ID: 21b8a897ed008ea66fe9cad1948e4ff3a6b04eed8d8e47ec02f0c72b8c44b675
Opcode Fuzzy Hash: 552777525a44fbdf1f3d2193506851acc5bb04e93bc6d42e9093410d159f814e
Instruction Fuzzy Hash: A5317E62A0CE8285EB20AF6194441F9E7B1BF09BECFC84031D64D2A255DF3CD65EC320

Function 00007FF71978B000 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF71978B03B
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF71978B05A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF71978B08C
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF71978B0A7
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF71978B0ED

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
String ID:
API String ID: 1830095303-0
Opcode ID: bfb136ae2ab69f61ef84cdff7f97bd1ab895b6aab3db558f3df58f414e52c596
Instruction ID: deb0892de21782f7d0e2bfaf61e5f44c2bd2cfe63f72705759c515f8e0c00758
Opcode Fuzzy Hash: bfb136ae2ab69f61ef84cdff7f97bd1ab895b6aab3db558f3df58f414e52c596
Instruction Fuzzy Hash: EC317632605B8286EB109F2AEA94329B7B0FB89FD9F448131CA5D53724DF38C16AC750

Function 00007FF7197E9E8E Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Strings

Signature, xrefs: 00007FF7197EA03F
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$Signature
API String ID: 2190258309-1663925961
Opcode ID: cba224acf09d27c61e77cd823e1b02bda2a9f6312e22c2ca3b22bf55de9e9ff6
Instruction ID: b0177326831097e9c45d45a51d1b1b7cf9deb28c2e63b200dbf323dcea25adce
Opcode Fuzzy Hash: cba224acf09d27c61e77cd823e1b02bda2a9f6312e22c2ca3b22bf55de9e9ff6
Instruction Fuzzy Hash: 3E21C226B08AC285EB14EF25A4442E9A7A0FF48BF8F880132DE5D53795EE3CD54AC710

Function 00007FF7197D4040 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D410B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D4124
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D4138

Strings

QUIT, xrefs: 00007FF7197D406F
Failure sending QUIT command: %s, xrefs: 00007FF7197D4093

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Failure sending QUIT command: %s$QUIT
API String ID: 1294909896-1162443993
Opcode ID: 1ca65809ba5d3ff0e0ffbc3f4e64941a58253cf71e040ad689861268439afa50
Instruction ID: 5129d429f411386c8898eefc4306cf2be05d5e9854b28c43c51aeaf865412bc4
Opcode Fuzzy Hash: 1ca65809ba5d3ff0e0ffbc3f4e64941a58253cf71e040ad689861268439afa50
Instruction Fuzzy Hash: 41314C36A08B8281EB50EF21D4442B9A7B4EF89FE8F884035DA5E47695DF38D05E8361

Function 00007FF7197CAE10 Relevance: 7.6, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B8030), ref: 00007FF7197CAE45
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B8030), ref: 00007FF7197CAE5A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B8030), ref: 00007FF7197CAE6F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B8030), ref: 00007FF7197CAE9C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B8030), ref: 00007FF7197CAEA5
memcpy.VCRUNTIME140(?,?,?,00007FF7197B8030), ref: 00007FF7197CAED9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$calloc$memcpy
String ID:
API String ID: 3478730034-0
Opcode ID: 111d6ed67368218d3dd675a749a234356278db575fe078b726617bf82643b03b
Instruction ID: b21cbfba763a834ffe3bd06154996c2c1c92ab5f39255d3838bcd7db4f3da187
Opcode Fuzzy Hash: 111d6ed67368218d3dd675a749a234356278db575fe078b726617bf82643b03b
Instruction Fuzzy Hash: 3921A161A18F8286E714EF55A810229B7B0FF4CBF8F844234DA5E5B794DF3CD45A8350

Function 00007FF7197D9EB0 Relevance: 7.6, APIs: 5, Instructions: 62stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D9EE1
strchr.VCRUNTIME140 ref: 00007FF7197D9F0D
strchr.VCRUNTIME140 ref: 00007FF7197D9F24
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197D9F43

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdupmalloc
String ID:
API String ID: 4236146995-0
Opcode ID: d5445c2f3e4fd82d7024e3c80f156bd967658c961cf783a108597ef3bd6f5d8b
Instruction ID: 2ac2d145f70bc2d9f2c81507cb04d3716c2e56c5bc3c89258dc4b76500c98aba
Opcode Fuzzy Hash: d5445c2f3e4fd82d7024e3c80f156bd967658c961cf783a108597ef3bd6f5d8b
Instruction Fuzzy Hash: AC215C72B16F8185EB81DF2194403A863E2EF89BA8F481134DE4D4B758EF29D59AC720

Function 00007FF7197E9C28 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Strings

Signature, xrefs: 00007FF7197EA03F
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$Signature
API String ID: 2190258309-1663925961
Opcode ID: 97c81e3377b7e5ffb2f5752948f8a23bdb01db794371187708127e8464dd9482
Instruction ID: cad60574b36ce6b4b2998c14de7f23d7ded5aa95069274e5cfa5c575a4b054c9
Opcode Fuzzy Hash: 97c81e3377b7e5ffb2f5752948f8a23bdb01db794371187708127e8464dd9482
Instruction Fuzzy Hash: 5C217F66B09E8285EB54AF25A4402EAA3B0FF887E8F840431DE4D17725EE3CD54F8710

Function 00007FF7197AE010 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7197AE163
LeaveCriticalSection.KERNEL32 ref: 00007FF7197AE177
CloseHandle.KERNEL32 ref: 00007FF7197AE184
closesocket.WS2_32 ref: 00007FF7197AE1C4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE1DD

Part of subcall function 00007FF7197CB020: WaitForSingleObjectEx.KERNEL32 ref: 00007FF7197CB038
Part of subcall function 00007FF7197CB020: CloseHandle.KERNELBASE ref: 00007FF7197CB048

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterLeaveObjectSingleWaitclosesocketfree
String ID:
API String ID: 768628753-0
Opcode ID: 3fba53d2dfbaa3a40788f2cb421903d592e2f32359e050d0e5d03964d6f97957
Instruction ID: d919f0e9ee877f323f2febf39f678b923a63be9469a9aa81f57a2498d3147820
Opcode Fuzzy Hash: 3fba53d2dfbaa3a40788f2cb421903d592e2f32359e050d0e5d03964d6f97957
Instruction Fuzzy Hash: DD213636A09A4186E724AF52E494269A370FF9DFA8F584030DF8D47741DF39E4AA8720

Function 00007FF7197E9C66 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197EA770: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA7BC

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Part of subcall function 00007FF7197B3300: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B3352

Strings

Signature, xrefs: 00007FF7197EA03F
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: malloc$free
String ID: Signature: %s$Signature
API String ID: 1480856625-1663925961
Opcode ID: 374f31f02c22e5b03c7cc77e96ec3c5654cb7060cf178e8f8d3fab42a0431982
Instruction ID: db2ed1f7b1c4707344a4d9f4c716648ce7748a77cba2dcc4c72d9610042f8ef3
Opcode Fuzzy Hash: 374f31f02c22e5b03c7cc77e96ec3c5654cb7060cf178e8f8d3fab42a0431982
Instruction Fuzzy Hash: D0213E66B08E8285EB54AF15A4542EAA3B0FF897E8F840432DE4D17725EE3DD54B8710

Function 00007FF7197E9C40 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197EC280: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EC2B5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA069
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EA0BC

Part of subcall function 00007FF7197B3300: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B3352

Strings

Signature, xrefs: 00007FF7197EA03F
Signature: %s, xrefs: 00007FF7197EA057

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: malloc$free
String ID: Signature: %s$Signature
API String ID: 1480856625-1663925961
Opcode ID: fb5eabcf671d18d99c030c68fee6fcb880a50d39f0ffce816dc708311095d2aa
Instruction ID: bf30be3b167955d1bfd613cb0d4f881c7b54e51b47651382e2675e9ba7cf2b71
Opcode Fuzzy Hash: fb5eabcf671d18d99c030c68fee6fcb880a50d39f0ffce816dc708311095d2aa
Instruction Fuzzy Hash: 0F216066B08E8285EB54AF25E4442EAA3B0FF887E8F840432DE4D17725EE3CD54E8710

Function 00007FF7197A3210 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7197A2B49), ref: 00007FF7197A34AF

Strings

Host not found, try again, xrefs: 00007FF7197A34A5
No data record of requested type, xrefs: 00007FF7197A3493
Unrecoverable error in call to nameserver, xrefs: 00007FF7197A349C
Host not found, xrefs: 00007FF7197A3478

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strncpy
String ID: Host not found$Host not found, try again$No data record of requested type$Unrecoverable error in call to nameserver
API String ID: 3301158039-3625861382
Opcode ID: ab1af6f3f5c9f8886410f58ef438b31858af9ea9bf8521fa188e47fdd6b36138
Instruction ID: a0cef06548d35ca1f0a0fbead4883844523adddc42644f09377198c29ad013cd
Opcode Fuzzy Hash: ab1af6f3f5c9f8886410f58ef438b31858af9ea9bf8521fa188e47fdd6b36138
Instruction Fuzzy Hash: A311A051E0CD4291EE5A6F28F5542789270AF0DBFCFCC5075D51E07665DD9CE98E8230

Function 00007FF7197C7A10 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 206COMMON

Download Yara Rule

APIs

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00007FF7197C7D62

Strings

** Resuming transfer from byte position %I64d, xrefs: 00007FF7197C7A98
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00007FF7197C7AAB
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 00007FF7197C7CF5

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: fflush
String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
API String ID: 497872470-664487449
Opcode ID: 15ac94929da7fc9ea2bba90fd063a65de8b59d0f1290994f5f9f8a1cb3057f6e
Instruction ID: fa9963bcdaa8e20457842b127008fed71fba042090b1699fb7af114dafbb04ff
Opcode Fuzzy Hash: 15ac94929da7fc9ea2bba90fd063a65de8b59d0f1290994f5f9f8a1cb3057f6e
Instruction Fuzzy Hash: 5B919162616B8785DA60EF05E544BAAE374FB88BE4F821032DE5D47B55FF38D04AD700

Function 00007FF71978F3A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,?,?,?,?,mw1 chair,00000000,?,?,?,?,00007FF71979DF28), ref: 00007FF71978F46C
memcmp.VCRUNTIME140(?,?,?,?,?,?,?,mw1 chair,00000000,?,?,?,?,00007FF71979DF28), ref: 00007FF71978F4E3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,mw1 chair,00000000), ref: 00007FF71978F5C9

Strings

mw1 chair, xrefs: 00007FF71978F3AC

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcmp$_invalid_parameter_noinfo_noreturn
String ID: mw1 chair
API String ID: 722167722-2267673244
Opcode ID: 46de5afb9243b64a451b49b7f12b4e6284b28dae7d34156707c287cc34a483a6
Instruction ID: 7419f05de27039c8b5cb7e6469237bacdd5509a88b8c4c44927737b4ae5f94cb
Opcode Fuzzy Hash: 46de5afb9243b64a451b49b7f12b4e6284b28dae7d34156707c287cc34a483a6
Instruction Fuzzy Hash: C871CE22A14A5185F700AF65D8052ACA775FF08BFCF984226DF6C27AC9DF78D48AC350

Function 00007FF719782480 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7197824F5

Part of subcall function 00007FF7197F1228: MultiByteToWideChar.KERNEL32 ref: 00007FF7197F1244
Part of subcall function 00007FF7197F1228: GetLastError.KERNEL32 ref: 00007FF7197F1252

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF719782591

Part of subcall function 00007FF71978D4B0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF719781080), ref: 00007FF71978D5B4

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978263B

Strings

Unknown exception, xrefs: 00007FF7197827F9

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$ByteCharErrorLastMultiWide_invalid_parameter_noinfo_noreturnmemcpy
String ID: Unknown exception
API String ID: 882635279-410509341
Opcode ID: 23801b010b4e29e05f5b21e541ec3f33ff8e4e3321ae88d7a3ac5a48fe529986
Instruction ID: 7c63b38953447f0e6484357245cc63745aa9317c06de2e796f78974ff2eb36a0
Opcode Fuzzy Hash: 23801b010b4e29e05f5b21e541ec3f33ff8e4e3321ae88d7a3ac5a48fe529986
Instruction Fuzzy Hash: 1B41DFA1B04B4182EB18AF66A41526CA2A1FF08FECF945036DE5D47754DF3CE48E8340

Function 00007FF7197DDAF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99networkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197DDB31
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7197DDB70
WSAGetLastError.WS2_32 ref: 00007FF7197DDBC8

Strings

TFTP response timeout, xrefs: 00007FF7197DDB8A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _time64$ErrorLast
String ID: TFTP response timeout
API String ID: 3339832089-3820788777
Opcode ID: b50717e9cad3141e678a7a394a05bbd1da01f748d4dc3e60a6d87f2bf4924b80
Instruction ID: eeee4e3fd1ee14008cdba33b7ecdf7cd04a4d8a2ee9b7a348936ca00e21ad295
Opcode Fuzzy Hash: b50717e9cad3141e678a7a394a05bbd1da01f748d4dc3e60a6d87f2bf4924b80
Instruction Fuzzy Hash: 40419231608E4285EB60AF25D8042A9A7B1EF8DBF8F944235DE2D477C5EE7CD40E8760

Function 00007FF7197C63B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197C5DE9), ref: 00007FF7197C643D

Strings

Failed to alloc memory for big header!, xrefs: 00007FF7197C6448
Rejected %zu bytes header (max is %d)!, xrefs: 00007FF7197C63DB

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: realloc
String ID: Failed to alloc memory for big header!$Rejected %zu bytes header (max is %d)!
API String ID: 471065373-1365219457
Opcode ID: 3beeb65683480199b1bedaf6b7b6ffd1ea085df5eb7a802a328a46056de9cca4
Instruction ID: a203ae2fb13c7a82d1f5b5538e1fc17dc48bc5a6d320ab977225a42453a1f921
Opcode Fuzzy Hash: 3beeb65683480199b1bedaf6b7b6ffd1ea085df5eb7a802a328a46056de9cca4
Instruction Fuzzy Hash: E7214D32718E8596EB04AF15E5802A9A371FB49BD8F444031EB5D07B59DF3CE5AAC340

Function 00007FF7197A4B43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A4BD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A4BEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A4C0B

Strings

:, xrefs: 00007FF7197A4BC6

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID: :
API String ID: 2653869212-336475711
Opcode ID: c45d2b5df72782fbe071d85433256f31729e5d9dc973456252a8fb31e586fa0f
Instruction ID: 1fce08cd559202ee8a96cd69835fbea9919c59a12fe0f78d239c1abeb9526539
Opcode Fuzzy Hash: c45d2b5df72782fbe071d85433256f31729e5d9dc973456252a8fb31e586fa0f
Instruction Fuzzy Hash: D4217126709F8585EB619F14A5403A9B3B0AF88FA8F884131DB9D43794EF3DD45E8720

Function 00007FF7197A4CC8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197A4BD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A4BEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A4C0B

Strings

:, xrefs: 00007FF7197A4BC6

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID: :
API String ID: 2653869212-336475711
Opcode ID: 29095b0568130ff19574d37664a1f083c32f4ce82a8c982ca180f3e9a7676f0e
Instruction ID: 864ace19af9b8b4d3bf6cbf90f0f31f673eaf75582d9ca4de79b9c075b3b6bad
Opcode Fuzzy Hash: 29095b0568130ff19574d37664a1f083c32f4ce82a8c982ca180f3e9a7676f0e
Instruction Fuzzy Hash: 97115026A09F8585EB659F14E540369B3B0AF48FB8F984131CB9D42294EF39D45E8724

Function 00007FF7197CFF90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00007FF7197CFFC3
LIST "%s" *, xrefs: 00007FF7197D0017

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %s%s$LIST "%s" *
API String ID: 0-1744359683
Opcode ID: 1af52120106a868a9372dbe0ca81eb65224baaacbdbe3db127230b2b1f3d1b57
Instruction ID: 0a8203b11349dc984bd66ee56853a44393602ebfb48b841b677197f8e6a5eb45
Opcode Fuzzy Hash: 1af52120106a868a9372dbe0ca81eb65224baaacbdbe3db127230b2b1f3d1b57
Instruction Fuzzy Hash: 59115C21B09A4281EB55AF55E5402B8A3B0EF4CBE8F885032EA0D47755DF2CE59FC360

Function 00007FF7197E90D1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197E90D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E94F9

Part of subcall function 00007FF7197B3300: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B3352

Strings

Start Date: %s, xrefs: 00007FF7197E94E7
Start Date, xrefs: 00007FF7197E94CD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: Start Date: %s$Start Date
API String ID: 3985033223-2389359183
Opcode ID: d2b1c00b909e20b890fb4e0062d983d5fb97e338349e4fc37108598f20f61b8a
Instruction ID: 0f164ee2ac7872eeeb752b04d5afdb3b96bf85835f0eb5c932d98ab578eecba3
Opcode Fuzzy Hash: d2b1c00b909e20b890fb4e0062d983d5fb97e338349e4fc37108598f20f61b8a
Instruction Fuzzy Hash: 3D019251B0CA8245EB15BF1154101F5A7B2AF4E7ECFC80431D90E17651EF3CA55EC321

Function 00007FF7197C4310 Relevance: 6.3, APIs: 5, Instructions: 82stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7197C4374
strchr.VCRUNTIME140 ref: 00007FF7197C4387
strchr.VCRUNTIME140 ref: 00007FF7197C4399
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C43CB
memcpy.VCRUNTIME140 ref: 00007FF7197C43F5

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: strchr$mallocmemcpy
String ID:
API String ID: 320687583-0
Opcode ID: 43d33f69d7b46d77ad51b196039b478be65aab803770c5cab441e8a8604720a2
Instruction ID: 13938c949d8ef688b8cca73fc262348003fbca79ee49cef36b2012ebffdccc34
Opcode Fuzzy Hash: 43d33f69d7b46d77ad51b196039b478be65aab803770c5cab441e8a8604720a2
Instruction Fuzzy Hash: 64219111A1DE9241EE55AF1161502B9E6E19F88FECF8C8171EE9D277C6EE1CE40F8220

Function 00007FF7197E6200 Relevance: 6.3, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6226
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6247
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6262
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6270
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E6282

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2b03602e1434e0c29793a06970333b697ab7929545fddd4927f1f9923a5339dc
Instruction ID: 1d55ea3b0a4c8a8d086b507beaee5ecd58048924606a3b45810d9fb0d2ab2161
Opcode Fuzzy Hash: 2b03602e1434e0c29793a06970333b697ab7929545fddd4927f1f9923a5339dc
Instruction Fuzzy Hash: 99117236A05E41C6DB44AF25E99412CB3B4FF88FA9B444136DA4E46768CF38D8AAC750

Function 00007FF7197AA9FB Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF7197AA406

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Resolving timed out after %I64d milliseconds
API String ID: 0-3343404259
Opcode ID: 958c1c72430a9759cd60c7a8016d4a664ab8b5720951585b51dc72d3751e759c
Instruction ID: 17f0ca0615b27188b359b664851ef703a1db4b65375a3d548123377dbcf2ed47
Opcode Fuzzy Hash: 958c1c72430a9759cd60c7a8016d4a664ab8b5720951585b51dc72d3751e759c
Instruction Fuzzy Hash: E5B18631A08A4285FB68BE29945527DA3B1EF49FECF9C4432C90E476D5DE39E44EC360

Function 00007FF719782B10 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF719782C21
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719782C4D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF719782D7B
__std_exception_copy.VCRUNTIME140 ref: 00007FF719782DBD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: ef30f342f18779cefc098feeeec0a8cf56bb7c21243c1b935969be8fd67687eb
Instruction ID: e3c210e07568021a128dc16eb6102ae33a2a0b72488696af3d926c0195ccadfa
Opcode Fuzzy Hash: ef30f342f18779cefc098feeeec0a8cf56bb7c21243c1b935969be8fd67687eb
Instruction Fuzzy Hash: E1814CB2A04E8191EB04AF29E48436CA375FF48BDCF944032D64D06A69EF79D89EC350

Function 00007FF7197BC180 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BC2A0
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BC2E6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BC348

Strings

chunked, xrefs: 00007FF7197BC1FE

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: calloc$free
String ID: chunked
API String ID: 171065143-1066005980
Opcode ID: 08834f5897146e599e02c0f443a288e628c1ae88f281425fd47e4f998475c843
Instruction ID: 3b577a9452a178ea6f8c8c74d6efc6dff2c680d4c7bfc4dd42780b28777508ba
Opcode Fuzzy Hash: 08834f5897146e599e02c0f443a288e628c1ae88f281425fd47e4f998475c843
Instruction Fuzzy Hash: CD519521E08E5645FA61AF1999103B9A2B1AF18BE8FCC8031DE5E57785DF2CE55F8320

Function 00007FF71978D4B0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF719781080), ref: 00007FF71978D5B4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF719781080), ref: 00007FF71978D604
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF719781080), ref: 00007FF71978D60E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71978D657

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: ef819783ac6dfb46507127db48b59a69ac1ddc65704f51fb471b12a656be0a33
Instruction ID: f36d00c9962bbf748d953ac67e493dd4bb5b089efa780a54dd680a62f93994bd
Opcode Fuzzy Hash: ef819783ac6dfb46507127db48b59a69ac1ddc65704f51fb471b12a656be0a33
Instruction Fuzzy Hash: F24179A1B04E4591EA14EF16A105169E2A1BF48BFCF944632DA7D17BD8EE3CE04EC310

Function 00007FF71978BB20 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d3acb32eebbc79a8bec8fd58dc6768f7c9206479ae4f4a2d70295e399ff8a4
Instruction ID: 863bce878dc439581178a034cc6ea248a07d35815a247324a050f1974e243c62
Opcode Fuzzy Hash: a2d3acb32eebbc79a8bec8fd58dc6768f7c9206479ae4f4a2d70295e399ff8a4
Instruction Fuzzy Hash: 2E514E32608E8185DB509F29E45536DF7B4FB88BE8F944136DA9D837A8EF28C44DC710

Function 00007FF71978EF20 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF71978EF50
memcpy.VCRUNTIME140 ref: 00007FF71978F012
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71978F065
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71978F072

Part of subcall function 00007FF7197F1420: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF71978DA00), ref: 00007FF7197F143A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 9ae1c0818c19189228e5ea369b6cef65982f92858fa4cc59376554a8a1e91e6b
Instruction ID: 132cd2f4e5f0e17385d064a16e77292d770686d951b6dda3e2cf33a2d0e9f1cf
Opcode Fuzzy Hash: 9ae1c0818c19189228e5ea369b6cef65982f92858fa4cc59376554a8a1e91e6b
Instruction Fuzzy Hash: 31310362B19E8688FA14BE15A505378D261AF09FFCF940531DA2D077C5DE3CE48F8360

Function 00007FF7197A6260 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FF7197A609F,?,?,00000010,00007FF7197A6B75), ref: 00007FF7197A6355
memset.VCRUNTIME140(?,?,?,?,?,?,?,00007FF7197A609F,?,?,00000010,00007FF7197A6B75), ref: 00007FF7197A635E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF7197A609F,?,?,00000010,00007FF7197A6B75), ref: 00007FF7197A6363
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF7197A609F,?,?,00000010,00007FF7197A6B75), ref: 00007FF7197A636F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 187659361-0
Opcode ID: 9dba31419a1e83dc60b0d81ee1b1de2dd0c47819ee3d89dbf19d3a9d81a6ed50
Instruction ID: 564a148e54da7ea7197b824225e50f20682fa40a4c79ef68d53f22b8220d9660
Opcode Fuzzy Hash: 9dba31419a1e83dc60b0d81ee1b1de2dd0c47819ee3d89dbf19d3a9d81a6ed50
Instruction Fuzzy Hash: 84415B36B09E4582DA04AF2AE44422DB7B0FB88FA8F598125DB6C03795CF3CD49AC750

Function 00007FF7197ECBE0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00007FF7197D02D0,?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?), ref: 00007FF7197ECC33
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197ECCBC

Strings

%s, xrefs: 00007FF7197ECC05

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %s
API String ID: 1294909896-3043279178
Opcode ID: 1b2b18801062c11d61c8b2f7972cf702da7d30a9b1e5781ad466eae7cb750bbb
Instruction ID: 0b43e23c6de41ae38560d3951633b5d81520163e8b786eb9c77d0e78dce4945b
Opcode Fuzzy Hash: 1b2b18801062c11d61c8b2f7972cf702da7d30a9b1e5781ad466eae7cb750bbb
Instruction Fuzzy Hash: C7416226A08B4582E651EF15A4401AAB3A0FB49BE8F484134DF8E47BA5DF38E19A8710

Function 00007FF71978D260 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,?,?,00007FF71978BE19,?,?,00000004,00007FF7197829A4), ref: 00007FF71978D33C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,00007FF71978BE19,?,?,00000004,00007FF7197829A4), ref: 00007FF71978D370
memcpy.VCRUNTIME140(?,?,00000000,?,?,00007FF71978BE19,?,?,00000004,00007FF7197829A4), ref: 00007FF71978D37A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71978D3A3

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 33cbdc669a6ecce8d7c4dfee12642a7b3cc1941b68a243084cfef76afc258c93
Instruction ID: b57eb14a97868eb93ee7e99d892b57df6f7822960039178a080587559f9b8b38
Opcode Fuzzy Hash: 33cbdc669a6ecce8d7c4dfee12642a7b3cc1941b68a243084cfef76afc258c93
Instruction Fuzzy Hash: 50319261B19E8195EE20BF16A1052ADE371AF09BF8F940631DA6D07BD5DE3CE14E8310

Function 00007FF71978CDC0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF71978CE54
memcpy.VCRUNTIME140 ref: 00007FF71978CE62
memcpy.VCRUNTIME140 ref: 00007FF71978CE78

Strings

MW1 , xrefs: 00007FF71978CE20, 00007FF71978CE8F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: MW1
API String ID: 3510742995-937612318
Opcode ID: bc41e70c7875e4183203e2348137900ed34a528d02077f6f12296afcae3cecad
Instruction ID: 8656350104dba4fe68c612b67254bd186786febf121b6fb457cf74acf83786b4
Opcode Fuzzy Hash: bc41e70c7875e4183203e2348137900ed34a528d02077f6f12296afcae3cecad
Instruction Fuzzy Hash: CB316022A08F81C1E710AF25E5452A9E371FB48BD8F984521DF8D17B55DF7CE2AAC350

Function 00007FF7197D827D Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D82B4

Part of subcall function 00007FF7197B8980: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C25
Part of subcall function 00007FF7197B8980: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7197B8C40

Strings

Wildcard - START of "%s", xrefs: 00007FF7197D82BD
%s%s, xrefs: 00007FF7197D8284
Wildcard - "%s" skipped by user, xrefs: 00007FF7197D831D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: fwrite$free
String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
API String ID: 3468156532-1133524294
Opcode ID: ed0a054de22cf63fc2d2c0b0eea7833e907fe3d26c57b9f4fe24df54473951fc
Instruction ID: dc4834b9c5e496c57dc20701292997a9d2e90f6fd8a1f1d5145ef791f5cb1989
Opcode Fuzzy Hash: ed0a054de22cf63fc2d2c0b0eea7833e907fe3d26c57b9f4fe24df54473951fc
Instruction Fuzzy Hash: CC411A36A08E41C5E710AF26D4441EDA3B0EF48BE8F894032DE5E5B395EE39D44E8721

Function 00007FF71978D3B0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF719781080), ref: 00007FF71978D3E8
memcpy.VCRUNTIME140(?,?,?,?,00007FF719781080), ref: 00007FF71978D488
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71978D4A6

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID:
API String ID: 326894585-0
Opcode ID: ad56ab1de2e68881b467226e3986e4b69e72f0cc5c4353fef94bbd3dec8be0f4
Instruction ID: 0aeda04b339676883528ecc9d0ff42bb59652e4ca6c1dffd4af3e3128e6cd14a
Opcode Fuzzy Hash: ad56ab1de2e68881b467226e3986e4b69e72f0cc5c4353fef94bbd3dec8be0f4
Instruction Fuzzy Hash: 8221B262A09F4685EA24BF52B5413B8D160AF097F8F980630DE6D077D6EE7CA58F8310

Function 00007FF7197B3300 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B3352
memcpy.VCRUNTIME140 ref: 00007FF7197B338D

Part of subcall function 00007FF7197A86F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A8705

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197B33C2

Part of subcall function 00007FF7197A8800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7197B2DF0), ref: 00007FF7197A8827
Part of subcall function 00007FF7197A8800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7197B2DF0), ref: 00007FF7197A8833

Strings

%s:, xrefs: 00007FF7197B336C

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$memcpy
String ID: %s:
API String ID: 901724546-64597662
Opcode ID: 5ad095337469a53f74b6dd5582fc58b64712b76ccb338d76d0a6d0b041f18508
Instruction ID: acfa73ea1c5c5491b03cc8d2fdc83f6645aae60a85a029ce93814232d460130d
Opcode Fuzzy Hash: 5ad095337469a53f74b6dd5582fc58b64712b76ccb338d76d0a6d0b041f18508
Instruction Fuzzy Hash: C6219122A09A8581DB00DF16E9401AAA3B4FF58FF8F880131EE5E47395DE38D54A8350

Function 00007FF7197E901A Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E94F9

Strings

Start Date: %s, xrefs: 00007FF7197E94E7
%s%lx, xrefs: 00007FF7197E9075
Start Date, xrefs: 00007FF7197E94CD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Start Date: %s$%s%lx$Start Date
API String ID: 1294909896-3519493645
Opcode ID: d982a141fe4fd32179e51179128d4bd32ed23819d210d5562c0bcf4d9157b856
Instruction ID: 5c428f3c01066795a2c461ec49815693aae69b7503e7a020224259f1fabe3e48
Opcode Fuzzy Hash: d982a141fe4fd32179e51179128d4bd32ed23819d210d5562c0bcf4d9157b856
Instruction Fuzzy Hash: 0721C962B08A8245EB25BF2184102F9A7B2AF0E7ECFC84431D90E1B645DE3DA54E8320

Function 00007FF7197E50A0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197E5E09,00000000,?,?,00007FF7197E53C6), ref: 00007FF7197E50C9
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197E5E09,00000000,?,?,00007FF7197E53C6), ref: 00007FF7197E5100
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197E5E09,00000000,?,?,00007FF7197E53C6), ref: 00007FF7197E5112
memcpy.VCRUNTIME140(?,?,?,00007FF7197E5E09,00000000,?,?,00007FF7197E53C6), ref: 00007FF7197E513A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemcpyrealloc
String ID:
API String ID: 3881842442-0
Opcode ID: 4083f11bae88e74ee7beb669290e3ba3f7922def87a3684652b932b1c3c7254e
Instruction ID: 531aaec3729b639570c0502b8e9d3689e12637f750ee4a86b8935a96a6a878b6
Opcode Fuzzy Hash: 4083f11bae88e74ee7beb669290e3ba3f7922def87a3684652b932b1c3c7254e
Instruction Fuzzy Hash: A4213B26A0AF85C2DB44DF16E450229A3A0EB48FD8B888031EE5E57759EF38D49A8710

Function 00007FF7197F1270 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7197F12B9
GetLastError.KERNEL32 ref: 00007FF7197F12C7
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF71978C805), ref: 00007FF7197F12FC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF71978C805), ref: 00007FF7197F130A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 2049468764637b44ca22309fe5bdd45d4d164cd133c058965f5059536a419a51
Instruction ID: e84478045054759022c61b2f809d83e825f55d3ad2fefc127586d3aee58e5a3b
Opcode Fuzzy Hash: 2049468764637b44ca22309fe5bdd45d4d164cd133c058965f5059536a419a51
Instruction Fuzzy Hash: FA211A72A18B8187E7109F11A44432EB6B4FB99BE8F540134DB9963B54DF38D44A8B10

Function 00007FF7197CE1C0 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B3579,?,?,?,?,00007FF7197B291B), ref: 00007FF7197CE1E8
GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF7197B3579,?,?,?,?,00007FF7197B291B), ref: 00007FF7197CE20E
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B3579,?,?,?,?,00007FF7197B291B), ref: 00007FF7197CE22F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197B3579,?,?,?,?,00007FF7197B291B), ref: 00007FF7197CE240

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: realloc$EnvironmentVariablefree
String ID:
API String ID: 2828309815-0
Opcode ID: 603f52401b7a4f94860c6ed5cd702b65138d4baa18c7164299371fc2fcd00788
Instruction ID: 94085b05221c9eb9940dd8fbfee2a34868d6aed10898890f9469fafdee86ceed
Opcode Fuzzy Hash: 603f52401b7a4f94860c6ed5cd702b65138d4baa18c7164299371fc2fcd00788
Instruction Fuzzy Hash: 45118F21B1EF4286EA65AF12658033AE1B5EF4CBE4F880534DD4D43B54DE2CE84A8710

Function 00007FF7197EF290 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7197EF2CD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EF2DD
WideCharToMultiByte.KERNEL32 ref: 00007FF7197EF30C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EF319

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 6856295598706f4aa715c36a2d27931428d5fbedd846ce095c910ddb88d20117
Instruction ID: f1fb206405a20d12f99a572e51b9e1c93ba91bf65908949f025b843540654376
Opcode Fuzzy Hash: 6856295598706f4aa715c36a2d27931428d5fbedd846ce095c910ddb88d20117
Instruction Fuzzy Hash: 1E115B35B09B418AE710AF62B80412DB7B0EF88FE4B884038DB8D53B14DF38E55A8750

Function 00007FF7197C3BE0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3C3A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3C5A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197C3C63

Strings

Proxy-Connection: Keep-Alive, xrefs: 00007FF7197C3BF0

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Proxy-Connection: Keep-Alive
API String ID: 1294909896-2835282938
Opcode ID: a789077352957d17ab479c7fa7dd41f6bc0439dcd38ff40c2d6f07100b50b540
Instruction ID: a9375da1c4593adbbfc626f55ed078817efc6cba525b4421a6f9c222d12a3a8d
Opcode Fuzzy Hash: a789077352957d17ab479c7fa7dd41f6bc0439dcd38ff40c2d6f07100b50b540
Instruction Fuzzy Hash: 7F016162F05A4182FB156F55B8403A9A2A09F48BF5F444230DE6D067D4DF2C999E8750

Function 00007FF7197EF4C0 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197EF4E6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197EF4F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EF526

Part of subcall function 00007FF7197EF550: strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7197EF510), ref: 00007FF7197EF5BF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197EF51D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree$strchr
String ID:
API String ID: 1739957132-0
Opcode ID: 8c331c07166a5d943bd5d990b51ea78ce36a87ccf8930224460ce54822e5a6f6
Instruction ID: e0ecaf4ad12b6a269be5d85bb71585c9aad58ada487ed17793245bf153aca46d
Opcode Fuzzy Hash: 8c331c07166a5d943bd5d990b51ea78ce36a87ccf8930224460ce54822e5a6f6
Instruction Fuzzy Hash: 34014061B0EB8146FF99AF1A755413892B09F5CBE8B880074E94E96B58DE2CD89F8710

Function 00007FF7197AE1F0 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FF7197AE201
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE20A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AE214
closesocket.WS2_32 ref: 00007FF7197AE232

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalDeleteSectionclosesocket
String ID:
API String ID: 3086658127-0
Opcode ID: 6a3ebfb7eec6cce9feb8e27136b24de4a838a3b93fc4c870f4a2ff287389644f
Instruction ID: ed33f45c34b3549436f4311afca2ba4992d3fb31a782605a5ade699a319c933d
Opcode Fuzzy Hash: 6a3ebfb7eec6cce9feb8e27136b24de4a838a3b93fc4c870f4a2ff287389644f
Instruction Fuzzy Hash: A7015212E19E8283EB04EF31D8201786370FFEDF7CB456331DD6D011A5AF68A1D98210

Function 00007FF7197E3130 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7197B9586), ref: 00007FF7197E3144

Strings

%lx, xrefs: 00007FF7197E342A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _errno
String ID: %lx
API String ID: 2918714741-1448181948
Opcode ID: bcb3027899a3bd5b43b06c100c216ad3aab05f43c4f3940e8de3b1d6ed88832c
Instruction ID: 0f7f7fdacb6b9950b1c276b51cc1f2e9f3e44260cdae5fd261ebab7479229a66
Opcode Fuzzy Hash: bcb3027899a3bd5b43b06c100c216ad3aab05f43c4f3940e8de3b1d6ed88832c
Instruction Fuzzy Hash: B4814E22A0C5D285EB659E25945063DFBF0FF897E8F544239E69E622C0DE3CD44EC710

Function 00007FF7197CEF90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF7197CE973), ref: 00007FF7197CF062
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF7197CE973), ref: 00007FF7197CF0B3

Strings

(){ %*], xrefs: 00007FF7197CEFAD

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupmalloc
String ID: (){ %*]
API String ID: 3515966317-731572209
Opcode ID: 8f7694c9cd0a0ee4e450a6bbd6317877bd449a36409b03c2b89570ff87c8727f
Instruction ID: 0a6f6808944d849f673733a4f1308f45f2d03a867be913c928eff285abb87493
Opcode Fuzzy Hash: 8f7694c9cd0a0ee4e450a6bbd6317877bd449a36409b03c2b89570ff87c8727f
Instruction Fuzzy Hash: 4F31161291DE8744FB626F116040375ABE1AF5ABFCFD44131DA8E033C6CE2DA98F8221

Function 00007FF7197BC050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197BC0C9
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7197BC162

Strings

identity, xrefs: 00007FF7197BC084, 00007FF7197BC0F3, 00007FF7197BC15B

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: _strdupmalloc
String ID: identity
API String ID: 3515966317-1788209604
Opcode ID: feb86175fef0f71ebeacd7b899c94d9fd6ae3fb3f794f5a5b662746285d29ca7
Instruction ID: d3a08136fdb72cceeb286204bde92802c10c551952ac0c005ba2a3ed4cb8efcf
Opcode Fuzzy Hash: feb86175fef0f71ebeacd7b899c94d9fd6ae3fb3f794f5a5b662746285d29ca7
Instruction Fuzzy Hash: FF318361E09E9681EB119F19D940375A7B0EF58BFCF888231CE2E17795EE2CD51E8310

Function 00007FF7197A7170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A7190
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197A71EB

Strings

, xrefs: 00007FF7197A71A3

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: mallocrealloc
String ID:
API String ID: 948496778-3916222277
Opcode ID: a64c936502f876d28fb7be1aba1d87b64db1183e85868f469c01bb970dc8107f
Instruction ID: f8bdb5793011da36e37b2dd6274b272a8424fbea87ca2e3d341d31483d8fc3e6
Opcode Fuzzy Hash: a64c936502f876d28fb7be1aba1d87b64db1183e85868f469c01bb970dc8107f
Instruction Fuzzy Hash: D6119372A0AF8181DB459F15E550229B3B1FB4CFE8F884135EA5E47798EF38D89AC350

Function 00007FF7197BA020 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FF7197BA09F
setsockopt.WS2_32 ref: 00007FF7197BA0CE

Strings

@, xrefs: 00007FF7197BA02F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: getsockoptsetsockopt
String ID: @
API String ID: 194641219-2726393805
Opcode ID: 69e0e99b5c37d9449c9aefcc0651eb50d32ebac4eec04080a766398f068a9fa9
Instruction ID: 1c3e865cfb0ea7d8029f6293c0683da6bcbaabd25b0a6c9d52cd2131b0badcca
Opcode Fuzzy Hash: 69e0e99b5c37d9449c9aefcc0651eb50d32ebac4eec04080a766398f068a9fa9
Instruction Fuzzy Hash: EB11637160854286F720AF50E405275F7B0EF99799F940030EA5D06694DB7DD55ECB10

Function 00007FF7197A7100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,mw1 chair,00007FF7197A221B), ref: 00007FF7197A7115
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,mw1 chair,00007FF7197A221B), ref: 00007FF7197A712B

Strings

mw1 chair, xrefs: 00007FF7197A710A

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: freerealloc
String ID: mw1 chair
API String ID: 786099813-2267673244
Opcode ID: def7c55abe833da2d1690067e4f316c47b7efd82955140958593ec220db22e25
Instruction ID: dff2a8660f14ed42a8acbd01bbcb865c9b58d27d44b9be88bcbf8a4fc9095add
Opcode Fuzzy Hash: def7c55abe833da2d1690067e4f316c47b7efd82955140958593ec220db22e25
Instruction Fuzzy Hash: E4E01211B1AB8181EE559F02B904025D2B0AF5CFE4F4C4070EE4D07B14DE2CD49B8710

Function 00007FF7197EF1E0 Relevance: 5.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7197E2318), ref: 00007FF7197EF211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF7197E2318), ref: 00007FF7197EF224
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7197E2318), ref: 00007FF7197EF24B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF7197E2318), ref: 00007FF7197EF258

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: d0f1642345a1695d252b89921160b6acbb798d8fdb281f30b466b378d28530ab
Instruction ID: aeb1bb20f9fe5b860ea72d36cbc7535ed392f2fa08c582bda65327567e59b5d6
Opcode Fuzzy Hash: d0f1642345a1695d252b89921160b6acbb798d8fdb281f30b466b378d28530ab
Instruction Fuzzy Hash: 56117725B08B4182EB10DF56F84003AE6B4EF8CBE8B880535DB5C57BA4DF3CD54A8710

Function 00007FF7197AECC0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7197A8800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7197B2DF0), ref: 00007FF7197A8827
Part of subcall function 00007FF7197A8800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7197B2DF0), ref: 00007FF7197A8833

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AECF6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AED06
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197AED14
memset.VCRUNTIME140 ref: 00007FF7197AED4F

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 57cad7ea430cab819a1f346e04c4a5446da803304ae885c752c395315350f6f9
Instruction ID: 7048dac4d74e8a706ea47c9025616da71ad67a25365db551e35f592e6d64f878
Opcode Fuzzy Hash: 57cad7ea430cab819a1f346e04c4a5446da803304ae885c752c395315350f6f9
Instruction Fuzzy Hash: 1A210C32E14B9193E704DF22D6502A8A370FB99B54F559225EB9D43A51DF74F1FAC300

Function 00007FF7197ECD80 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197CED43), ref: 00007FF7197EFD16
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197CED43), ref: 00007FF7197EFD35
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197CED43), ref: 00007FF7197EFD4F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7197CED43), ref: 00007FF7197EFD5D

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0f232e06f22b44954997fabda13f018f6877ddd9f8c22ba8cc440ed84e9eb8b9
Instruction ID: d1c27a2e4455e32139918574e218d15919f992dbe9678063b3385d88f9bcd864
Opcode Fuzzy Hash: 0f232e06f22b44954997fabda13f018f6877ddd9f8c22ba8cc440ed84e9eb8b9
Instruction Fuzzy Hash: 9711EF36E09E4185EB54AF25E85023CA3B4FF98FA8F544031DA4E42764CE3CD85E8750

Function 00007FF7197D4CB0 Relevance: 5.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D4CE8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D4D0E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D4D2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197D4D3E

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9fc0dafa36eeb8547900e43abaec9d8ac2fa0d416f996b62de7c6423f221789
Instruction ID: e91409c2b04292c0d5718510f729f1f79dbab08e3608d4f33af3d94c85c9ecd2
Opcode Fuzzy Hash: d9fc0dafa36eeb8547900e43abaec9d8ac2fa0d416f996b62de7c6423f221789
Instruction Fuzzy Hash: D511E936A05E45C6D7409F25E580268B3B4FB88FA8F484035DF8E57628CF38E8AAC750

Function 00007FF7197E4150 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E4160
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E4186
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E4194
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7197E41A2

Memory Dump Source

Source File: 00000000.00000002.1699306057.00007FF719781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF719780000, based on PE: true

Associated: 00000000.00000002.1699290060.00007FF719780000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699353486.00007FF7197F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699386492.00007FF719810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699450541.00007FF719812000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff719780000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4d6ad8114966ce1c178f6473bb2adf4280ef40217638cbeed137c53cc562f174
Instruction ID: a3023e4145cb746e33259c52618a382f545a3b83c8a71aa099bc102c574e2d0d
Opcode Fuzzy Hash: 4d6ad8114966ce1c178f6473bb2adf4280ef40217638cbeed137c53cc562f174
Instruction Fuzzy Hash: A4F0B636A05F01C6DB449F25E994028B3B4FB98FA87514131DA5E42764CF38C5AAC750

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe

Function 00007FF7197BB8F0 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191
libraryloadernetworkCOMMON

Function 00007FF7197BACD0 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357
networkCOMMON

Function 00007FF71979E120 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 217
COMMON

Function 00007FF71978A7C0 Relevance: 35.4, APIs: 14, Strings: 6, Instructions: 385
sleepprocesslibraryCOMMON

Function 00007FF7197A22E0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 134
COMMON

Function 00007FF7197993B0 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 269
COMMON

Function 00007FF719798490 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 172
filememoryCOMMON

Function 00007FF7197BB5D0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128
librarystringloaderCOMMON

Function 00007FF7197C6CE0 Relevance: 24.1, APIs: 16, Instructions: 127
networkCOMMON

Function 00007FF7197B9990 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337
COMMON

Function 00007FF7197CCCD0 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415
encryptionCOMMON

Function 00007FF7197CBEF0 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348
libraryloaderCOMMON

Function 00007FF7197AE370 Relevance: 28.7, APIs: 19, Instructions: 165
COMMON