Edit tour

Windows Analysis Report
AimPrivStoreAtt117.exe

Overview

General Information

Sample name:	AimPrivStoreAtt117.exe
Analysis ID:	1590900
MD5:	199e093792c0a0c91233709796553e3c
SHA1:	3046ad48ef9e69c4482b58e89f2d6573e2e75793
SHA256:	cbb3e224ed616e62f2a81dedd1d88a7b1c3dfe318372506364662cadb73353c6
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found API chain indicative of debugger detection

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

AimPrivStoreAtt117.exe (PID: 5560 cmdline: "C:\Users\user\Desktop\AimPrivStoreAtt117.exe" MD5: 199E093792C0A0C91233709796553E3C)

conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2656 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6564 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 4500 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 4256 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6540 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5264 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1248 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 940 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5552 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1396 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 3452 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 2464 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 904 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2820 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1784 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1600 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5840 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7156 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6416 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5536 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7116 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 3184 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5804 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 5824 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5656 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1816 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 2724 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 3448 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 6532 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2804 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 6008 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6004 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 6632 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AimPrivStoreAtt117.exe	ReversingLabs: Detection: 63%
Source: AimPrivStoreAtt117.exe	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Machine Learning detection for sample

Source: AimPrivStoreAtt117.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73168A87D strtol,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,_strdup,CertOpenStore,GetLastError,free,free,CryptStringToBinaryA,CertFindCertificateInStore,fopen,fseek,ftell,fseek,malloc,fread,fclose,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertCloseStore,calloc,CertFreeCertificateContext,fclose,free,CertFreeCertificateContext,free,calloc,	0_2_00007FF73168A87D
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316A6410 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertGetNameStringA,malloc,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,	0_2_00007FF7316A6410
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316AF870 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF7316AF870
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316AD780 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	0_2_00007FF7316AD780
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73168CB00 CryptAcquireContextA,CryptCreateHash,	0_2_00007FF73168CB00
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731689C40 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF731689C40
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731689B70 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_00007FF731689B70
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73168CB60 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF73168CB60
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73168CB50 CryptHashData,	0_2_00007FF73168CB50
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316A6D30 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,malloc,ReadFile,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,free,	0_2_00007FF7316A6D30

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_00007FF73166FA20
Source: AimPrivStoreAtt117.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Code function: mov dword ptr [rbp+04h], 424D53FFh

0_2_00007FF731699440

Source: unknown

HTTPS traffic detected: 172.67.72.57:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: AimPrivStoreAtt117.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\BACKUP BOTS PRIVATE STORE\Loader Valorant Aim\x64\Release\EpicGames.pdb source: AimPrivStoreAtt117.exe
Source:	Binary string: 2D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\BACKUP BOTS PRIVATE STORE\Loader Valorant Aim\x64\Release\EpicGames.pdb source: AimPrivStoreAtt117.exe

Source: global traffic

HTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 74Content-Type: application/x-www-form-urlencoded

Source: Joe Sandbox View

IP Address: 172.67.72.57 172.67.72.57

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Code function: 0_2_00007FF7316853A0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,

0_2_00007FF7316853A0

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: unknown

HTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 74Content-Type: application/x-www-form-urlencoded

Source: AimPrivStoreAtt117.exe	String found in binary or memory: http://167.114.85.75/aimhvcioffbronkzatualizadoh97.exe
Source: AimPrivStoreAtt117.exe	String found in binary or memory: http://167.114.85.75/aimhvcioffbronkzatualizadoh97.exeC:
Source: AimPrivStoreAtt117.exe	String found in binary or memory: http://167.114.85.75/aimhvcionattprivatestore674.exe
Source: AimPrivStoreAtt117.exe	String found in binary or memory: http://167.114.85.75/aimhvcionattprivatestore674.exeC:
Source: AimPrivStoreAtt117.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: AimPrivStoreAtt117.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34BD8000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000003.2135687514.0000019C34BD8000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000003.2135595751.0000019C34BD8000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34BB8000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34BAA000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000003.2135595751.0000019C34BD4000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000003.2135687514.0000019C34BD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.cc/panel/bronkzware/Loader
Source: AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/
Source: AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/aceEd
Source: AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/acev
Source: AimPrivStoreAtt117.exe, 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmp, AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/rograad.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 172.67.72.57:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Code function: 0_2_00007FF7316AD780 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

0_2_00007FF7316AD780

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316792C0	0_2_00007FF7316792C0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316772C0	0_2_00007FF7316772C0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731678600	0_2_00007FF731678600
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73168A87D	0_2_00007FF73168A87D
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731661AD0	0_2_00007FF731661AD0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731661E70	0_2_00007FF731661E70
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73167FED0	0_2_00007FF73167FED0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316692D0	0_2_00007FF7316692D0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73167A180	0_2_00007FF73167A180
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316831D0	0_2_00007FF7316831D0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73165D340	0_2_00007FF73165D340
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731695330	0_2_00007FF731695330
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316A6410	0_2_00007FF7316A6410
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731688600	0_2_00007FF731688600
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73165959D	0_2_00007FF73165959D
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73165977B	0_2_00007FF73165977B
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316AD780	0_2_00007FF7316AD780
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731661780	0_2_00007FF731661780
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316AF800	0_2_00007FF7316AF800
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73168A945	0_2_00007FF73168A945
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73168A93C	0_2_00007FF73168A93C
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731673C70	0_2_00007FF731673C70
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73165EC60	0_2_00007FF73165EC60
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73165AC3D	0_2_00007FF73165AC3D
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73169DB60	0_2_00007FF73169DB60
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731699E60	0_2_00007FF731699E60
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73168CF10	0_2_00007FF73168CF10
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316A1EF0	0_2_00007FF7316A1EF0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73165DED0	0_2_00007FF73165DED0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316A0EC0	0_2_00007FF7316A0EC0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731685D20	0_2_00007FF731685D20
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731670F40	0_2_00007FF731670F40
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731651000	0_2_00007FF731651000

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF73167AC70 appears 33 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF73167ABE0 appears 37 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF731663970 appears 49 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF73167AD50 appears 34 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF7316B0B9C appears 47 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF7316762B0 appears 381 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF7316797C0 appears 36 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF731676430 appears 323 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF7316796F0 appears 46 times
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: String function: 00007FF731670B80 appears 70 times

Source: classification engine

Classification label: mal60.evad.winEXE@68/18@1/2

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Code function: 0_2_00007FF731662650 GetLastError,_errno,FormatMessageA,strchr,strncpy,_errno,_errno,GetLastError,SetLastError,

0_2_00007FF731662650

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_03

Source: AimPrivStoreAtt117.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AimPrivStoreAtt117.exe	ReversingLabs: Detection: 63%
Source: AimPrivStoreAtt117.exe	Virustotal: Detection: 60%

Source: AimPrivStoreAtt117.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I32I64%ld.%ld$@

Source: unknown	Process created: C:\Users\user\Desktop\AimPrivStoreAtt117.exe "C:\Users\user\Desktop\AimPrivStoreAtt117.exe"
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: AimPrivStoreAtt117.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: AimPrivStoreAtt117.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AimPrivStoreAtt117.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AimPrivStoreAtt117.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AimPrivStoreAtt117.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AimPrivStoreAtt117.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AimPrivStoreAtt117.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AimPrivStoreAtt117.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: AimPrivStoreAtt117.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\BACKUP BOTS PRIVATE STORE\Loader Valorant Aim\x64\Release\EpicGames.pdb source: AimPrivStoreAtt117.exe
Source:	Binary string: 2D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\BACKUP BOTS PRIVATE STORE\Loader Valorant Aim\x64\Release\EpicGames.pdb source: AimPrivStoreAtt117.exe

Source: AimPrivStoreAtt117.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AimPrivStoreAtt117.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AimPrivStoreAtt117.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AimPrivStoreAtt117.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AimPrivStoreAtt117.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Code function: 0_2_00007FF7316792C0 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,GetProcAddress,if_nametoindex,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoA,QueryPerformanceFrequency,

0_2_00007FF7316792C0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro

Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Window / User API: threadDelayed 2683			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2200			Jump to behavior

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-47798

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

API coverage: 5.2 %

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe TID: 1708

Thread sleep time: -134150s >= -30000s

Jump to behavior

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-47437

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Code function: 0_2_00007FF7316B06AC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7316B06AC

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Code function: 0_2_00007FF7316B0A48 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF7316B0A48

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

0_2_00007FF7316792C0

Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316B03B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7316B03B4
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316B06AC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7316B06AC
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316B0854 SetUnhandledExceptionFilter,	0_2_00007FF7316B0854

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Code function: 0_2_00007FF7316B08C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7316B08C4

Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF7316853A0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,	0_2_00007FF7316853A0
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731695330 calloc,strchr,strncpy,strchr,strncpy,strchr,strtoul,strchr,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,	0_2_00007FF731695330
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73169BE35 calloc,calloc,calloc,bind,WSAGetLastError,	0_2_00007FF73169BE35
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF73169C090 calloc,calloc,calloc,bind,WSAGetLastError,	0_2_00007FF73169C090
Source: C:\Users\user\Desktop\AimPrivStoreAtt117.exe	Code function: 0_2_00007FF731677F70 memset,strncmp,strncmp,strchr,htons,atoi,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	0_2_00007FF731677F70

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Exploitation of Remote Services	12 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AimPrivStoreAtt117.exe	63%	ReversingLabs	Win64.Trojan.Generic
AimPrivStoreAtt117.exe	61%	Virustotal		Browse
AimPrivStoreAtt117.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://167.114.85.75/aimhvcionattprivatestore674.exe	0%	Avira URL Cloud	safe
http://167.114.85.75/aimhvcioffbronkzatualizadoh97.exe	0%	Avira URL Cloud	safe
http://167.114.85.75/aimhvcioffbronkzatualizadoh97.exeC:	0%	Avira URL Cloud	safe
https://keyauth.cc/panel/bronkzware/Loader	0%	Avira URL Cloud	safe
http://167.114.85.75/aimhvcionattprivatestore674.exeC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
keyauth.win	172.67.72.57	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.1/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://167.114.85.75/aimhvcioffbronkzatualizadoh97.exe	AimPrivStoreAtt117.exe	false	Avira URL Cloud: safe	unknown
http://167.114.85.75/aimhvcionattprivatestore674.exe	AimPrivStoreAtt117.exe	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.2/rograad.	AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://167.114.85.75/aimhvcionattprivatestore674.exeC:	AimPrivStoreAtt117.exe	false	Avira URL Cloud: safe	unknown
http://167.114.85.75/aimhvcioffbronkzatualizadoh97.exeC:	AimPrivStoreAtt117.exe	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.1/aceEd	AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://keyauth.win/api/1.1/acev	AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	AimPrivStoreAtt117.exe	false		high
https://curl.haxx.se/docs/http-cookies.html#	AimPrivStoreAtt117.exe	false		high
https://keyauth.cc/panel/bronkzware/Loader	AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34BD8000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000003.2135687514.0000019C34BD8000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000003.2135595751.0000019C34BD8000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34BB8000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34BAA000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000003.2135595751.0000019C34BD4000.00000004.00000020.00020000.00000000.sdmp, AimPrivStoreAtt117.exe, 00000000.00000003.2135687514.0000019C34BD4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.2/	AimPrivStoreAtt117.exe, 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmp, AimPrivStoreAtt117.exe, 00000000.00000002.3964803329.0000019C34B8B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.72.57	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590900
Start date and time:	2025-01-14 16:52:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AimPrivStoreAtt117.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@68/18@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 48 Number of non-executed functions: 231
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 52.165.164.15, 13.95.31.18, 13.107.253.45
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.72.57	SecuriteInfo.com.Win64.MalwareX-gen.31663.10814.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.11163.24254.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31663.10814.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.7443.30781.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.16016.24947.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.10159.8143.exe	Get hash	malicious	Unknown	Browse
	lvXRlexBnb.exe	Get hash	malicious	Unknown	Browse
	flX5YA1C09.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	ak3o7AZ3mH.exe	Get hash	malicious	Babadeda, Conti, Mimikatz	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
bg.microsoft.map.fastly.net	email.eml	Get hash	malicious	unknown	Browse	199.232.214.172
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	final shipping documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.214.172
	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	199.232.210.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	Mbda Us.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.210.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://biomed.acemlna.com/lt.php?x=3TZy~GE4J6XM5p79_du5VOds1H_TjdEjvPthjaTKJ3DP65RA_ky.0.Rv2Y2liNA~j-xAXHXFJFQNDb.y_ELGV.Fw3Hyoi8	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	email.eml	Get hash	malicious	unknown	Browse	172.64.41.3
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	http://brillflooring.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	172.67.72.57
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.72.57
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	172.67.72.57
	http://vionicstore.shop	Get hash	malicious	Unknown	Browse	172.67.72.57
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	172.67.72.57
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	172.67.72.57

Process:	C:\Users\user\Desktop\AimPrivStoreAtt117.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	302
Entropy (8bit):	3.591458873507413
Encrypted:	false
SSDEEP:	3:rRRqmIEaGj3F/9Dqa+U4W42oJXTIFNBh2To3G3oJXTIFNBhWXqowvxOwVGt:H041lqABhHfABhwcV4
MD5:	2093ABDC1CC5C502980BCE5F4F8897A7
SHA1:	23552E512460D3CC05A91E5491BF3ADCD9AB8568
SHA-256:	6B1550C3CDBCADFC23C19F432C52168C41BF0B54784962910391352D800ECDA5
SHA-512:	6E6C2E4E350921C2F8070E2B47FF1B056AEC8102CDA839B7288B578F7C86791C50DAE291568948C6E759801018BDFF48023FD856DDF56FF1D07F7E8BD21402F3
Malicious:	false
Preview:	....##########################################################..[ Selecione uma opcao: ]..##########################################################....[1] Iniciar Valorant Aim (HVCI DESLIGADO): ..[2] Iniciar Valorant Aim (HVCI HABILITADO): ....[+] Selecione a opcao:

\Device\Null

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.003997527334849
Encrypted:	false
SSDEEP:	3:HnRthLK5a6eCMABe:HRoJPO
MD5:	DF5DC1ABC0D52F3C9E931E26A7C0065C
SHA1:	EE84123D3B3BC440C63DFE65FF5616BE2B0904D5
SHA-256:	F7167A2FACDE50428D8D2697A1CDFF075DE809323DD16D62B65CDD103B2A9A6D
SHA-512:	9B2253CE41880D22A2DDF4F886BB6CB22FF0C981400CD9D03A1FCA81DE5FAEB86C26B85B66ECEC960816D7BBE9740843890F2FCCD334B6D274295A32A8E6A4E9
Malicious:	false
Preview:	The system cannot find the file specified...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.418976746883596
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AimPrivStoreAtt117.exe
File size:	510'464 bytes
MD5:	199e093792c0a0c91233709796553e3c
SHA1:	3046ad48ef9e69c4482b58e89f2d6573e2e75793
SHA256:	cbb3e224ed616e62f2a81dedd1d88a7b1c3dfe318372506364662cadb73353c6
SHA512:	f59dc0b6b5df0889db3819bb57c71bf878ccefaf0107fc1fb0e54a49a161fcb35caadd8cb3995760cc9cf871656d5aa0b6f437d53a9c6a755e74f17167f53c0a
SSDEEP:	12288:GXDur8S9+8Qu/y9x2EpL5UcY+6cm3C/pk:6urP93v/C2E19Y+7/pk
TLSH:	8FB46D96A7A913E9D1A7C07CC547C603E7B6B4991311DBDB43A0CA791F137E22E3A720
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V..._...B...PHe.^...PH..v...PH..\...PH..R...PH..P.......A...V...x.......?...9H..T...9H..W...9Hg.W...9H..W...RichV..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140060398
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677DDF4C [Wed Jan 8 02:13:32 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	551e5f19de2baa264d46ee5c6718793c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5B70D972C8h
dec eax
add esp, 28h
jmp 00007F5B70D96C17h
int3
int3
jmp 00007F5B70D9757Eh
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00001D6Bh]
dec eax
mov ecx, ebx
call dword ptr [00001D5Ah]
call dword ptr [00001DB4h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00001DB0h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00001DA4h]
test eax, eax
je 00007F5B70D96DA9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00019462h]
call 00007F5B70D96F6Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00019549h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [000194D9h], eax
dec eax
mov eax, dword ptr [00019532h]
dec eax
mov dword ptr [000193A3h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [000194A7h], eax
mov dword ptr [0001937Dh], C0000409h
mov dword ptr [00019377h], 00000001h
mov dword ptr [00000081h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x77318	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7f000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7a000	0x405c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0x4ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x71080	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x71100	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x70f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x62000	0x858	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x60718	0x60800	602f1089df07ef344959cfe41447af2c	False	0.5326414750647669	data	6.334775760528484	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x62000	0x16ec4	0x17000	34b296da2f473d4b9bd8f08336dcff29	False	0.37954313858695654	data	5.599267697230251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x79000	0xe08	0x400	5b070ba4bf716bd9abd9429588bdb3ed	False	0.21484375	data	2.448207517753268	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x7a000	0x405c	0x4200	12d13dd91b54cb2b26af3136bc3f645d	False	0.4738991477272727	data	5.697151102004698	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7f000	0x1e8	0x200	9682c2bd23621eded0bee00be928ba8f	False	0.54296875	data	4.772037401703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0x4ec	0x600	43a6897ca7133ec62c7e8be294ec97b7	False	0.5162760416666666	data	4.831811206446416	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x7f060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	ReadFile, PeekNamedPipe, WaitForMultipleObjects, CreateFileA, GetFileSizeEx, WideCharToMultiByte, RtlCaptureContext, GetModuleHandleA, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FreeLibrary, GetSystemDirectoryA, QueryPerformanceFrequency, VerSetConditionMask, SleepEx, GetEnvironmentVariableA, EnterCriticalSection, FormatMessageA, SetLastError, CloseHandle, GetCurrentProcess, DeleteCriticalSection, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetModuleHandleW, GetCurrentProcessId, GetCurrentThreadId, GetFileType, MultiByteToWideChar, WaitForSingleObjectEx, MoveFileExA, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, LoadLibraryA, LeaveCriticalSection, GetSystemTimeAsFileTime, GetProcAddress, GetLastError, InitializeCriticalSectionEx, GetConsoleWindow, SetConsoleTitleA, SetConsoleTextAttribute, SetConsoleScreenBufferInfoEx, GetConsoleScreenBufferInfoEx, SetConsoleMode, GetConsoleMode, Sleep, RtlLookupFunctionEntry, GetStdHandle, OutputDebugStringW, InitializeSListHead
USER32.dll	MessageBoxA, MoveWindow, GetWindowRect, GetWindowLongA, SetWindowLongA
ADVAPI32.dll	CryptEncrypt, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptGenRandom, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey
SHELL32.dll	ShellExecuteA
MSVCP140.dll	?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Xlength_error@std@@YAXPEBD@Z, _Thrd_detach, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ?_Random_device@std@@YAIXZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Xbad_function_call@std@@YAXXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
urlmon.dll	URLDownloadToFileA
Normaliz.dll	IdnToAscii
WLDAP32.dll
CRYPT32.dll	CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertOpenStore, CertCloseStore
WS2_32.dll	ntohl, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, __WSAFDIsSet, ioctlsocket, htonl, accept, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, bind, WSAGetLastError, send, recv, closesocket, listen
VCRUNTIME140.dll	__std_exception_destroy, __std_exception_copy, memcpy, memcmp, _CxxThrowException, __std_terminate, __C_specific_handler, strchr, __current_exception_context, strrchr, __current_exception, memchr, memset, strstr, memmove
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	_errno, __sys_nerr, _invalid_parameter_noinfo_noreturn, strerror, exit, _getpid, system, _beginthreadex, _register_thread_local_exe_atexit_callback, terminate, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _c_exit, _get_initial_narrow_environment, _initterm, _initterm_e, _exit, __p___argv, __p___argc
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, calloc, realloc, malloc, _set_new_mode, free
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vfprintf, fseek, feof, __p__commode, fputc, ftell, _lseeki64, _read, _write, _close, _open, __acrt_iob_func, __stdio_common_vsscanf, fgets, fputs, fopen, fflush, __stdio_common_vsprintf, fread, fclose, _set_fmode, fwrite
api-ms-win-crt-convert-l1-1-0.dll	atoi, strtoul, strtoull, strtoll, strtol, strtod
api-ms-win-crt-locale-l1-1-0.dll	localeconv, _configthreadlocale
api-ms-win-crt-time-l1-1-0.dll	_time64, _gmtime64
api-ms-win-crt-string-l1-1-0.dll	strpbrk, strcspn, strcmp, strncmp, strncpy, strspn, isupper, tolower, _strdup
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-filesystem-l1-1-0.dll	_stat64, _access, _unlink, _fstat64
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dclass

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:53:13.392244101 CET	49708	443	192.168.2.5	172.67.72.57
Jan 14, 2025 16:53:13.392287970 CET	443	49708	172.67.72.57	192.168.2.5
Jan 14, 2025 16:53:13.392493963 CET	49708	443	192.168.2.5	172.67.72.57
Jan 14, 2025 16:53:13.404994011 CET	49708	443	192.168.2.5	172.67.72.57
Jan 14, 2025 16:53:13.405030012 CET	443	49708	172.67.72.57	192.168.2.5
Jan 14, 2025 16:53:13.868478060 CET	443	49708	172.67.72.57	192.168.2.5
Jan 14, 2025 16:53:13.868577003 CET	49708	443	192.168.2.5	172.67.72.57
Jan 14, 2025 16:53:13.873060942 CET	49708	443	192.168.2.5	172.67.72.57
Jan 14, 2025 16:53:13.873078108 CET	443	49708	172.67.72.57	192.168.2.5
Jan 14, 2025 16:53:13.873421907 CET	443	49708	172.67.72.57	192.168.2.5
Jan 14, 2025 16:53:13.877686024 CET	49708	443	192.168.2.5	172.67.72.57
Jan 14, 2025 16:53:13.919337988 CET	443	49708	172.67.72.57	192.168.2.5
Jan 14, 2025 16:53:14.180005074 CET	443	49708	172.67.72.57	192.168.2.5
Jan 14, 2025 16:53:14.180099010 CET	443	49708	172.67.72.57	192.168.2.5
Jan 14, 2025 16:53:14.180176020 CET	49708	443	192.168.2.5	172.67.72.57
Jan 14, 2025 16:53:14.190316916 CET	49708	443	192.168.2.5	172.67.72.57
Jan 14, 2025 16:53:14.190351009 CET	443	49708	172.67.72.57	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:53:13.376233101 CET	60348	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:53:13.383497000 CET	53	60348	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:53:13.376233101 CET	192.168.2.5	1.1.1.1	0x149b	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:53:13.383497000 CET	1.1.1.1	192.168.2.5	0x149b	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:53:13.383497000 CET	1.1.1.1	192.168.2.5	0x149b	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:53:13.383497000 CET	1.1.1.1	192.168.2.5	0x149b	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:53:26.128638029 CET	1.1.1.1	192.168.2.5	0x4187	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:53:26.128638029 CET	1.1.1.1	192.168.2.5	0x4187	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:54:27.622817993 CET	1.1.1.1	192.168.2.5	0x67fa	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:54:27.622817993 CET	1.1.1.1	192.168.2.5	0x67fa	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

keyauth.win

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	172.67.72.57	443	5560	C:\Users\user\Desktop\AimPrivStoreAtt117.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:53:13 UTC	128	OUT	POST /api/1.1/ HTTP/1.1 Host: keyauth.win Accept: / Content-Length: 74 Content-Type: application/x-www-form-urlencoded
2025-01-14 15:53:13 UTC	74	OUT	Data Raw: 74 79 70 65 3d 69 6e 69 74 26 76 65 72 3d 32 2e 36 26 6e 61 6d 65 3d 4c 6f 61 64 65 72 20 50 72 69 6e 63 69 70 61 6c 20 7c 20 50 72 69 76 61 74 65 20 53 74 6f 72 65 26 6f 77 6e 65 72 69 64 3d 39 57 49 76 54 56 4a 61 39 6d Data Ascii: type=init&ver=2.6&name=Loader Principal \| Private Store&ownerid=9WIvTVJa9m
2025-01-14 15:53:14 UTC	1326	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:53:14 GMT Content-Type: application/json; charset=UTF-8 Content-Length: 475 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hxKzBJIlJarRRw9izFk2IloJegBipY04TgLzYpVb92byy%2BB2ooLEUL94nXwxvg8jIMYhbPu5hJxXotyX964ov8rwCy%2B%2B6tFyRUEm8%2FzHMu%2FJR0AAqXzwL98BP8Xs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Acknowledge: Credit to VaultCord.com X-Powered-By: VaultCord.com content-security-policy: upgrade-insecure-requests permissions-policy: accelerometer=(), camera=(), fullscreen=, geolocation=(self), gyroscope=(), microphone=(), payment= referrer-policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains x-content-security-policy: img-src ; media-src data:; x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 1; mode=block Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Server: cloudflare CF-RAY: 901ecc363a255e78-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1597&rtt_var=627&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2346&recv_bytes=862&delivery_rate=1708601&cwnd=252&unsent_bytes=0&cid=28970cb2a1b36c03&ts=325&x=0"
2025-01-14 15:53:14 UTC	43	IN	Data Raw: 7b 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 63 6f 64 65 22 3a 36 38 2c 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 Data Ascii: {"success":true,"code":68,"message":"Initia
2025-01-14 15:53:14 UTC	432	IN	Data Raw: 6c 69 7a 65 64 22 2c 22 73 65 73 73 69 6f 6e 69 64 22 3a 22 34 65 65 38 33 39 36 32 22 2c 22 61 70 70 69 6e 66 6f 22 3a 7b 22 6e 75 6d 55 73 65 72 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 6e 75 6d 4f 6e 6c 69 6e 65 55 73 65 72 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 6e 75 6d 4b 65 79 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 32 2e 36 22 2c 22 63 75 73 Data Ascii: lized","sessionid":"4ee83962","appinfo":{"numUsers":"N/A - Use fetchStats() function in latest example","numOnlineUsers":"N/A - Use fetchStats() function in latest example","numKeys":"N/A - Use fetchStats() function in latest example","version":"2.6","cus

Target ID:	0
Start time:	10:53:09
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\AimPrivStoreAtt117.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\AimPrivStoreAtt117.exe"
Imagebase:	0x7ff731650000
File size:	510'464 bytes
MD5 hash:	199E093792C0A0C91233709796553E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff6fb6b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:53:10
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:53:11
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff6fb6b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:53:11
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:53:11
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 904, Parent PID: 2464

General

Target ID:	15
Start time:	10:53:11
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:53:11
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 1784, Parent PID: 2820

General

Target ID:	17
Start time:	10:53:11
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:53:11
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 5840, Parent PID: 1600

General

Target ID:	19
Start time:	10:53:11
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:53:12
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 6416, Parent PID: 7156

General

Target ID:	21
Start time:	10:53:12
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff6fb6b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:53:12
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 7116, Parent PID: 5536

General

Target ID:	23
Start time:	10:53:12
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff6fb6b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:53:12
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 5804, Parent PID: 5560

General

Target ID:	25
Start time:	10:53:13
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 5824, Parent PID: 5804

General

Target ID:	26
Start time:	10:53:13
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:53:13
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 1816, Parent PID: 5656

General

Target ID:	28
Start time:	10:53:13
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:53:14
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:53:14
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff7c6560000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:53:14
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:53:14
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff6fb6b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:53:14
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:53:14
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff6fb6b0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:53:14
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff7d9800000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	102

Executed Functions

Function 00007FF73167FED0 Relevance: 178.5, APIs: 31, Strings: 70, Instructions: 1702stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167FFA8
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167FFB5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680088
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168010C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316801B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168024A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680315
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168034D
strchr.VCRUNTIME140 ref: 00007FF7316804C7
strchr.VCRUNTIME140 ref: 00007FF7316804DA
strchr.VCRUNTIME140 ref: 00007FF7316804EC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316805F3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680663
memcpy.VCRUNTIME140 ref: 00007FF73168068A
strchr.VCRUNTIME140 ref: 00007FF73168069E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316806B2
strstr.VCRUNTIME140 ref: 00007FF7316808E8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680A21
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680B99

Part of subcall function 00007FF7316796F0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731679763

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680C4C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680CD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680F2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680F40
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731680F4F

Part of subcall function 00007FF7316822A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316822FA

strchr.VCRUNTIME140 ref: 00007FF731681507
strchr.VCRUNTIME140 ref: 00007FF73168151A
strchr.VCRUNTIME140 ref: 00007FF73168152C

Part of subcall function 00007FF7316822A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168231A
Part of subcall function 00007FF7316822A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731682323

strchr.VCRUNTIME140 ref: 00007FF73168177F
strchr.VCRUNTIME140 ref: 00007FF731681792
strchr.VCRUNTIME140 ref: 00007FF7316817A4

Part of subcall function 00007FF7316848D0: strchr.VCRUNTIME140 ref: 00007FF7316849B6
Part of subcall function 00007FF7316848D0: strchr.VCRUNTIME140 ref: 00007FF7316849C9
Part of subcall function 00007FF7316848D0: strchr.VCRUNTIME140 ref: 00007FF7316849DB

Strings

Could only read %I64d bytes from the input, xrefs: 00007FF731680B55
Invalid TIMEVALUE, xrefs: 00007FF731681153
Content-Length, xrefs: 00007FF7316812E4, 00007FF731681439, 00007FF7316816BE
Cookie: , xrefs: 00007FF73168103E, 00007FF7316810B4
Proxy-Connection: Keep-Alive, xrefs: 00007FF731680DCF, 00007FF731680DE4
Transfer-Encoding: chunked, xrefs: 00007FF7316805BF
Range, xrefs: 00007FF731680A02
Referer, xrefs: 00007FF731680263
Host: %s%s%s:%d, xrefs: 00007FF7316807B2
Host, xrefs: 00007FF7316805F9
ftp, xrefs: 00007FF7316808B9
User-Agent, xrefs: 00007FF73168006D
Content-Range: bytes %s%I64d/%I64d, xrefs: 00007FF731680BD8
Cookie, xrefs: 00007FF7316802D2
PUT, xrefs: 00007FF731680048
Proxy-Connection, xrefs: 00007FF731680DA3
%s, xrefs: 00007FF731681483
%x, xrefs: 00007FF7316818A5
Content-Range: bytes %s/%I64d, xrefs: 00007FF731680BE6
1.0, xrefs: 00007FF731680C30
Failed sending HTTP POST request, xrefs: 00007FF7316819AB
ftp://%s:%s@%s, xrefs: 00007FF731680CFB
chunked, xrefs: 00007FF731680506
%s , xrefs: 00007FF731680C63
POST, xrefs: 00007FF731680055
%s?%s, xrefs: 00007FF7316800A5
OPTIONS, xrefs: 00007FF73168003B
Host:, xrefs: 00007FF7316806C1
Accept: */*, xrefs: 00007FF7316809B5
File already completely uploaded, xrefs: 00007FF731680B39
upload completely sent off: %I64d out of %I64d bytes, xrefs: 00007FF731681AAE
Content-Type, xrefs: 00007FF7316803B7, 00007FF7316816ED
%s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00007FF731681224
Expect, xrefs: 00007FF7316814A4, 00007FF731681719
multipart/form-data, xrefs: 00007FF7316803FA
Transfer-Encoding, xrefs: 00007FF73168045D
;type=%c, xrefs: 00007FF731680951
Referer: %s, xrefs: 00007FF73168027E
?%s, xrefs: 00007FF731680D3B
If-Unmodified-Since, xrefs: 00007FF731681194
Could not seek stream, xrefs: 00007FF731680A98
Transfer-Encoding:, xrefs: 00007FF73168047E
Chunky upload is not supported by HTTP 1.0, xrefs: 00007FF7316805CC
Failed sending PUT request, xrefs: 00007FF731681379
100-continue, xrefs: 00007FF731681546, 00007FF7316817C6
0, xrefs: 00007FF7316818F6, 00007FF7316819F5
Expect:, xrefs: 00007FF7316814C5, 00007FF73168173A
Failed sending POST request, xrefs: 00007FF7316813D9, 00007FF73168161D
Content-Length: 0, xrefs: 00007FF7316813A0
If-Modified-Since, xrefs: 00007FF73168119D
Content-Type: application/x-www-form-urlencoded, xrefs: 00007FF731681701
HEAD, xrefs: 00007FF731680011
Accept, xrefs: 00007FF7316809A3
%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF731680F0B
Accept-Encoding: %s, xrefs: 00007FF731680322
%s%s=%s, xrefs: 00007FF731681059
1.1, xrefs: 00007FF731680C3E
Content-Length: %I64d, xrefs: 00007FF7316812FB, 00007FF731681450, 00007FF7316816D5
Content-Range, xrefs: 00007FF731680B7E
Accept-Encoding, xrefs: 00007FF7316802F1
Content-Range: bytes 0-%I64d/%I64d, xrefs: 00007FF731680BB4
Range: bytes=%s, xrefs: 00007FF731680A2E
GET, xrefs: 00007FF731680062
Host:%s, xrefs: 00007FF7316806F6
;type=, xrefs: 00007FF7316808DE
http, xrefs: 00007FF73168084B
%s%s, xrefs: 00007FF7316810E0
Failed sending HTTP request, xrefs: 00007FF731681676
Last-Modified, xrefs: 00007FF73168118B
Host: %s%s%s, xrefs: 00007FF73168076D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$strchr$_strdup$callocmemcpystrstr
String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s: %s, %02d %s %4d %02d:%02d:%02d GMT$%s?%s$%x$0$1.0$1.1$100-continue$;type=$;type=%c$?%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Cookie$Cookie: $Could not seek stream$Could only read %I64d bytes from the input$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified$OPTIONS$POST$PUT$Proxy-Connection$Proxy-Connection: Keep-Alive$Range$Range: bytes=%s$Referer$Referer: %s$Transfer-Encoding$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent$chunked$ftp$ftp://%s:%s@%s$http$multipart/form-data$upload completely sent off: %I64d out of %I64d bytes
API String ID: 2045874074-4264080130
Opcode ID: df388712e8186f415a9c3d512b14d34def9028130db4415460419967b26806f6
Instruction ID: 6d435507c752b3a3359c3769fb40fd4d4d1013968a3049a3c941cc9b8bdc61ca
Opcode Fuzzy Hash: df388712e8186f415a9c3d512b14d34def9028130db4415460419967b26806f6
Instruction Fuzzy Hash: 8903D231E08BA2E5FB54EBA5D4103B9A7A2AF45B88F844435CE1D17B95DFBCE441E320

Function 00007FF731661E70 Relevance: 124.5, APIs: 58, Strings: 13, Instructions: 288
processsleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7316AFB48: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73165442E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF7316AFB62

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731661ED4
_Thrd_detach.MSVCP140 ref: 00007FF731661F03
GetStdHandle.KERNEL32 ref: 00007FF731661F1E
GetConsoleMode.KERNELBASE ref: 00007FF731661F2F
SetConsoleMode.KERNELBASE ref: 00007FF731661F42
GetStdHandle.KERNEL32 ref: 00007FF731661F4D
GetConsoleScreenBufferInfoEx.KERNELBASE ref: 00007FF731661F64
SetConsoleScreenBufferInfoEx.KERNELBASE ref: 00007FF731661F89
GetConsoleMode.KERNELBASE ref: 00007FF731661F97
SetConsoleMode.KERNELBASE ref: 00007FF731661FAB
GetConsoleWindow.KERNELBASE ref: 00007FF731661FB1
GetWindowLongA.USER32 ref: 00007FF731661FC2
SetWindowLongA.USER32 ref: 00007FF731661FD8
GetConsoleWindow.KERNELBASE ref: 00007FF731661FDE
GetWindowRect.USER32 ref: 00007FF731661FEF
MoveWindow.USER32 ref: 00007FF731662017
GetStdHandle.KERNEL32 ref: 00007FF731662022
SetConsoleTextAttribute.KERNELBASE ref: 00007FF731662030
GetStdHandle.KERNEL32 ref: 00007FF731662047
SetConsoleTextAttribute.KERNELBASE ref: 00007FF731662055
GetStdHandle.KERNEL32 ref: 00007FF731662078
SetConsoleTextAttribute.KERNELBASE ref: 00007FF731662086
GetStdHandle.KERNEL32 ref: 00007FF73166209D
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7316620AB

Part of subcall function 00007FF7316623B0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7316623D4
Part of subcall function 00007FF7316623B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7316623F5

GetStdHandle.KERNEL32 ref: 00007FF7316620C2
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7316620D0
GetStdHandle.KERNEL32 ref: 00007FF7316620E7
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7316620F5
GetStdHandle.KERNEL32 ref: 00007FF73166210C
SetConsoleTextAttribute.KERNEL32 ref: 00007FF73166211A
GetStdHandle.KERNEL32 ref: 00007FF731662131
SetConsoleTextAttribute.KERNEL32 ref: 00007FF73166213F
GetStdHandle.KERNEL32 ref: 00007FF731662162
SetConsoleTextAttribute.KERNEL32 ref: 00007FF731662170
GetStdHandle.KERNEL32 ref: 00007FF731662187
SetConsoleTextAttribute.KERNEL32 ref: 00007FF731662195
GetStdHandle.KERNEL32 ref: 00007FF7316621AC
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7316621BA
GetStdHandle.KERNEL32 ref: 00007FF7316621DD
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7316621EB
GetStdHandle.KERNEL32 ref: 00007FF731662202
SetConsoleTextAttribute.KERNEL32 ref: 00007FF731662210
GetStdHandle.KERNEL32 ref: 00007FF731662227
SetConsoleTextAttribute.KERNEL32 ref: 00007FF731662235
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF731662253
URLDownloadToFileA.URLMON ref: 00007FF7316622AA
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316622B6
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316622C3
Sleep.KERNEL32 ref: 00007FF7316622CE
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316622D6
URLDownloadToFileA.URLMON ref: 00007FF73166232A
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662336
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662343
Sleep.KERNEL32 ref: 00007FF73166234E
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662356
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662364
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF731662393
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF7316623A2

Strings

Iniciar Valorant Aim (HVCI HABILITADO): , xrefs: 00007FF7316621C0
##########################################################, xrefs: 00007FF7316620B1
start C:\Windows\System32\config\SerceubetisHostDialog.exe, xrefs: 00007FF7316622BC
Iniciar Valorant Aim (HVCI DESLIGADO): , xrefs: 00007FF731662145
start C:\Windows\System32\config\SeiebingsHosDialog.exe, xrefs: 00007FF73166233C
http://167.114.85.75/aimhvcioffbronkzatualizadoh97.exe, xrefs: 00007FF731662262
C:\Windows\System32\config\SeiebingsHosDialog.exe, xrefs: 00007FF7316622F4
http://167.114.85.75/aimhvcionattprivatestore674.exe, xrefs: 00007FF7316622E2
cd C:\, xrefs: 00007FF7316622AF, 00007FF73166232F
[ Selecione uma opcao: ], xrefs: 00007FF73166208C
##########################################################, xrefs: 00007FF731662067
Selecione a opcao: , xrefs: 00007FF73166223B
C:\Windows\System32\config\SerceubetisHostDialog.exe, xrefs: 00007FF731662273

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Console$Handle$AttributeText$Window$Modesystem$BufferCpp_error@std@@DownloadFileInfoLongScreenSleepThrow_exit$??5?$basic_istream@D@std@@@std@@MoveRectThrd_detachU?$char_traits@V01@__acrt_iob_func__stdio_common_vfprintf_beginthreadexmallocterminate
String ID: Iniciar Valorant Aim (HVCI DESLIGADO): $ Iniciar Valorant Aim (HVCI HABILITADO): $ Selecione a opcao: $##########################################################$##########################################################$C:\Windows\System32\config\SeiebingsHosDialog.exe$C:\Windows\System32\config\SerceubetisHostDialog.exe$[ Selecione uma opcao: ]$cd C:\$http://167.114.85.75/aimhvcioffbronkzatualizadoh97.exe$http://167.114.85.75/aimhvcionattprivatestore674.exe$start C:\Windows\System32\config\SeiebingsHosDialog.exe$start C:\Windows\System32\config\SerceubetisHostDialog.exe
API String ID: 3379756739-3340239426
Opcode ID: 5881214bdcecccd07407780c68f0ed9ff0d7f6a6fe0d88e462e8c414fdabbda1
Instruction ID: f9f0aa7c300a9b0b33ccc4e4099b222883173d95c7204868ce9f680e551cbe13
Opcode Fuzzy Hash: 5881214bdcecccd07407780c68f0ed9ff0d7f6a6fe0d88e462e8c414fdabbda1
Instruction Fuzzy Hash: 36D13721E08913E2EB04FBA1E814179B3A2FF88755F808639D51F466B5DFBCF545A3A0

Function 00007FF73168A87D Relevance: 116.1, APIs: 43, Strings: 23, Instructions: 552stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73168A9D8
strchr.VCRUNTIME140 ref: 00007FF73168AA04
strchr.VCRUNTIME140 ref: 00007FF73168AA3E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168AA62
strchr.VCRUNTIME140 ref: 00007FF73168AB72
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168AB8A

Strings

CurrentService, xrefs: 00007FF73168AAB5
LocalMachineGroupPolicy, xrefs: 00007FF73168AB2C
LocalMachineEnterprise, xrefs: 00007FF73168AB4B
Microsoft Unified Security Protocol Provider, xrefs: 00007FF73168AF7F
http/1.1, xrefs: 00007FF73168B0A7
http/1.1, xrefs: 00007FF73168B093
Services, xrefs: 00007FF73168AAD7
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF73168AE19
LocalMachine, xrefs: 00007FF73168AA93
schannel: Failed to read cert file %s, xrefs: 00007FF73168AF39
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF73168B073
schannel: AcquireCredentialsHandle failed: %s, xrefs: 00007FF73168AFF5
schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 00007FF73168AE44
CurrentUser, xrefs: 00007FF73168AA52
schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 00007FF73168AE8F
schannel: Failed to get certificate location or file for %s, xrefs: 00007FF73168AF62
schannel: unable to allocate memory, xrefs: 00007FF73168AEFC, 00007FF73168B187
CurrentUserGroupPolicy, xrefs: 00007FF73168AB0D
schannel: ALPN, offering %s, xrefs: 00007FF73168B0B5
schannel: TLS 1.3 is not yet supported, xrefs: 00007FF73168A90B
schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 00007FF73168ABF0
Users, xrefs: 00007FF73168AAF6
Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00007FF73168AA77

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$_strdupstrncmpstrtol
String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$Services$Unable to set ciphers to passed via SSL_CONN_CONFIG$Users$http/1.1$http/1.1$schannel: ALPN, offering %s$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: TLS 1.3 is not yet supported$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.
API String ID: 707411602-3372543188
Opcode ID: 3b907009211ff7cb2198ef5d328b79b85d72c5b5477c74e40b21cd7e234a9625
Instruction ID: c74b8ba80262b19c8f6604e224bd19788298ad31f2634c9650e5fef2841d9547
Opcode Fuzzy Hash: 3b907009211ff7cb2198ef5d328b79b85d72c5b5477c74e40b21cd7e234a9625
Instruction Fuzzy Hash: 0742C471E08B62E1EB64AF92D8502B9A3A6FF45784F805135CE5E07B90DFBCE544E720

Function 00007FF7316792C0 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF7316792E8
WSACleanup.WS2_32 ref: 00007FF731679303
GetModuleHandleA.KERNEL32 ref: 00007FF731679354
GetProcAddress.KERNEL32 ref: 00007FF731679380
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167939A
LoadLibraryA.KERNEL32 ref: 00007FF7316793BD
GetProcAddress.KERNEL32 ref: 00007FF7316793DA
LoadLibraryExA.KERNELBASE ref: 00007FF7316793F0
GetSystemDirectoryA.KERNEL32 ref: 00007FF731679406
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167941E
GetSystemDirectoryA.KERNEL32 ref: 00007FF731679432
LoadLibraryA.KERNEL32 ref: 00007FF7316794A0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316794AC
GetProcAddress.KERNEL32 ref: 00007FF7316794D8
VerSetConditionMask.KERNEL32 ref: 00007FF731679561
VerSetConditionMask.KERNEL32 ref: 00007FF731679574
VerSetConditionMask.KERNEL32 ref: 00007FF731679583
VerSetConditionMask.KERNEL32 ref: 00007FF731679592
VerSetConditionMask.KERNEL32 ref: 00007FF7316795A2
VerifyVersionInfoA.KERNEL32 ref: 00007FF7316795B3
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7316795CF

Strings

AddDllDirectory, xrefs: 00007FF7316793D0
if_nametoindex, xrefs: 00007FF7316794CE
kernel32, xrefs: 00007FF73167933B
iphlpapi.dll, xrefs: 00007FF731679386
LoadLibraryExA, xrefs: 00007FF73167936E

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ConditionMask$AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleInfoModulePerformanceQueryStartupVerifyVersionfreemallocstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 2612373469-2794540096
Opcode ID: eeb22dd33ee6f1824ceccbff02a487c861c0f39535903402c4be651aa8da3d3c
Instruction ID: 82f2ecfad4f15e1e920289d512aca022613e133ebd6d2a55d87e4050c2744094
Opcode Fuzzy Hash: eeb22dd33ee6f1824ceccbff02a487c861c0f39535903402c4be651aa8da3d3c
Instruction Fuzzy Hash: 9591A535E097A2D1EB20EB52E4043B9A3E2FF89B94F849135CA4E06754EFBCE045D720

Function 00007FF731678600 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF73167869C
socket.WS2_32 ref: 00007FF7316786E5
htons.WS2_32 ref: 00007FF731678771
setsockopt.WS2_32 ref: 00007FF7316787D3
WSAGetLastError.WS2_32 ref: 00007FF7316787DD
getsockopt.WS2_32 ref: 00007FF73167887F
setsockopt.WS2_32 ref: 00007FF7316788AE
setsockopt.WS2_32 ref: 00007FF7316788ED
WSAIoctl.WS2_32 ref: 00007FF73167897A
WSAGetLastError.WS2_32 ref: 00007FF731678984

Part of subcall function 00007FF7316855D0: ioctlsocket.WS2_32 ref: 00007FF7316855E9

Part of subcall function 00007FF73167E0F0: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF73166616F), ref: 00007FF73167E107

connect.WS2_32 ref: 00007FF731678AAB
WSAGetLastError.WS2_32 ref: 00007FF731678AC8

Part of subcall function 00007FF731662E40: GetLastError.KERNEL32 ref: 00007FF731662E62
Part of subcall function 00007FF731662E40: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662E6A

Part of subcall function 00007FF731676430: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676555
Part of subcall function 00007FF731676430: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676570

Part of subcall function 00007FF731676F10: closesocket.WS2_32 ref: 00007FF731676F53

Strings

Could not set TCP_NODELAY: %s, xrefs: 00007FF7316787FA
Failed to set SO_KEEPALIVE on fd %d, xrefs: 00007FF7316788FA
Trying %s:%ld..., xrefs: 00007FF73167877F
@, xrefs: 00007FF731678817
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00007FF731678B6E
Immediate connect fail for %s: %s, xrefs: 00007FF731678AF8
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00007FF73167898D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast$setsockopt$fwrite$CounterIoctlPerformanceQuery_errnoclosesocketconnectgetsockopthtonsioctlsocketmemcpysocket
String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3453287622-3868455274
Opcode ID: 2f9119e324de080cc09b2f9ffb043b1f18a9a114bed014c39b0810f39b736cae
Instruction ID: 5e47ffc36285ada6b89cfb1f26c994662e743660b6dd38197c39d2e6fe022dbc
Opcode Fuzzy Hash: 2f9119e324de080cc09b2f9ffb043b1f18a9a114bed014c39b0810f39b736cae
Instruction Fuzzy Hash: CBF10671E08262E6F710EBA5D4542BDA3A6FB44B48FC05035DA4E47B94DFBCE944EB20

Function 00007FF7316853A0 Relevance: 24.1, APIs: 16, Instructions: 127
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF7316853E1
htonl.WS2_32 ref: 00007FF73168540E
setsockopt.WS2_32 ref: 00007FF731685445
bind.WS2_32 ref: 00007FF731685460
getsockname.WS2_32 ref: 00007FF73168547C
listen.WS2_32 ref: 00007FF731685491
socket.WS2_32 ref: 00007FF7316854A8
connect.WS2_32 ref: 00007FF7316854C7
accept.WS2_32 ref: 00007FF7316854DE
send.WS2_32 ref: 00007FF73168552C
recv.WS2_32 ref: 00007FF73168554A
memcmp.VCRUNTIME140 ref: 00007FF731685565
closesocket.WS2_32 ref: 00007FF731685571

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: socket$acceptbindclosesocketconnectgetsocknamehtonllistenmemcmprecvsendsetsockopt
String ID:
API String ID: 3699910901-0
Opcode ID: 18acca75b82256b36fd27439601572a11a61d7d3643b22be5c7afa3228a250b6
Instruction ID: 23267bef7a12b1b10ecf9e73a9440d76d6a16db604f4533d91c9122c893ecd01
Opcode Fuzzy Hash: 18acca75b82256b36fd27439601572a11a61d7d3643b22be5c7afa3228a250b6
Instruction Fuzzy Hash: AD517032A08A51D1D710EF65E464179B3A2EB44BB4F908734EA7B43AE4DFBCE449D720

Function 00007FF7316772C0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

After %I64dms connect time, move on!, xrefs: 00007FF731677485
connect to %s port %ld failed: %s, xrefs: 00007FF73167753D
Connection failed, xrefs: 00007FF7316776A6
Failed to connect to %s port %ld: %s, xrefs: 00007FF7316777EE
Connection time-out, xrefs: 00007FF7316773A9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
API String ID: 0-3307081561
Opcode ID: 5f6f60715a206276a7ad46beb51eba481cecc6ffeb3571600683a81ee718a552
Instruction ID: a062dbabbb9523cd83995048a0d31c4b9d0a7b3f70aac8036efa3d67c73b24d5
Opcode Fuzzy Hash: 5f6f60715a206276a7ad46beb51eba481cecc6ffeb3571600683a81ee718a552
Instruction Fuzzy Hash: 8DE10431F086A2E2E764ABA5D4482BDA7A2FB487A4F804235DB5D077C5DFBCE401D710

Function 00007FF731661AD0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731660920: memcpy.VCRUNTIME140(?,0000006E00000006,?,FFFFFFFF,00007FF7316511FC), ref: 00007FF731660958

SleepEx.KERNELBASE ref: 00007FF731661C8F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731661D03
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731661D44
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731661D7C

Strings

PRIVATE STORE - , xrefs: 00007FF731661CAB
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789, xrefs: 00007FF731661B29

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Sleepmemcpy
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$PRIVATE STORE -
API String ID: 18138616-2486835083
Opcode ID: f62d194c9a5506e1bc40a120267c7f5705a5248675cb0b804e02d88154972be3
Instruction ID: 2042b677351a8e5b8ee7b61f1f9de2e696be6c5acff2ce59384fe5e9808f92a9
Opcode Fuzzy Hash: f62d194c9a5506e1bc40a120267c7f5705a5248675cb0b804e02d88154972be3
Instruction Fuzzy Hash: B581F672E18691E6EB10EB65E4402BDA363FBD9394F805331EA9D02AD9DFBCD080D710

Function 00007FF731652AE0 Relevance: 40.7, APIs: 16, Strings: 7, Instructions: 402
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316528E7
Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652957
Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316529B7
Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652A07
Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652A57

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652C88

Part of subcall function 00007FF731654900: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316549C0

Part of subcall function 00007FF7316AFB48: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73165442E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF7316AFB62

Part of subcall function 00007FF731654350: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF731654381

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652CD8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652D17
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652D65
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652DA4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652E58
memcpy.VCRUNTIME140 ref: 00007FF731652E7D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652F53
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652F9A
ShellExecuteA.SHELL32 ref: 00007FF731653092
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165309A
MessageBoxA.USER32 ref: 00007FF7316530D0
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316530E1
Sleep.KERNEL32 ref: 00007FF731653149
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731653151
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731653158

Part of subcall function 00007FF7316531A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316532AF
Part of subcall function 00007FF7316531A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316532F0

Part of subcall function 00007FF731653C70: memcpy.VCRUNTIME140 ref: 00007FF731653CC3

Part of subcall function 00007FF731653310: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316533F0

Part of subcall function 00007FF731653410: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316534F0

Strings

download, xrefs: 00007FF731653055
open, xrefs: 00007FF731653089
invalidver, xrefs: 00007FF731653019
Failure, xrefs: 00007FF7316530C7
success, xrefs: 00007FF731652EB6
message, xrefs: 00007FF731652FE3, 00007FF7316530A1
sessionid, xrefs: 00007FF731652EDE

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$system$exitmemcpy$Concurrency::cancel_current_taskExecuteMessageShellSleepmalloc
String ID: Failure$download$invalidver$message$open$sessionid$success
API String ID: 3283070336-3881042241
Opcode ID: 48964f434a99398b1488b2b580d5da66e7d6d207f2f7662726f7a427ccfb5c37
Instruction ID: db268cfac2364a5e374ea392af53e57a02dd24fc2b4a7a2cd39da7644a49033d
Opcode Fuzzy Hash: 48964f434a99398b1488b2b580d5da66e7d6d207f2f7662726f7a427ccfb5c37
Instruction Fuzzy Hash: 9802F7B2E08792E1EB00EBA5E4543ADA762FF85794F805235DA5D03AD6DFBCE084D350

Function 00007FF73168BF00 Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF73168C541
memcpy.VCRUNTIME140 ref: 00007FF73168C55D

Strings

schannel: can't renogotiate, encrypted data available, xrefs: 00007FF73168C4E2
schannel: renegotiation failed, xrefs: 00007FF73168C4CE
schannel: server closed the connection, xrefs: 00007FF73168C3D4
schannel: renegotiating SSL/TLS connection, xrefs: 00007FF73168C358
schannel: remote party requests renegotiation, xrefs: 00007FF73168C322
schannel: SSL/TLS connection renegotiated, xrefs: 00007FF73168C39F
schannel: server closed abruptly (missing close_notify), xrefs: 00007FF73168C4EE
schannel: an unrecoverable error occurred in a prior call, xrefs: 00007FF73168BFA5
schannel: unable to re-allocate memory, xrefs: 00007FF73168C03D, 00007FF73168C4A6
schannel: can't renogotiate, an error is pending, xrefs: 00007FF73168C4C2
schannel: Curl_read_plain returned CURLE_RECV_ERROR, xrefs: 00007FF73168C0CD
schannel: failed to decrypt data, need more data, xrefs: 00007FF73168C46A
schannel: Curl_read_plain returned error %d, xrefs: 00007FF73168C2A1
schannel: failed to read data from server: %s, xrefs: 00007FF73168C492
schannel: enough decrypted data is already available, xrefs: 00007FF73168BF85
schannel: server indicated shutdown in a prior call, xrefs: 00007FF73168BFC8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy
String ID: schannel: Curl_read_plain returned CURLE_RECV_ERROR$schannel: Curl_read_plain returned error %d$schannel: SSL/TLS connection renegotiated$schannel: an unrecoverable error occurred in a prior call$schannel: can't renogotiate, an error is pending$schannel: can't renogotiate, encrypted data available$schannel: enough decrypted data is already available$schannel: failed to decrypt data, need more data$schannel: failed to read data from server: %s$schannel: remote party requests renegotiation$schannel: renegotiating SSL/TLS connection$schannel: renegotiation failed$schannel: server closed abruptly (missing close_notify)$schannel: server closed the connection$schannel: server indicated shutdown in a prior call$schannel: unable to re-allocate memory
API String ID: 3510742995-857957974
Opcode ID: 66a31f3b8282b5844e5921c489c9b9307312f9f7db6f704572f5908f00d00f68
Instruction ID: 4e3d0708584ebefac6bfb45afde1c9983fe8a4b4063acc34fbbea02765d8108c
Opcode Fuzzy Hash: 66a31f3b8282b5844e5921c489c9b9307312f9f7db6f704572f5908f00d00f68
Instruction Fuzzy Hash: 0D020372E08B61D6EB60EB9AD4843B9A7A6FB44B94F904136DE4D83B90CFBCD441D710

Function 00007FF73168B390 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168B480
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168B4D1
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168B514
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168B5F7
memcpy.VCRUNTIME140 ref: 00007FF73168B699
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168B702
memcpy.VCRUNTIME140 ref: 00007FF73168B7DA
memset.VCRUNTIME140 ref: 00007FF73168B9A7
CertFreeCertificateContext.CRYPT32 ref: 00007FF73168BA0A

Strings

schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 00007FF73168B8B4
schannel: unable to re-allocate memory, xrefs: 00007FF73168B522
SSL: failed retrieving public key from server certificate, xrefs: 00007FF73168BA2A
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF73168BA4A
SSL: public key does not match pinned public key!, xrefs: 00007FF73168B9EC, 00007FF73168BA14
schannel: SNI or certificate check failed: %s, xrefs: 00007FF73168B86B
schannel: next InitializeSecurityContext failed: %s, xrefs: 00007FF73168B89E, 00007FF73168BAB2
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 00007FF73168B806
schannel: unable to allocate memory, xrefs: 00007FF73168BAFF

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: malloc$memcpy$CertCertificateContextFreefreememsetrealloc
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key!$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 860210379-3059304359
Opcode ID: 490e22f11895540a16886b2f19630deea4581af9f1cb7349150999466fba332e
Instruction ID: f73dccf6d4e0b7687bf51c577a595ef2e7bd5c92430932b1390b801cb6f71eb9
Opcode Fuzzy Hash: 490e22f11895540a16886b2f19630deea4581af9f1cb7349150999466fba332e
Instruction Fuzzy Hash: 68129172E08B91D5EB60DF9AD8503AEB7A2FB44B84F904139CA6D47B90DFB8D441D710

Function 00007FF73168A5B0 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF73168A681
GetProcAddress.KERNEL32 ref: 00007FF73168A691

Strings

wine_get_version, xrefs: 00007FF73168A68A
schannel: initial InitializeSecurityContext failed: %s, xrefs: 00007FF73168B24C, 00007FF73168B293
http/1.1, xrefs: 00007FF73168B0A7
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 00007FF73168A662
http/1.1, xrefs: 00007FF73168B093
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF73168A722
ntdll, xrefs: 00007FF73168A67A
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF73168B073
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00007FF73168B329
Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 00007FF73168B02F
schannel: SNI or certificate check failed: %s, xrefs: 00007FF73168B26D
schannel: unable to allocate memory, xrefs: 00007FF73168B187
schannel: ALPN, offering %s, xrefs: 00007FF73168B0B5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Unrecognized parameter passed via CURLOPT_SSLVERSION$http/1.1$http/1.1$ntdll$schannel: ALPN, offering %s$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 1646373207-2477831187
Opcode ID: 1c50b0e86c0dfb581e2f1436c7238595f97150c7056481b8677d10f7589f3bf5
Instruction ID: b1826221506f0a420c24e0f02b5a947f10c38ea407e8dbeaa34a9272a9322db0
Opcode Fuzzy Hash: 1c50b0e86c0dfb581e2f1436c7238595f97150c7056481b8677d10f7589f3bf5
Instruction Fuzzy Hash: DF02E072E08BA1D6E720ABA5D8402BE77A6FB44788F804139DE5D47B91DFBCD441E710

Function 00007FF73166BBF0 Relevance: 28.7, APIs: 19, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BC22
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BCBD
InitializeCriticalSectionEx.KERNEL32 ref: 00007FF73166BCD6

Part of subcall function 00007FF7316853A0: socket.WS2_32 ref: 00007FF7316853E1

DeleteCriticalSection.KERNEL32 ref: 00007FF73166BD10
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BD1A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BD24
closesocket.WS2_32 ref: 00007FF73166BD42
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BD78
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73166BD7E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166BDAD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BDC7
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166BDD0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73166BE05
EnterCriticalSection.KERNEL32 ref: 00007FF73166BE26
LeaveCriticalSection.KERNEL32 ref: 00007FF73166BE3A
CloseHandle.KERNEL32 ref: 00007FF73166BE47
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BE72
closesocket.WS2_32 ref: 00007FF73166BE8B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BE9F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$CriticalSection$_errno_strdupclosesocket$CloseDeleteEnterHandleInitializeLeavecallocmallocsocket
String ID:
API String ID: 259767416-0
Opcode ID: 3ff14ab7fd73e1196f0c363a5ae2acba01a7f4db7ebc729dc49ae69849a598b5
Instruction ID: c6164abe7f7a8e6aa689e668c8f1b3c846a9f3c0a49725c9774f5e4f6578f642
Opcode Fuzzy Hash: 3ff14ab7fd73e1196f0c363a5ae2acba01a7f4db7ebc729dc49ae69849a598b5
Instruction Fuzzy Hash: BC815C22E09B91D2E724EF61E850269B371FB99B54F405239CB9E027A2DFB8F4D4D310

Function 00007FF731673260 Relevance: 28.6, APIs: 6, Strings: 10, Instructions: 557COMMON

Download Yara Rule

Strings

proxy, xrefs: 00007FF731673922
anonymous, xrefs: 00007FF731673418
NTLM picked AND auth done set, clear picked!, xrefs: 00007FF731673AB2
No connections available., xrefs: 00007FF731673A01
No connections available in cache, xrefs: 00007FF731673C5B
No more connections allowed to host %s: %zu, xrefs: 00007FF7316739F2
ftp@example.com, xrefs: 00007FF73167341F
Re-using existing connection! (#%ld) with %s %s, xrefs: 00007FF731673943
host, xrefs: 00007FF731673930
NTLM-proxy picked AND auth done set, clear picked!, xrefs: 00007FF731673AE0

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID: NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!$No connections available in cache$No connections available.$No more connections allowed to host %s: %zu$Re-using existing connection! (#%ld) with %s %s$anonymous$ftp@example.com$host$proxy
API String ID: 0-760484938
Opcode ID: 5cb594704e5a14a3a99ff94c5cd79eddc6f9554907c6ec994f531ed743c6ce03
Instruction ID: 956f7e663496a88187aebfd04eeff803d89ed29cbb0248fd882416d86e28cc70
Opcode Fuzzy Hash: 5cb594704e5a14a3a99ff94c5cd79eddc6f9554907c6ec994f531ed743c6ce03
Instruction Fuzzy Hash: 3342D262E09BD2E1EB59EB6595503B8E3A2FB85B84F884135CE5D47385DFBCE060D320

Function 00007FF7316721F0 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316624A1,?,?,?,?,00007FF7316535D1), ref: 00007FF731672208
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731672251

Strings

<, xrefs: 00007FF731672498
v, xrefs: 00007FF7316724FF
<, xrefs: 00007FF73167248E
`, xrefs: 00007FF7316724EA
<, xrefs: 00007FF731672367

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: callocfree
String ID: <$<$<$`$v
API String ID: 306872129-2056843887
Opcode ID: 96fc72d4107bc01bf252997c18d8b870d50ec99ce162ed03cf5650f0768a792d
Instruction ID: 1722787ff7730c73ddcc71bb7cd3064199015d6d1442dc41a43343bb1f2db81e
Opcode Fuzzy Hash: 96fc72d4107bc01bf252997c18d8b870d50ec99ce162ed03cf5650f0768a792d
Instruction Fuzzy Hash: 7F913872908BC1C6E310DF34D4043E877A1FB99B5CF485239DE991A39ADFBAA095D720

Function 00007FF731678FA0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,?,00007FF7316A2DFA,?,?,?,?,00007FF73167932B), ref: 00007FF731678FB4
GetProcAddress.KERNEL32(?,?,00007FF7316A2DFA,?,?,?,?,00007FF73167932B), ref: 00007FF731678FD9
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00007FF7316A2DFA,?,?,?,?,00007FF73167932B), ref: 00007FF731678FEC

Strings

AddDllDirectory, xrefs: 00007FF731679033
kernel32, xrefs: 00007FF731678FAD
LoadLibraryExA, xrefs: 00007FF731678FCA

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 27745253-3327535076
Opcode ID: ed8c58319feda3e2ef0bf4467202deb353ecfa3ac03bdd26cde5824d9b1eb468
Instruction ID: 18ccd383b23ebed198eb9eced6751f4662b7bdec0bab2d976e62cae40598d08e
Opcode Fuzzy Hash: ed8c58319feda3e2ef0bf4467202deb353ecfa3ac03bdd26cde5824d9b1eb468
Instruction Fuzzy Hash: BA41B716F09662E5FB15AF96A410139A7E2EF46BE1F888134CE1D03790DE7DE486D720

Function 00007FF731677C40 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 161
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getpeername.WS2_32 ref: 00007FF731677CAC
WSAGetLastError.WS2_32 ref: 00007FF731677CB6

Part of subcall function 00007FF731662E40: GetLastError.KERNEL32 ref: 00007FF731662E62
Part of subcall function 00007FF731662E40: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662E6A

getsockname.WS2_32 ref: 00007FF731677D36
WSAGetLastError.WS2_32 ref: 00007FF731677D40

Strings

ssrem inet_ntop() failed with errno %d: %s, xrefs: 00007FF731677DC6
getsockname() failed with errno %d: %s, xrefs: 00007FF731677D60
getpeername() failed with errno %d: %s, xrefs: 00007FF731677CD6
ssloc inet_ntop() failed with errno %d: %s, xrefs: 00007FF731677E5C

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast$_errnogetpeernamegetsockname
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 2911674258-670633250
Opcode ID: 1d68d23901f2bc99712f764ecee20f1df52790d8a263a8a7c26a230ac7d5d946
Instruction ID: 86debbe0a237b7115ab3b8c697766980139d7b3cea07660b222537f9639b8ff8
Opcode Fuzzy Hash: 1d68d23901f2bc99712f764ecee20f1df52790d8a263a8a7c26a230ac7d5d946
Instruction Fuzzy Hash: 7A91BB32E08AD1D2E710DF65C5542E9B3A1FB8CB88F849236DE4C47616EF78E185CB20

Function 00007FF731689010 Relevance: 19.6, APIs: 13, Instructions: 128
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 00007FF731689032
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF73168909E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF7316890D8
memcpy.VCRUNTIME140(?,?,?,00007FF73166BB35), ref: 00007FF7316890F1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF7316890FF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF73168913A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF731689143
freeaddrinfo.WS2_32(?,?,?,00007FF73166BB35), ref: 00007FF731689171
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF731689185
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF73168918F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF73168919C
WSASetLastError.WS2_32(?,?,?,00007FF73166BB35), ref: 00007FF7316891BD

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc$ErrorLast_strdupfreeaddrinfogetaddrinfomemcpy
String ID:
API String ID: 2364279375-0
Opcode ID: 1fb9b7d07c9e8a83ca4e6813051c7f37d9c67e9dd09fc361b0a1b938884a6115
Instruction ID: a374fcaeb4052ce630f88dd9597aeba245794260d9a1e60943c36512666d7e59
Opcode Fuzzy Hash: 1fb9b7d07c9e8a83ca4e6813051c7f37d9c67e9dd09fc361b0a1b938884a6115
Instruction Fuzzy Hash: BD514C36E09B51D2EB65AF92A554139F7A2FB88B95F844039CE8E13B50CF7CE444E720

Function 00007FF731674ED0 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 280
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF731675EB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF731675EC4
Part of subcall function 00007FF731675EB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF731675EDA
Part of subcall function 00007FF731675EB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF731675EEE
Part of subcall function 00007FF731675EB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF731675F02
Part of subcall function 00007FF731675EB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF731675F16
Part of subcall function 00007FF731675EB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF731675F2A
Part of subcall function 00007FF731675EB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF731675F3E
Part of subcall function 00007FF731675EB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF731675F52

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674F52

Part of subcall function 00007FF73169EE80: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EE95
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EEAF
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EECA
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EEE6
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EF02
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EF1A
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EF32
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EF4A
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EF62
Part of subcall function 00007FF73169EE80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EF7A
Part of subcall function 00007FF73169EE80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF731674EF5,?,?,?,?,?,00007FF7316732FC), ref: 00007FF73169EF94

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731675156
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731675199
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7316752DE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167535B

Strings

Protocol "%s" not supported or disabled in libcurl, xrefs: 00007FF73167509F
file, xrefs: 00007FF731675243, 00007FF7316752BC
%s://%s, xrefs: 00007FF731674F5F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup$free$callocstrtoul
String ID: %s://%s$Protocol "%s" not supported or disabled in libcurl$file
API String ID: 954404409-4150109901
Opcode ID: 0ac8339ab56343dfb0608ee691da3d5eeb1b2d07e07abf4930b7335b89ee0e18
Instruction ID: e758cff7dcef0a73f71b18c75cdc09be7e854ce75983ef3862807c5f46dda430
Opcode Fuzzy Hash: 0ac8339ab56343dfb0608ee691da3d5eeb1b2d07e07abf4930b7335b89ee0e18
Instruction Fuzzy Hash: 66C1E432F08A92E2FB69ABA5D9547F9A392FB84345F844471CB0D47685DFBCE410E360

Function 00007FF731686920 Relevance: 16.7, APIs: 11, Instructions: 241sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF73168697D
Sleep.KERNEL32 ref: 00007FF73168698E
WSASetLastError.WS2_32 ref: 00007FF731686AF8
Sleep.KERNEL32 ref: 00007FF731686B09
__WSAFDIsSet.WS2_32 ref: 00007FF731686BBC
__WSAFDIsSet.WS2_32 ref: 00007FF731686BD3
__WSAFDIsSet.WS2_32 ref: 00007FF731686BEE
__WSAFDIsSet.WS2_32 ref: 00007FF731686C02
__WSAFDIsSet.WS2_32 ref: 00007FF731686C1D
__WSAFDIsSet.WS2_32 ref: 00007FF731686C31

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 7e3a5c8391cbd2fe5a66151918e3f45155f736d235638181fdd996934fd2847e
Instruction ID: c08e85e15a8d7e44b9b121f0a2ce7049ff48190d2eaf3fb9aa12304078add93d
Opcode Fuzzy Hash: 7e3a5c8391cbd2fe5a66151918e3f45155f736d235638181fdd996934fd2847e
Instruction Fuzzy Hash: 9691FC31F0C6A6E6EB64AE9599502B9E397FB44758F904134DD1E86FC4DFBCE900A210

Function 00007FF731675830 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167587F

Strings

Couldn't resolve host '%s', xrefs: 00007FF7316759B1
Unix socket path too long: '%s', xrefs: 00007FF7316758D6
Couldn't resolve proxy '%s', xrefs: 00007FF731675A5C

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: calloc
String ID: Couldn't resolve host '%s'$Couldn't resolve proxy '%s'$Unix socket path too long: '%s'
API String ID: 2635317215-3812100122
Opcode ID: eff8b956742bb68419ca025f1cdfc5da50cfc823b85c2868b4250ee5da627a45
Instruction ID: 39e9250858bfa058a9040e57293f6dc054dc7a56be4229e337b9dbd845220c68
Opcode Fuzzy Hash: eff8b956742bb68419ca025f1cdfc5da50cfc823b85c2868b4250ee5da627a45
Instruction Fuzzy Hash: 1A51E422F0CBA2E6F75AABA594A0379A792FB44780F940075DF5D43390DF7CE451A720

Function 00007FF731652880 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 121processCOMMON

Download Yara Rule

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316528E7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652957
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316529B7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652A07
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652A57
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652AC8

Strings

h%49, xrefs: 00007FF731652A9E
.8, xrefs: 00007FF731652AA5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: system
String ID: .8$h%49
API String ID: 3377271179-4206735779
Opcode ID: 23d25a257ec8e6a06825ac2238ab2d79f1aaa4dbc3fa61955fb06a3204d1439f
Instruction ID: 320db0828e208702339eec594c83345976692fcc3cc5da8b286588c781630d28
Opcode Fuzzy Hash: 23d25a257ec8e6a06825ac2238ab2d79f1aaa4dbc3fa61955fb06a3204d1439f
Instruction Fuzzy Hash: DB617D26E18BE6D9F301DBB8E8051BCB772BB8D708F805338CEC925A15EFA81148D754

Function 00007FF7316B021C Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7316B0245
__scrt_release_startup_lock.LIBCMT ref: 00007FF7316B02B3
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316B0301
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316B0306
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316B030E
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316B0316
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316B0338
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316B0392

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: 53dfa699f0e776e93b8434ed3c0ad4270c14bc29c46198c7798260165ce92bd4
Instruction ID: aa4525f22ce8e49489e5076c05bf0f4bc360cbe810e31dc674bef3abe38d4c01
Opcode Fuzzy Hash: 53dfa699f0e776e93b8434ed3c0ad4270c14bc29c46198c7798260165ce92bd4
Instruction Fuzzy Hash: A8316121E0DA23E2FB10FBE294553BA97A3AF44784FC48035E54E472D3DEADA444E271

Function 00007FF73166BAE0 Relevance: 12.1, APIs: 8, Instructions: 67networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731689010: getaddrinfo.WS2_32 ref: 00007FF731689032
Part of subcall function 00007FF731689010: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF73168909E
Part of subcall function 00007FF731689010: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF7316890D8
Part of subcall function 00007FF731689010: memcpy.VCRUNTIME140(?,?,?,00007FF73166BB35), ref: 00007FF7316890F1
Part of subcall function 00007FF731689010: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF7316890FF
Part of subcall function 00007FF731689010: freeaddrinfo.WS2_32(?,?,?,00007FF73166BB35), ref: 00007FF731689171
Part of subcall function 00007FF731689010: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF731689185
Part of subcall function 00007FF731689010: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF73168918F
Part of subcall function 00007FF731689010: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BB35), ref: 00007FF73168919C

WSAGetLastError.WS2_32 ref: 00007FF73166BB3B
WSAGetLastError.WS2_32 ref: 00007FF73166BB45
EnterCriticalSection.KERNEL32 ref: 00007FF73166BB60
LeaveCriticalSection.KERNEL32 ref: 00007FF73166BB6F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166BB80
send.WS2_32 ref: 00007FF73166BBA3
WSAGetLastError.WS2_32 ref: 00007FF73166BBAD
LeaveCriticalSection.KERNEL32 ref: 00007FF73166BBC0

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$CriticalErrorLastSection$Leavemalloc$Enter_strdupfreeaddrinfogetaddrinfomemcpysend
String ID:
API String ID: 506363382-0
Opcode ID: 2cc453d08f745c6a3c59f832767adf90c4defb3494f8eef72683afc19a1c4f9f
Instruction ID: 26dbd0ac452b9ad0c1f5d0004227c25ac26a2f6a5de01f20d3d58b9a17a4a9a6
Opcode Fuzzy Hash: 2cc453d08f745c6a3c59f832767adf90c4defb3494f8eef72683afc19a1c4f9f
Instruction Fuzzy Hash: 9B318432F08652D2EB50EF65E450269B3A1FB88B98F804135D65F83698DFBCE445D760

Function 00007FF731686580 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF7316865E6
WSASetLastError.WS2_32 ref: 00007FF7316867A6
Sleep.KERNEL32 ref: 00007FF7316867B6
__WSAFDIsSet.WS2_32 ref: 00007FF7316868CA
__WSAFDIsSet.WS2_32 ref: 00007FF7316868E2
Sleep.KERNEL32 ref: 00007FF73168690D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 8a5b4f1b789db9ccb89845b8f97dcc9209c77af34dde97e523798634a5c91cdc
Instruction ID: e80fe13217d1277031bf236eee7a5968298ae26d0991d920735e86f9eca6a2c5
Opcode Fuzzy Hash: 8a5b4f1b789db9ccb89845b8f97dcc9209c77af34dde97e523798634a5c91cdc
Instruction Fuzzy Hash: 2BA14A71E286BAD2EB696F559400379A396FF44B54F904234EE1E46FC4EFBDD4009360

Function 00007FF7316897F0 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731689A1A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731689A5F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731689A87
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731689AC9

Strings

schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 00007FF7316899E3
schannel: ApplyControlToken failure: %s, xrefs: 00007FF7316898F8
schannel: shutting down SSL/TLS connection with %s port %hu, xrefs: 00007FF73168986E

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
API String ID: 1294909896-116363806
Opcode ID: 7efc566423fa0d197834d59ee1389c6d4582752e74dfab533cafd7e8b38643b5
Instruction ID: c6027884496752a28cab7fafe5f7be499fb4b633f3f02ed6ffac5180bff3278b
Opcode Fuzzy Hash: 7efc566423fa0d197834d59ee1389c6d4582752e74dfab533cafd7e8b38643b5
Instruction Fuzzy Hash: 34916832A08F91D6EB109F66D8806ADB7B5FB88B88F840135CE8D47B64DF78D445DB20

Function 00007FF73168C5D0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168C66E
memcpy.VCRUNTIME140 ref: 00007FF73168C706
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168C83C

Strings

select/poll on SSL socket, errno: %d, xrefs: 00007FF73168C7E4
schannel: timed out sending data (bytes sent: %zd), xrefs: 00007FF73168C804

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemallocmemcpy
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 3056473165-3891197721
Opcode ID: 5e927313b045fb50520b99f68cdb8cb6e07c988077a1b5e64f35ee76836d8337
Instruction ID: 2533103f0d440f28e501f616e51135bb2bc76f9fd6c4059d28d7690ec1a0cf3a
Opcode Fuzzy Hash: 5e927313b045fb50520b99f68cdb8cb6e07c988077a1b5e64f35ee76836d8337
Instruction Fuzzy Hash: C3718972F08B11DAEB10DBA5D4506AD77A6FB48BA8F804235DE2D47BC4EE78E406D350

Function 00007FF731667640 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166768E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316676A5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316677D2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316677FE

Strings

Connection #%ld to host %s left intact, xrefs: 00007FF7316678BB
%s, xrefs: 00007FF731667907

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %s$Connection #%ld to host %s left intact
API String ID: 1294909896-118628944
Opcode ID: 7bbbfc9fc39b892fe47f4d760995b619898a2bed64aad6e52c5ec38839e87b67
Instruction ID: 0ad82a9e9cd20a79e6c9dbae92f2ebe31a0993d3fa29bbeada8ee01d5c938a41
Opcode Fuzzy Hash: 7bbbfc9fc39b892fe47f4d760995b619898a2bed64aad6e52c5ec38839e87b67
Instruction Fuzzy Hash: 49918431F086A1E2EB58BB6595403BDA3E6FB44B84F844435CE4E07255CFBCE860E760

Function 00007FF731671AD0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731671AFB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731671B11

Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF73167192D
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF73167194A
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF73167195E
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF73167197A
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671997
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF7316719BA
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF7316719CE
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF7316719E2
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A08
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A1C
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A30
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A7F
Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A8C

Part of subcall function 00007FF7316718B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671AB5

memset.VCRUNTIME140 ref: 00007FF731671B45

Strings

Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF731671D21
User-Agent: %s, xrefs: 00007FF731671BDF

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$memset
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 2717317152-3248832348
Opcode ID: 0b5af3561c7f0beabbbfc97a2aecd37f8a35a6766f80842a6e57c91dfd642cc5
Instruction ID: 35cf9546ec3c083005725cff2efaa794d68afbbbdc5397dcbfd1c1c2bc0b8e93
Opcode Fuzzy Hash: 0b5af3561c7f0beabbbfc97a2aecd37f8a35a6766f80842a6e57c91dfd642cc5
Instruction Fuzzy Hash: 2A71AF62D0CAD2D1E751EFB590103BDA762EB81B94F984136DE9D0B285DFBCE480E720

Function 00007FF731682050 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316820E8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316820F1
memcpy.VCRUNTIME140 ref: 00007FF73168210C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168226C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731682275

Strings

1.1, xrefs: 00007FF73168205F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$memcpy
String ID: 1.1
API String ID: 4107583993-2150719395
Opcode ID: 9c93a6a937aa17bde0d74d21f4712d5c5711554ab9829be0d6950b6c6c408ace
Instruction ID: d591dcffd1408d24fd3a5a26b8e8898ec4ab64ef3487e81e1da537ea3d641917
Opcode Fuzzy Hash: 9c93a6a937aa17bde0d74d21f4712d5c5711554ab9829be0d6950b6c6c408ace
Instruction Fuzzy Hash: 33518072A08B91D6EB649F62E5503AAB3A1FB48B84F848035CF9E47B54CF7CE055E310

Function 00007FF731676810 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316768D6
recv.WS2_32 ref: 00007FF731676900
send.WS2_32 ref: 00007FF731676923
WSAGetLastError.WS2_32 ref: 00007FF731676935

Strings

Send failure: %s, xrefs: 00007FF731676965

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLastmallocrecvsend
String ID: Send failure: %s
API String ID: 25851408-857917747
Opcode ID: 673c8457288706f5a134c36b68c9957e0830b558a30659419899d547b49b0c3d
Instruction ID: 82857cd095dbd0c4941f94a1ae9b9aae119fb3577184c3a9bd2e83a536ecc797
Opcode Fuzzy Hash: 673c8457288706f5a134c36b68c9957e0830b558a30659419899d547b49b0c3d
Instruction Fuzzy Hash: 6441F072B05B92D5EB64EF65E8007B9A396BB08BA8F944235CE6D07380DF7CE440D310

Function 00007FF731668738 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731668888
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316688CF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316688FA

Part of subcall function 00007FF731667640: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166768E
Part of subcall function 00007FF731667640: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316676A5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166892F

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF731667C76

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Resolving timed out after %I64d milliseconds
API String ID: 1294909896-3343404259
Opcode ID: 09adf2ee5de9c113138e5bdaa025590f3709708e40e62865b75a7a1d270c404f
Instruction ID: 047bf403fcd17c1cd44afe69fcc94b3eece2787677d53c78f2de438c75d74900
Opcode Fuzzy Hash: 09adf2ee5de9c113138e5bdaa025590f3709708e40e62865b75a7a1d270c404f
Instruction Fuzzy Hash: 44D19361E08666E5FB24AFB990543BDA3B6EF40B88F846531CE0D17695DFB8E440E360

Function 00007FF731653590 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 157windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316528E7
Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652957
Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316529B7
Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652A07
Part of subcall function 00007FF731652880: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652A57

MessageBoxA.USER32 ref: 00007FF731653767

Part of subcall function 00007FF731654350: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF731654381

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316537CA

Strings

keyauth.win, xrefs: 00007FF7316536F3
null, xrefs: 00007FF7316535F2

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: system$Message_invalid_parameter_noinfo_noreturnmemcpy
String ID: keyauth.win$null
API String ID: 3545939226-2841560827
Opcode ID: 62b5113f44a3402a1324ae18612a13510356cfcaf61231a5455f64cb290a4ed1
Instruction ID: e96c0856f6c3c0c708c6a0b93aaa0d6797303898898fff64d7f92d65d73e5e67
Opcode Fuzzy Hash: 62b5113f44a3402a1324ae18612a13510356cfcaf61231a5455f64cb290a4ed1
Instruction Fuzzy Hash: C051F462F187A1D5FB04EBB5D4243AC6332AB44B88F804035DE4D17B8ADFBC9182D3A1

Function 00007FF7316A2DC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731678FA0: GetModuleHandleA.KERNEL32(?,?,?,00007FF7316A2DFA,?,?,?,?,00007FF73167932B), ref: 00007FF731678FB4

GetProcAddressForCaller.KERNELBASE(?,?,?,?,00007FF73167932B), ref: 00007FF7316A2E10

Strings

secur32.dll, xrefs: 00007FF7316A2DE3
security.dll, xrefs: 00007FF7316A2DEA
InitSecurityInterfaceA, xrefs: 00007FF7316A2E06

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: AddressCallerHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2084706301-3788156360
Opcode ID: 5e3a6711635448fff0480283db2dd73f071ee0026d5417c64c4451555ff8fb5c
Instruction ID: 56cfca39743108e414259c9a90d77a521bb863e1c02af8a1703d8a5f93f57f9b
Opcode Fuzzy Hash: 5e3a6711635448fff0480283db2dd73f071ee0026d5417c64c4451555ff8fb5c
Instruction Fuzzy Hash: 14F08190E0A723E1FF48FB96A88177093D2AF58344FC45038C50D462A1EFBCA495E320

Function 00007FF73166826B Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF731667C76

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID: Resolving timed out after %I64d milliseconds
API String ID: 0-3343404259
Opcode ID: 7163487e0e08904306f2315dbf6caa09e5d06ad51b43a8eb750352c4f908bad4
Instruction ID: 00c13054303d58790830aee031882fa8eed56b0727f955a9e176da2b29b5898a
Opcode Fuzzy Hash: 7163487e0e08904306f2315dbf6caa09e5d06ad51b43a8eb750352c4f908bad4
Instruction Fuzzy Hash: 97B1B562E08762E5FB24AFB5905027DA3B6EF41B48F846435CE0E47295DFBDE440E360

Function 00007FF731681C10 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731681D10

Part of subcall function 00007FF7316822A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316822FA

Part of subcall function 00007FF731682050: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316820E8
Part of subcall function 00007FF731682050: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316820F1

Strings

TCP4, xrefs: 00007FF731681CAA
PROXY %s %s %s %li %li, xrefs: 00007FF731681CE4
TCP6, xrefs: 00007FF731681C97

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$calloc
String ID: PROXY %s %s %s %li %li$TCP4$TCP6
API String ID: 3095843317-1242256665
Opcode ID: 61a59c7a151553d47fe05b5f846b99ff14d6c5c000ef83b11831b5288ce8ad4a
Instruction ID: fb9208cb534d69ade2783ccfc5bec9d28db5502e4e98b294699b6ba49f6ddbe5
Opcode Fuzzy Hash: 61a59c7a151553d47fe05b5f846b99ff14d6c5c000ef83b11831b5288ce8ad4a
Instruction Fuzzy Hash: 8A41C832E0C692EAEB50FFA5A4103B9A7E3AB85384F944036DA8D47B85DE7CD404D720

Function 00007FF731666500 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00007FF731662536,?,?,?,?,00000000,?,00007FF73165374E), ref: 00007FF73166651D
closesocket.WS2_32 ref: 00007FF731666629
closesocket.WS2_32 ref: 00007FF731666636

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: closesocket$calloc
String ID:
API String ID: 2958813939-0
Opcode ID: 4da166a860aaa5a5f36b028cdd6123a8f8e5fb87d46c06d9e6026e5161d811a0
Instruction ID: 060e7540caf327eb2bbf8224317de4bda950954189e0e3c619d1a5ca6a9668dc
Opcode Fuzzy Hash: 4da166a860aaa5a5f36b028cdd6123a8f8e5fb87d46c06d9e6026e5161d811a0
Instruction Fuzzy Hash: 6D419331E08A61E1E700FFB4E4502E9A362EF88728FC84635DE5D862D6EFB8D545D320

Function 00007FF731660920 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,0000006E00000006,?,FFFFFFFF,00007FF7316511FC), ref: 00007FF731660958
memcpy.VCRUNTIME140(?,0000006E00000006,?,FFFFFFFF,00007FF7316511FC), ref: 00007FF7316609F9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731660A17

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID:
API String ID: 326894585-0
Opcode ID: b53f007d235b3f06568d166cbfc5e17c10bef2aa46fa8e4ff4674de9681ddfa7
Instruction ID: 117ad55327308f4def31d435001dbe74c68a505084ac27f7e5506c7554326d28
Opcode Fuzzy Hash: b53f007d235b3f06568d166cbfc5e17c10bef2aa46fa8e4ff4674de9681ddfa7
Instruction Fuzzy Hash: B131D862F09A66E1FB25BB91A51037C93669F04BA0F940730DE6D077C2DFBCA8929310

Function 00007FF73168A3C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

SSL/TLS connection timeout, xrefs: 00007FF73168A51C
select/poll on SSL/TLS socket, errno: %d, xrefs: 00007FF73168A503

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: 7e94522a85ffdfe09165299c90d504e75b726f9f70ae0ce343aad7af42f998ec
Instruction ID: 7f0f2e6cc30eb671b9ddfae6a4d536947580f8cae4ea0adcded73cbb98a84caf
Opcode Fuzzy Hash: 7e94522a85ffdfe09165299c90d504e75b726f9f70ae0ce343aad7af42f998ec
Instruction Fuzzy Hash: 4B51F831E08662E5EB50EBA59944279A392EF447A4F849231DE2D47BD1EF7CE041D331

Function 00007FF731666700 Relevance: 4.8, APIs: 3, Instructions: 309networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF731666AF6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731666B17

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freerecv
String ID:
API String ID: 2032557106-0
Opcode ID: 9fb7283d3b3fe2a32a5a4308ef32750d50e53da8e2d5037518f41ed1d519b0cc
Instruction ID: c9f4ee8a3537c41d322895f99712a111f5098e78e75a912bd9bfad4b9d3cfb17
Opcode Fuzzy Hash: 9fb7283d3b3fe2a32a5a4308ef32750d50e53da8e2d5037518f41ed1d519b0cc
Instruction Fuzzy Hash: 09C10972E086A2D6EB259B65E0403B9A7B2FB447A4F844235DEAE437C4DF7CE401D710

Function 00007FF7316727D0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731672835

Strings

Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF731672974
User-Agent: %s, xrefs: 00007FF731672846

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 1294909896-3248832348
Opcode ID: f606bcd2038c5ef08dcce9581c18184adf0bd88fa452844af4fc4b9c61b2a22f
Instruction ID: 5a95061c2569739a6e806c163f07fde557e91621869217b19bcabcab43c09f41
Opcode Fuzzy Hash: f606bcd2038c5ef08dcce9581c18184adf0bd88fa452844af4fc4b9c61b2a22f
Instruction Fuzzy Hash: A8519D22E08AD1D1E7419F65D0403EDA7A2EB85B98F8C4136DE8D0B39ADFBDD494D320

Function 00007FF731661DC0 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731661AD0: SleepEx.KERNELBASE ref: 00007FF731661C8F

SetConsoleTitleA.KERNEL32 ref: 00007FF731661E08
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731661E62

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ConsoleSleepTitle_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4275364305-0
Opcode ID: d93b49df8ad4e5ec2ae08ef71ace1e26886ffdca7d49e109a83afd150722af17
Instruction ID: 85050e2954b3a82cd470b9c6eb89a9dac2f15d6941cad3496432bf685a999198
Opcode Fuzzy Hash: d93b49df8ad4e5ec2ae08ef71ace1e26886ffdca7d49e109a83afd150722af17
Instruction Fuzzy Hash: 5111A361F08596E1EB20FB50E844329A372FF85794FC04235E6DD426D5DFACE040E710

Function 00007FF731676630 Relevance: 3.0, APIs: 2, Instructions: 23networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF73167663C
WSAGetLastError.WS2_32 ref: 00007FF73167664B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: cd326ec70821d1c6bd3ccd5998ab6033c7b5e388acd7fa64615cf810a5de8fbd
Instruction ID: 049cdd5ebef79c8a531a1312601dd64e6c9bde39626d76d52e45a0cf692cc254
Opcode Fuzzy Hash: cd326ec70821d1c6bd3ccd5998ab6033c7b5e388acd7fa64615cf810a5de8fbd
Instruction Fuzzy Hash: 0DE0DF22F0460982FF29A7B2A8643381296DB48731F848738CA3B863C0DEAC44D65760

Function 00007FF7316623B0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7316623D4
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7316623F5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 0899256543c42a584bb2c1203292e23dbc0e11d5bfc7daf5769558ae29ecc1bd
Instruction ID: 2c41bbd9e20a270d5b045ffd084f82dee71e6654a5cf893047e5a0592357b8d6
Opcode Fuzzy Hash: 0899256543c42a584bb2c1203292e23dbc0e11d5bfc7daf5769558ae29ecc1bd
Instruction Fuzzy Hash: 98E03072A08B81D2D710DB51F81445AF3A5FB987C4F808139EB8D47A24CF7CD1A5CB40

Function 00007FF731676F10 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF731676F53

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 28d1a3e97e11a378cd7bab388fd231acb8ccc8f46742947f7eb31e0aaede86b5
Instruction ID: 3af2b7e1813f0eeb2af7f5c8d1d19b2e45e356c3813ce9a8083695fbf58cb2db
Opcode Fuzzy Hash: 28d1a3e97e11a378cd7bab388fd231acb8ccc8f46742947f7eb31e0aaede86b5
Instruction Fuzzy Hash: 4401B932F05551D1FB44EB6AE19837DA3A2EF88B84F888031D70D4B296DFACD4A58351

Function 00007FF73167EA30 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF73167EA59

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: fcdf1e471a768b8d3800e6a5a8fac55e45bbbeaecbd2d52c19637331be9ebc89
Instruction ID: 4ac0c8a69c54021f6d9ce071a3349a833b37857e58af85701e938fdbd465fe31
Opcode Fuzzy Hash: fcdf1e471a768b8d3800e6a5a8fac55e45bbbeaecbd2d52c19637331be9ebc89
Instruction Fuzzy Hash: 2BE02B36E02111C1DF08B76584511B923527B41734FC44771C53D033C0CE2C926AAB10

Function 00007FF731689690 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316896AB

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: a2f10a116a4385fa7276dd3863204c228892657fe7e053c5a7e9772d6e2cbb02
Instruction ID: 9c1b60b3f0e1d6abd6795b2ba19057c31917fff443860a5e0310ed666a501d3d
Opcode Fuzzy Hash: a2f10a116a4385fa7276dd3863204c228892657fe7e053c5a7e9772d6e2cbb02
Instruction Fuzzy Hash: EED0C263B18A00839B10DFA2A840029E252B788770B888739AE7D827E0EB38D1414600

Function 00007FF7316855D0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF7316855E9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 590ac8b3d2ea95d7b222035a517254eae77e8f4ea7ddc23fbb583e43bf786d7b
Instruction ID: 9825a026126d947cceeec098ebd3d5919fd6e653fed2e89f0cc928292f9cf448
Opcode Fuzzy Hash: 590ac8b3d2ea95d7b222035a517254eae77e8f4ea7ddc23fbb583e43bf786d7b
Instruction Fuzzy Hash: E1C08056F15581C2C344AF625485087A7B2BBC4344FD56439D10742524DD3CD6E59B40

Non-executed Functions

Function 00007FF7316831D0 Relevance: 127.2, APIs: 25, Strings: 47, Instructions: 1229stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731684393

Part of subcall function 00007FF731676430: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676555
Part of subcall function 00007FF731676430: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676570

memchr.VCRUNTIME140 ref: 00007FF731684486
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168459E
strchr.VCRUNTIME140 ref: 00007FF7316845B2
strchr.VCRUNTIME140 ref: 00007FF7316845DA
strchr.VCRUNTIME140 ref: 00007FF7316845F0

Strings

HTTP error before end of send, stop sending, xrefs: 00007FF7316843DD
The requested URL returned error: %d, xrefs: 00007FF731684763
, xrefs: 00007FF731683572
Transfer-Encoding:, xrefs: 00007FF731683B1A
HTTP/%1d.%1d%c%3d, xrefs: 00007FF731683369
HTTP/1.0 connection set to keep alive!, xrefs: 00007FF731683B9B
Content-Length:, xrefs: 00007FF7316836DF
Received 101, xrefs: 00007FF73168466B
Got 417 while waiting for a 100, xrefs: 00007FF731684373
Set-Cookie:, xrefs: 00007FF731683D63
Location:, xrefs: 00007FF731683F9E
Retry-After:, xrefs: 00007FF731683C13
Content-Encoding:, xrefs: 00007FF731683BD1
Connection:, xrefs: 00007FF73168399B, 00007FF731683A50
, xrefs: 00007FF7316833BC
HTTP/1.0 proxy connection set to keep alive!, xrefs: 00007FF731683B5C
HTTP/%1[23] %d, xrefs: 00007FF731683394
HTTP error before end of send, keep sending, xrefs: 00007FF7316843B9
Proxy-authenticate:, xrefs: 00007FF731683E91
Overflow Content-Length: value!, xrefs: 00007FF73168376B
Negotiate: noauthpersist -> %d, header part: %s, xrefs: 00007FF731683F5C
Keep sending data to get tossed away!, xrefs: 00007FF73168442C
The requested URL returned error: %s, xrefs: 00007FF731684607
RTSP/, xrefs: 00007FF7316832C4
RTSP/%1d.%1d%c%3d, xrefs: 00007FF73168355D
Persistent-Auth, xrefs: 00007FF731683F02
Lying server, not serving HTTP/2, xrefs: 00007FF7316833EC
HTTP %3d, xrefs: 00007FF731683438
Unsupported HTTP version in response, xrefs: 00007FF731684571
Content-Range:, xrefs: 00007FF731683C9E
no chunk, no close, no size. Assume close to signal end, xrefs: 00007FF731684186
Last-Modified:, xrefs: 00007FF731683E07
HTTP/, xrefs: 00007FF7316834D9
Received HTTP/0.9 when not allowed, xrefs: 00007FF7316844FB
Connection closure while negotiating auth (HTTP 1.0?), xrefs: 00007FF7316841DC, 00007FF731684228
Maximum file size exceeded, xrefs: 00007FF73168462F
HTTP/1.1 proxy connection set close!, xrefs: 00007FF731683B7D
keep-alive, xrefs: 00007FF731683896, 00007FF731683A26
Proxy-Connection:, xrefs: 00007FF731683803, 00007FF7316838DC
Mark bundle as not supporting multiuse, xrefs: 00007FF73168340F
HTTP 1.0, assume close after body, xrefs: 00007FF731683637
false, xrefs: 00007FF731683F40
WWW-Authenticate:, xrefs: 00007FF731683E66
HTTP, xrefs: 00007FF73168458E
close, xrefs: 00007FF731683963, 00007FF731683AE3
Invalid Content-Length: value, xrefs: 00007FF731684648
Content-Type:, xrefs: 00007FF731683786

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$fwrite$_strdupmemchrstrncmp
String ID: $ $ HTTP %3d$ HTTP/%1[23] %d$ HTTP/%1d.%1d%c%3d$ RTSP/%1d.%1d%c%3d$Connection closure while negotiating auth (HTTP 1.0?)$Connection:$Content-Encoding:$Content-Length:$Content-Range:$Content-Type:$Got 417 while waiting for a 100$HTTP$HTTP 1.0, assume close after body$HTTP error before end of send, keep sending$HTTP error before end of send, stop sending$HTTP/$HTTP/1.0 connection set to keep alive!$HTTP/1.0 proxy connection set to keep alive!$HTTP/1.1 proxy connection set close!$Invalid Content-Length: value$Keep sending data to get tossed away!$Last-Modified:$Location:$Lying server, not serving HTTP/2$Mark bundle as not supporting multiuse$Maximum file size exceeded$Negotiate: noauthpersist -> %d, header part: %s$Overflow Content-Length: value!$Persistent-Auth$Proxy-Connection:$Proxy-authenticate:$RTSP/$Received 101$Received HTTP/0.9 when not allowed$Retry-After:$Set-Cookie:$The requested URL returned error: %d$The requested URL returned error: %s$Transfer-Encoding:$Unsupported HTTP version in response$WWW-Authenticate:$close$false$keep-alive$no chunk, no close, no size. Assume close to signal end
API String ID: 3939785054-690044944
Opcode ID: 02b158a5d06cb4d669ca7a5a0a1d934c2b7e1cd1307387fd3b949a54989a76ae
Instruction ID: 388de60c2811d1324a2b35d91913aa28c4195ba88cdddacb64f9b7a227992520
Opcode Fuzzy Hash: 02b158a5d06cb4d669ca7a5a0a1d934c2b7e1cd1307387fd3b949a54989a76ae
Instruction Fuzzy Hash: CCC28471E086A2E5FB50ABA594443F9A792EF41B88F884135CE4D0BBC5DFADE445E330

Function 00007FF7316692D0 Relevance: 105.7, APIs: 41, Strings: 19, Instructions: 745stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000000,?,00000000,?,?,00007FF73166AB27), ref: 00007FF731669340
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166935B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731669394
strchr.VCRUNTIME140 ref: 00007FF7316693A7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669527
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669548
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166956B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669578
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731669611
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166961A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731669632
strchr.VCRUNTIME140 ref: 00007FF73166981F
strchr.VCRUNTIME140 ref: 00007FF731669839
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166992C
strchr.VCRUNTIME140 ref: 00007FF731669958
strrchr.VCRUNTIME140 ref: 00007FF73166996A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166998B
memcpy.VCRUNTIME140 ref: 00007FF7316699A4
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669A18
strchr.VCRUNTIME140 ref: 00007FF731669A3B
strchr.VCRUNTIME140 ref: 00007FF731669A50

Strings

path, xrefs: 00007FF7316695FD
#HttpOnly_, xrefs: 00007FF731669A0E
skipped cookie with bad tailmatch domain: %s, xrefs: 00007FF73166973E
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 00007FF7316698AF
domain, xrefs: 00007FF731669651
Replaced, xrefs: 00007FF731669F41
FALSE, xrefs: 00007FF731669A8E, 00007FF731669C8B
__Host-, xrefs: 00007FF731669541
version, xrefs: 00007FF73166975B
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF731669F57
Added, xrefs: 00007FF731669F4D
expires, xrefs: 00007FF7316697B5
max-age, xrefs: 00007FF731669788
httponly, xrefs: 00007FF7316695D6
secure, xrefs: 00007FF73166959E
__Secure-, xrefs: 00007FF731669520
%4095[^;=] =%4095[^;], xrefs: 00007FF7316693E6
localhost, xrefs: 00007FF73166967F
TRUE, xrefs: 00007FF731669A87

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$_strdup$freestrncmp$_time64callocmallocmemcpystrrchr
String ID: #HttpOnly_$%4095[^;=] =%4095[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$domain$expires$httponly$localhost$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 2059720140-3844637060
Opcode ID: e3f99c3e3755d2d6c1980cd8f88d78ae643bc3364991d747844ef04f6e2ddb54
Instruction ID: b9b6ae8cd280b9f7fbfe205e1fa3d4935d3d5e8cc6d4c113e301a7444cd25466
Opcode Fuzzy Hash: e3f99c3e3755d2d6c1980cd8f88d78ae643bc3364991d747844ef04f6e2ddb54
Instruction Fuzzy Hash: 8A72A421E0CBA2E9FB60ABA5D4503B9E7B2EF45744F844535CE8E02695DFBCE445E320

Function 00007FF73169DB60 Relevance: 102.1, APIs: 45, Strings: 13, Instructions: 581COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731676430: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676555
Part of subcall function 00007FF731676430: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676570

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169DBEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169DC22
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169DC2C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169DC49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169DC5C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169DC65
#22.WLDAP32 ref: 00007FF73169DC76
#211.WLDAP32 ref: 00007FF73169DD10
#217.WLDAP32 ref: 00007FF73169DD2C
#211.WLDAP32 ref: 00007FF73169DD45
#211.WLDAP32 ref: 00007FF73169DD57
#60.WLDAP32 ref: 00007FF73169DD87
#211.WLDAP32 ref: 00007FF73169DEA2
#60.WLDAP32 ref: 00007FF73169DEC7
#22.WLDAP32 ref: 00007FF73169DF6A
#41.WLDAP32 ref: 00007FF73169E386
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169E3AE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169E3B8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169E3D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169E3EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169E3F4
#46.WLDAP32 ref: 00007FF73169E406

Strings

LDAP remote: %s, xrefs: 00007FF73169DFE7
LDAP local: LDAP Vendor = %s ; LDAP Version = %d, xrefs: 00007FF73169DB94
LDAP local: Cannot connect to %s:%ld, xrefs: 00007FF73169DDAB
LDAP local: %s, xrefs: 00007FF73169DC7C
DN: , xrefs: 00007FF73169E062
Microsoft Corporation., xrefs: 00007FF73169DB80
LDAP local: trying to establish %s connection, xrefs: 00007FF73169DCA9
LDAP local: bind via ldap_win_bind %s, xrefs: 00007FF73169DF74
LDAP local: %s, xrefs: 00007FF73169DBD7
There are more than %d entries, xrefs: 00007FF73169E396
cleartext, xrefs: 00007FF73169DC9F
;binary, xrefs: 00007FF73169E1F0
encrypted, xrefs: 00007FF73169DCBE

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$#211$fwrite$#217calloc
String ID: ;binary$DN: $LDAP local: %s$LDAP local: %s$LDAP local: Cannot connect to %s:%ld$LDAP local: LDAP Vendor = %s ; LDAP Version = %d$LDAP local: bind via ldap_win_bind %s$LDAP local: trying to establish %s connection$LDAP remote: %s$Microsoft Corporation.$There are more than %d entries$cleartext$encrypted
API String ID: 2742731861-78870445
Opcode ID: e05f186c5871f8e9a1cf914d91ab134c850205750ee5631c653f6314f1df2d2e
Instruction ID: 02dbfd16163e2367c2afb020deb22bf9efefdc0441e66015aed16f7c6dd6bd1c
Opcode Fuzzy Hash: e05f186c5871f8e9a1cf914d91ab134c850205750ee5631c653f6314f1df2d2e
Instruction Fuzzy Hash: 3942B371F09A62E6F714EBA2D8046BDA3A2FB48B88F804475CE0E57755DEBCE405E350

Function 00007FF73165959D Relevance: 78.0, APIs: 39, Strings: 5, Instructions: 975COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF731659F9D
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF731659FA4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A084
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165A0B2
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165A0C0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A0FB

Strings

array, xrefs: 00007FF73165A1BA
object separator, xrefs: 00007FF731659CA3, 00007FF73165A4DA
number overflow parsing ', xrefs: 00007FF731659FC0
object key, xrefs: 00007FF731659E2F, 00007FF73165A669
object, xrefs: 00007FF73165A349

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Xbad_function_call@std@@__std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: array$number overflow parsing '$object$object key$object separator
API String ID: 1664669839-85532522
Opcode ID: 6bad89433c570a47db82fdfe098d3b7112479f4ef1bdb9ba293033d34251bd8a
Instruction ID: 3ff48f3437f659b6b362c7e9ce2dd58069512597a1da45a8bdd855300db73cee
Opcode Fuzzy Hash: 6bad89433c570a47db82fdfe098d3b7112479f4ef1bdb9ba293033d34251bd8a
Instruction Fuzzy Hash: C0A207B2E18B96D2EF00EBA8D4503AD6362FB45794F805235DA5D03AD9DFBCE084E350

Function 00007FF73165AC3D Relevance: 74.4, APIs: 37, Strings: 5, Instructions: 925COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165B5D4
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165B602
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165B610
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165B64A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165B6A7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165B760
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165B78E
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165B79C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165B7D6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165B833

Part of subcall function 00007FF73165F1F0: memcmp.VCRUNTIME140 ref: 00007FF73165F27D
Part of subcall function 00007FF73165F1F0: memcmp.VCRUNTIME140 ref: 00007FF73165F301

Strings

array, xrefs: 00007FF73165BA49
object separator, xrefs: 00007FF73165B540, 00007FF73165BD69
number overflow parsing ', xrefs: 00007FF73165B84F
object key, xrefs: 00007FF73165B6CC, 00007FF73165BEF8
object, xrefs: 00007FF73165BBD8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcmp
String ID: array$number overflow parsing '$object$object key$object separator
API String ID: 969624648-85532522
Opcode ID: cc9bd05c10a0952d493baea29dc97bbe2041c0de7411cdd94aa303596c4bb6ca
Instruction ID: cc7a4d2e27027f312e4782c4a3e2edb70dc0b162e7ca994cf3e8587b81e30892
Opcode Fuzzy Hash: cc9bd05c10a0952d493baea29dc97bbe2041c0de7411cdd94aa303596c4bb6ca
Instruction Fuzzy Hash: 5A92F8B2E18B95D2EB10EBA9D4543AD6362FB453A4F804235DA5D07AD9DFBCE084E310

Function 00007FF7316A6410 Relevance: 72.3, APIs: 17, Strings: 24, Instructions: 549encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF7316A657F
GetLastError.KERNEL32 ref: 00007FF7316A6592
CertCreateCertificateChainEngine.CRYPT32 ref: 00007FF7316A6644
GetLastError.KERNEL32 ref: 00007FF7316A664E
CertGetCertificateChain.CRYPT32 ref: 00007FF7316A66DB
GetLastError.KERNEL32 ref: 00007FF7316A66E5
CertGetNameStringA.CRYPT32 ref: 00007FF7316A6853
CertFreeCertificateChainEngine.CRYPT32 ref: 00007FF7316A6CCB
CertCloseStore.CRYPT32 ref: 00007FF7316A6CE0
CertFreeCertificateChain.CRYPT32 ref: 00007FF7316A6CF0
CertFreeCertificateContext.CRYPT32 ref: 00007FF7316A6D00

Strings

schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 00007FF7316A6792
schannel: CertGetCertificateChain failed: %s, xrefs: 00007FF7316A66FF
schannel: Empty DNS name., xrefs: 00007FF7316A695A, 00007FF7316A6B08
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 00007FF7316A6C09
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 00007FF7316A6B93
schannel: failed to create certificate store: %s, xrefs: 00007FF7316A65AC
schannel: server certificate name verification failed, xrefs: 00007FF7316A6C3E
2.5.29.17, xrefs: 00007FF7316A68B3, 00007FF7316A68E4, 00007FF7316A6A4F, 00007FF7316A6A8B
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 00007FF7316A6C56
schannel: CertGetCertificateChain error mask: 0x%08x, xrefs: 00007FF7316A67BA
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 00007FF7316A674D
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF7316A6551
schannel: Null certificate info., xrefs: 00007FF7316A68A3, 00007FF7316A6A34
schannel: failed to create certificate chain engine: %s, xrefs: 00007FF7316A6668
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7316A6C7D
schannel: Null certificate context., xrefs: 00007FF7316A6868, 00007FF7316A6A17
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 00007FF7316A6765
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 00007FF7316A691E, 00007FF7316A6AC5
schannel: CertFindExtension() returned no extension., xrefs: 00007FF7316A68CB, 00007FF7316A6A67
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 00007FF7316A677C
schannel: CertGetNameString() returned no certificate name information, xrefs: 00007FF7316A699D
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 00007FF7316A67A9
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 00007FF7316A6BF9
schannel: Not enough memory to list all host names., xrefs: 00007FF7316A6B7C

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Cert$Certificate$Chain$ErrorFreeLast$EngineStore$CloseContextCreateNameOpenString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CertGetCertificateChain error mask: 0x%08x$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Failed to read remote certificate context: %s$schannel: Not enough memory to list all host names.$schannel: Null certificate context.$schannel: Null certificate info.$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: failed to create certificate chain engine: %s$schannel: failed to create certificate store: %s$schannel: server certificate name verification failed$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 561913010-2037819326
Opcode ID: 8fe9d2f109287e050480a03d61a4f1592479ca31c33be7afb087222c66a7d160
Instruction ID: ab64e370ff9913ba314b6a002281edf8c04bdb3eba332e78a707966063b018b7
Opcode Fuzzy Hash: 8fe9d2f109287e050480a03d61a4f1592479ca31c33be7afb087222c66a7d160
Instruction Fuzzy Hash: 8B429FB2E08A62E1FB10EB95D4402BDA7A2FB44B94F808135DE5E07794DFBCE544E760

Function 00007FF731695330 Relevance: 67.0, APIs: 25, Strings: 13, Instructions: 515networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731695411
getsockname.WS2_32 ref: 00007FF73169560A
WSAGetLastError.WS2_32 ref: 00007FF731695614
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731695B4B

Strings

bind(port=%hu) on non-local address failed: %s, xrefs: 00007FF7316957A4
,%d,%d, xrefs: 00007FF731695A29
Failure sending EPRT command: %s, xrefs: 00007FF731695AFF
Failure sending PORT command: %s, xrefs: 00007FF731695A7C
%s %s, xrefs: 00007FF731695A59
getsockname() failed: %s, xrefs: 00007FF73169562E, 00007FF73169583E
bind(port=%hu) failed: %s, xrefs: 00007FF731695875
bind() failed, we ran out of ports!, xrefs: 00007FF731695806
socket failure: %s, xrefs: 00007FF73169570F, 00007FF731695916
PORT, xrefs: 00007FF731695A52
EPRT, xrefs: 00007FF731695AC2
failed to resolve the address provided to PORT: %s, xrefs: 00007FF731695B39
%s |%d|%s|%hu|, xrefs: 00007FF731695AD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLastcallocfreegetsockname
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 2454324209-2383553807
Opcode ID: 31966fe653b7fed37960368b7c06c3862ad6e197602e1853e4edc5743cd8f9e5
Instruction ID: b1c119ea4dfe489d40d53c303e759876a8fad3b03c20529158c936e333f80d0f
Opcode Fuzzy Hash: 31966fe653b7fed37960368b7c06c3862ad6e197602e1853e4edc5743cd8f9e5
Instruction Fuzzy Hash: 3D22E861F0C7A2E2EB50ABA1D4602BDA7A3FB45784FC04036DA4E47685DFBCE505E720

Function 00007FF73166FA20 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 254stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166FA86
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166FAAD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166FB08

Strings

;sha256//, xrefs: 00007FF73166FB80
sha256//, xrefs: 00007FF73166FA7C, 00007FF73166FBCE
-----END PUBLIC KEY-----, xrefs: 00007FF73166FD0E
public key hash: sha256//%s, xrefs: 00007FF73166FB1E
-----BEGIN PUBLIC KEY-----, xrefs: 00007FF73166FCDA

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemallocstrncmp
String ID: public key hash: sha256//%s$-----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$;sha256//$sha256//
API String ID: 1436789207-471711153
Opcode ID: 741c414627603e13976b1654e94c46e7877726b99649eee4496777f13a4975bb
Instruction ID: aa484cfa2eb0520de3e9b950695d10b9af046eca08499c661db4b6e5d7792f8d
Opcode Fuzzy Hash: 741c414627603e13976b1654e94c46e7877726b99649eee4496777f13a4975bb
Instruction Fuzzy Hash: ACA1AF22F09B62E1FB50AFA294202B9E7A6AF55BC4F844475DD5E07794DFBCE401E320

Function 00007FF731673C70 Relevance: 51.2, APIs: 21, Strings: 8, Instructions: 401stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF731673CCA
memset.VCRUNTIME140 ref: 00007FF731673CDF
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731673CFB
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731673D22
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731673D99
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731673DCC
strchr.VCRUNTIME140 ref: 00007FF731673EB6
strchr.VCRUNTIME140 ref: 00007FF731673EFB
strchr.VCRUNTIME140 ref: 00007FF731673F2B
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731673FD3

Part of subcall function 00007FF73168C880: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF731670DF9,?,?,?,?,00007FF73167019B), ref: 00007FF73168C8A8
Part of subcall function 00007FF73168C880: GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF731670DF9,?,?,?,?,00007FF73167019B), ref: 00007FF73168C8CE
Part of subcall function 00007FF73168C880: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF731670DF9,?,?,?,?,00007FF73167019B), ref: 00007FF73168C8EF
Part of subcall function 00007FF73168C880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF731670DF9,?,?,?,?,00007FF73167019B), ref: 00007FF73168C900

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316740A6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316740D5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316740FB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674127
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674135
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674147
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316742EA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316742F3

Strings

Uses proxy env variable %s == '%s', xrefs: 00007FF731673E2C, 00007FF73167408A
_proxy, xrefs: 00007FF731673FE9
memory shortage, xrefs: 00007FF731673DA7
NO_PROXY, xrefs: 00007FF731673E0D
ALL_PROXY, xrefs: 00007FF731674070
http_proxy, xrefs: 00007FF73167401D
all_proxy, xrefs: 00007FF731674059
no_proxy, xrefs: 00007FF731673DF1

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$strchr$_strdupmemsetreallocstrncpy$EnvironmentVariabletolower
String ID: ALL_PROXY$NO_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy$memory shortage$no_proxy
API String ID: 1339443121-1021110354
Opcode ID: 177f44d6cc9a43f31137bfcb0f99dfd393f9e62ec467c212a4ed2979e01c71b4
Instruction ID: 042991bdfac0703d132b528e28b99ebc956945a2766990056df19ad332cd63ea
Opcode Fuzzy Hash: 177f44d6cc9a43f31137bfcb0f99dfd393f9e62ec467c212a4ed2979e01c71b4
Instruction Fuzzy Hash: B102B821E0D7A2E6EB51EB91A4583B9E796EF85784F884035DE8D07785DFBCE404E320

Function 00007FF73168A93C Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203stringfileCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73168A9D8
strchr.VCRUNTIME140 ref: 00007FF73168AA04
strchr.VCRUNTIME140 ref: 00007FF73168AA3E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168AA62
strchr.VCRUNTIME140 ref: 00007FF73168AB72
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168AB8A
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73168ACB5
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73168ACE1

Strings

, xrefs: 00007FF73168A93C
CurrentUser, xrefs: 00007FF73168AA52
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF73168AE19

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$_strdupfopenfseekstrncmpstrtol
String ID: $CurrentUser$schannel: Failed to import cert file %s, password is bad
API String ID: 4221717217-4282655970
Opcode ID: 44284fa79ded30185dcaea1d40745ef51c0fc5c25a02b710c190dcfc99000fb8
Instruction ID: e666d243521fafdc325c627deab9302731c3c6033bbe84d9aada94bf4736bba3
Opcode Fuzzy Hash: 44284fa79ded30185dcaea1d40745ef51c0fc5c25a02b710c190dcfc99000fb8
Instruction Fuzzy Hash: 9C81D821F09662E1FB55EFA29850379A392BF45754F849034CE1E02BD0EFBCE440E320

Function 00007FF73165977B Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 509COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF731659FA4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A084
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165A0B2
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165A0C0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A0FB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A13A

Strings

array, xrefs: 00007FF73165A1BA
number overflow parsing ', xrefs: 00007FF731659FC0
object, xrefs: 00007FF73165A349

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$Xbad_function_call@std@@
String ID: array$number overflow parsing '$object
API String ID: 958247072-579821726
Opcode ID: cc42e23da44563c21996daa89caf7799f9ff30c9e3c015dcccd6dd62b989381a
Instruction ID: 5e2f0c8c4be8caf1cb30cecbfa1138025b50694cbebbd643ccaf85dd235d74ba
Opcode Fuzzy Hash: cc42e23da44563c21996daa89caf7799f9ff30c9e3c015dcccd6dd62b989381a
Instruction Fuzzy Hash: CD32E4B2E18B96D6EF10EBA8D4503ED6362FB44794F805235DA5D06AD9DFBCE080E350

Function 00007FF73168A945 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202stringfileCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73168A9D8
strchr.VCRUNTIME140 ref: 00007FF73168AA04
strchr.VCRUNTIME140 ref: 00007FF73168AA3E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168AA62
strchr.VCRUNTIME140 ref: 00007FF73168AB72
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168AB8A
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73168ACB5
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73168ACE1

Strings

CurrentUser, xrefs: 00007FF73168AA52
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF73168AE19

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$_strdupfopenfseekstrncmpstrtol
String ID: CurrentUser$schannel: Failed to import cert file %s, password is bad
API String ID: 4221717217-1887299029
Opcode ID: 46dca4af87e9991eea0c7ad5b1381903ad70e694a6c3f6e92a9794833b808ff3
Instruction ID: 7eb4cdbbdc1e682c11dbae50567203775ec80f0ae2b8ab9b37133a6cb36661bc
Opcode Fuzzy Hash: 46dca4af87e9991eea0c7ad5b1381903ad70e694a6c3f6e92a9794833b808ff3
Instruction Fuzzy Hash: FE81D821F09662E1FB55EFA29850379A792BF45794F849534CE1E42BD0EFBCE440E320

Function 00007FF731662650 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 134COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF731662678
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662680

Strings

%s (0x%08X), xrefs: 00007FF7316626D5
Unknown error, xrefs: 00007FF731662B70
CRYPT_E_REVOKED, xrefs: 00007FF731662AB2
SEC_I_CONTINUE_NEEDED, xrefs: 00007FF731662ADC
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 00007FF731662B89
No error, xrefs: 00007FF731662AD0
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_CONTINUE_NEEDED$Unknown error
API String ID: 3939687465-1752685260
Opcode ID: 08efb8bee4486beec1541706793736939f3f5dfdb77aa2eae10172abc41618e9
Instruction ID: ba778b64e6e1a37bb5bf7289749978df959ed2f25a36af56f6ae94a168bb40f1
Opcode Fuzzy Hash: 08efb8bee4486beec1541706793736939f3f5dfdb77aa2eae10172abc41618e9
Instruction Fuzzy Hash: B551B661E0C6A2E6E721EF91E4503BAB3A6FB48744FC04539CA4E42695DFBCE504E720

Function 00007FF731688600 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 422stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73168887E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731688886
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73168889C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316888A5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316888AD
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316888B7

Strings

%02d:%02d:%02d%n, xrefs: 00007FF731688829
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00007FF7316886BE
%02d:%02d%n, xrefs: 00007FF73168885D
GMT, xrefs: 00007FF731688777

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: 630c3f7c29af7cc51b7054100824388b0dc4b27b1364d234017239c35fcdbd3b
Instruction ID: 422cc1f5140bf8a95fa1e8ad9565b6155d38621bd7851485fe1dde2b696ca30d
Opcode Fuzzy Hash: 630c3f7c29af7cc51b7054100824388b0dc4b27b1364d234017239c35fcdbd3b
Instruction Fuzzy Hash: 4FF11672F18522DAEB24EBA884002BCB3BABB44758F905235DE1E57BD4DFBCA4159350

Function 00007FF731689C40 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF731689C80
CryptAcquireContextA.ADVAPI32(?,?,?,?,?,?,?,?,00007FF731689C09), ref: 00007FF731689C9F
CryptCreateHash.ADVAPI32(?,?,?,?,?,?,?,?,00007FF731689C09), ref: 00007FF731689CC9
CryptHashData.ADVAPI32(?,?,?,?,?,?,?,?,00007FF731689C09), ref: 00007FF731689CE1
CryptGetHashParam.ADVAPI32(?,?,?,?,?,?,?,?,00007FF731689C09), ref: 00007FF731689D06
CryptGetHashParam.ADVAPI32(?,?,?,?,?,?,?,?,00007FF731689C09), ref: 00007FF731689D32
CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,?,00007FF731689C09), ref: 00007FF731689D42
CryptReleaseContext.ADVAPI32(?,?,?,?,?,?,?,?,00007FF731689C09), ref: 00007FF731689D54

Strings

@, xrefs: 00007FF731689C95

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyReleasememset
String ID: @
API String ID: 2041421932-2766056989
Opcode ID: b19f146303758e271180fad454341801ecbff7d7b13df1b0d4adca5799cf73cb
Instruction ID: b2d25d8b91e28b341003b7079aa865d2943f94c34048487d8bdf378baf2d7cd6
Opcode Fuzzy Hash: b19f146303758e271180fad454341801ecbff7d7b13df1b0d4adca5799cf73cb
Instruction Fuzzy Hash: 6E31A332A08A91D6E760DF62E444A6AB7A2FBC8B80F848035EF4E53B14CF7CD445DB14

Function 00007FF7316AF870 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7316AF8B6
CryptCreateHash.ADVAPI32 ref: 00007FF7316AF8DA
CryptHashData.ADVAPI32 ref: 00007FF7316AF8F6
CryptGetHashParam.ADVAPI32 ref: 00007FF7316AF915
CryptGetHashParam.ADVAPI32 ref: 00007FF7316AF938
CryptDestroyHash.ADVAPI32 ref: 00007FF7316AF948
CryptReleaseContext.ADVAPI32 ref: 00007FF7316AF95A

Strings

@, xrefs: 00007FF7316AF88D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID: @
API String ID: 3606780921-2766056989
Opcode ID: 2faf0608d56b9c58672882d9ff8660f1ea1e60fa0df29c845616acc5bcf4b34a
Instruction ID: df23cd83ae59e4497b1f8212b001f574cdd892c5d2fca230d8322dea8d334336
Opcode Fuzzy Hash: 2faf0608d56b9c58672882d9ff8660f1ea1e60fa0df29c845616acc5bcf4b34a
Instruction Fuzzy Hash: BB217332A18691D6E760EF91E45066AF3A2FFC9B84F845135EA8E03A18CF3CE445DB50

Function 00007FF7316B06AC Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7316B06C8
memset.VCRUNTIME140 ref: 00007FF7316B06EC
RtlCaptureContext.KERNEL32 ref: 00007FF7316B06F5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7316B070F
RtlVirtualUnwind.KERNEL32 ref: 00007FF7316B0750
memset.VCRUNTIME140 ref: 00007FF7316B0783
IsDebuggerPresent.KERNEL32 ref: 00007FF7316B07A4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7316B07C1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7316B07CC

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 1a54c212ee74d5254ce934133b79b156ec1c6a6db0b5f5b7bb79e8dd12b40982
Instruction ID: 1968f7ddf6691e0e53d676ede1a2585812b75ad0c2d36290727bcee4ea6b7629
Opcode Fuzzy Hash: 1a54c212ee74d5254ce934133b79b156ec1c6a6db0b5f5b7bb79e8dd12b40982
Instruction Fuzzy Hash: B9313076A09A91DAEB60DFA1E8403E9B3A5FB88704F448039DB4E47B94DF78D548C710

Function 00007FF7316AD780 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7316AD7C7
CryptImportKey.ADVAPI32 ref: 00007FF7316AD899
CryptReleaseContext.ADVAPI32 ref: 00007FF7316AD8B1
CryptEncrypt.ADVAPI32 ref: 00007FF7316AD8E2
CryptDestroyKey.ADVAPI32 ref: 00007FF7316AD8EC
CryptReleaseContext.ADVAPI32 ref: 00007FF7316AD8F8

Strings

@, xrefs: 00007FF7316AD7AD

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID: @
API String ID: 3016261861-2766056989
Opcode ID: 6c2ab8d22f959655aa670125644ca85f2505b009f973729a6368826819c2f17d
Instruction ID: 6ad4219b91ffb36548ca955ef023f13b80e622f453d27c2463014010f4b47178
Opcode Fuzzy Hash: 6c2ab8d22f959655aa670125644ca85f2505b009f973729a6368826819c2f17d
Instruction Fuzzy Hash: BF41AD62A046A09EF710CBB6E4513EE7BB2EB4A348F444065DE9D13A4ACF3C911AE750

Function 00007FF7316B0A48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF7316518B0), ref: 00007FF7316B0A5E
GetLastError.KERNEL32 ref: 00007FF7316B0AA9
IsDebuggerPresent.KERNEL32 ref: 00007FF7316B0AC1
OutputDebugStringW.KERNEL32 ref: 00007FF7316B0AD2

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7316B0ACB

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: 24a53484bc0fd71449e03691ab0ee63bc227999d08d6eb9eaa3694953670cc44
Instruction ID: e56d06a88e5fdd9474e70730bbb21b5e518aa80597b35a5fa4023ee377a890bd
Opcode Fuzzy Hash: 24a53484bc0fd71449e03691ab0ee63bc227999d08d6eb9eaa3694953670cc44
Instruction Fuzzy Hash: 4B118232E18B52E7E744EB96D550379B3A6FF08345F808139CA4D82650EFBCE464D760

Function 00007FF731689B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF731689BA1
CryptGenRandom.ADVAPI32 ref: 00007FF731689BB5
CryptReleaseContext.ADVAPI32 ref: 00007FF731689BC6
CryptReleaseContext.ADVAPI32 ref: 00007FF731689BDC

Strings

@, xrefs: 00007FF731689B89

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireRandom
String ID: @
API String ID: 2916321625-2766056989
Opcode ID: d013a4cd2a7bfdb85827b6dcfbc84fd0b7fb8600f1af68ad5829e41dc60a1cf5
Instruction ID: 442569740511b3d7f256a0c105e6a0b85e035d86b93f211bb5ba0f0c7a325702
Opcode Fuzzy Hash: d013a4cd2a7bfdb85827b6dcfbc84fd0b7fb8600f1af68ad5829e41dc60a1cf5
Instruction Fuzzy Hash: CFF06261B08651D2E7109B52F844327E3A2EBCC7D4F844434DE8D46A68DEBCD485DB10

Function 00007FF73167A180 Relevance: 8.2, Strings: 6, Instructions: 693COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00007FF73167A69B, 00007FF73167A706
.%ld, xrefs: 00007FF73167A4E9
%ld, xrefs: 00007FF73167A490
(nil), xrefs: 00007FF73167A9E6
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FF73167A1C3, 00007FF73167A694, 00007FF73167A6FB
(nil), xrefs: 00007FF73167A964

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID: %ld$(nil)$(nil)$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-1379995092
Opcode ID: 0c1808b9c04dba6c0537016bc3371ffc92631462d09866dd86f1be3741a9d0a2
Instruction ID: 83883dd4ace0db967318c46c02ed6df8d65765d43f692032837c258c2ad1dcca
Opcode Fuzzy Hash: 0c1808b9c04dba6c0537016bc3371ffc92631462d09866dd86f1be3741a9d0a2
Instruction Fuzzy Hash: 3A423632D189A3D5E720AA58990037AE793FF40794FD86630DE5E476C4DFBEE841A720

Function 00007FF7316B08C4 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7316B08F0
GetCurrentThreadId.KERNEL32 ref: 00007FF7316B08FE
GetCurrentProcessId.KERNEL32 ref: 00007FF7316B090A
QueryPerformanceCounter.KERNEL32 ref: 00007FF7316B091A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 2d4f7db5757917a2a277bb3a7b4c4408b8485e3dabffe06df6407e9d8fc6ad37
Instruction ID: 9b07851c135a320b59215cbac9b9b4fc0517a826b0ac1193fe2ac81fe1a2ec18
Opcode Fuzzy Hash: 2d4f7db5757917a2a277bb3a7b4c4408b8485e3dabffe06df6407e9d8fc6ad37
Instruction Fuzzy Hash: DC114C26B14F11D9EB00EBA1E8442A873B4F758758F840E35DB6D867A4DFB8E154D390

Function 00007FF73168CB60 Relevance: 6.0, APIs: 4, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 00007FF73168CB90
CryptGetHashParam.ADVAPI32 ref: 00007FF73168CBB6
CryptDestroyHash.ADVAPI32 ref: 00007FF73168CBC5
CryptReleaseContext.ADVAPI32 ref: 00007FF73168CBD5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 4e60c33a2d61307284ef8c5db994e199559ff52cdd7cb4eb6751c0d29896966e
Instruction ID: aa772b27a1f438b464ca4079230f8a3528dc3a72701545e2fa4459c8c89f726e
Opcode Fuzzy Hash: 4e60c33a2d61307284ef8c5db994e199559ff52cdd7cb4eb6751c0d29896966e
Instruction Fuzzy Hash: 0E01D436A08A51D2EB10DF61E04436AF372FB88BC8F548435DB4D02A68CF7CD488DB50

Function 00007FF73168CB00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF73168CB1C
CryptCreateHash.ADVAPI32 ref: 00007FF73168CB3D

Strings

@, xrefs: 00007FF73168CB0C

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID: @
API String ID: 1914063823-2766056989
Opcode ID: dd62d4f9d256574e6267e05a13928312c03464707a5dda229d01d497ea16c598
Instruction ID: eb5de89618ecb5eacefb0b40365371f037ff26ea72253be9711b00628973e00e
Opcode Fuzzy Hash: dd62d4f9d256574e6267e05a13928312c03464707a5dda229d01d497ea16c598
Instruction Fuzzy Hash: 9DE0D861F18562C3F7309B65E401B16A392FB88748F888034CF4C06A14CF7CD145CB54

Function 00007FF731699440 Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF73169947B
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316994AF

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _getpidhtons
String ID:
API String ID: 3416910171-0
Opcode ID: 09a5b7d0a19d5a5080428c22b692b7231929b54e28db978406f224c4a795607f
Instruction ID: 2cb71a12ea2bee45ea3d1857c12386d2eaf0b7c394c5f06daa45a4338da0ee7c
Opcode Fuzzy Hash: 09a5b7d0a19d5a5080428c22b692b7231929b54e28db978406f224c4a795607f
Instruction Fuzzy Hash: 1E115A22A247D0DAD304CF76E4001AD77B0FB5CB84B44D62AFB8987B18EB78D690C744

Function 00007FF73165EC60 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF73165ED40

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: 4d64e340ef3a35a6a2b2a55b040ebe7d34003aab0ad24f2f85e2358cbc881d9c
Instruction ID: 7cdee86fe711930d6bb72ae3c7e1df53dac07191fbc7e366ab504ed4afa76f13
Opcode Fuzzy Hash: 4d64e340ef3a35a6a2b2a55b040ebe7d34003aab0ad24f2f85e2358cbc881d9c
Instruction Fuzzy Hash: C681ACA3B18BA9D9EF00DBA9D0943ACA7B2E745B48F984022CF8D07795DF79D040D364

Function 00007FF73165D340 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23195db887e80f4d2cea8d575e2b125909b75d07273f377a0876d07e28769e32
Instruction ID: 0879ccc65b74f6cb9d0b55cae3cc2090e86c25326dcc9d79bcf9a8ec00fb87e0
Opcode Fuzzy Hash: 23195db887e80f4d2cea8d575e2b125909b75d07273f377a0876d07e28769e32
Instruction Fuzzy Hash: C06127A2F1AB9492EB10DB69E8502B9A362E7597D4F908231DF5D477C9EF7CE041D300

Function 00007FF731661780 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ce16abf6dabfd6c05904dcfc4add426f37854a28f683b97e97ab74344d31e2
Instruction ID: fbe477916b6c33231869a857a75229df7d32f96f502d57348422e82122b8d485
Opcode Fuzzy Hash: c7ce16abf6dabfd6c05904dcfc4add426f37854a28f683b97e97ab74344d31e2
Instruction Fuzzy Hash: 8C416133B1555487E78CCE2AC8256AD73A2F3D9304F95C23DEA1AC7385DE399905CB40

Function 00007FF7316AF800 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction ID: 28ce4826a97dd9fd2936bf5fb4d741eebd07964e919590767be3b9dd5f6fbf8f
Opcode Fuzzy Hash: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction Fuzzy Hash: C5F08C65725B67BEFE40853B4624FBD5E519BC0700FA369748C80020CBCAAE5493D724

Function 00007FF73168CB50 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2531883bdb2675076cff1241557530729214863f5c933d0601999c3a7faa8fa8
Instruction ID: 59ce9bb87cc3754578f00cc3a6d1922d1bd964fcdd08c26072b27d4ca88f838e
Opcode Fuzzy Hash: 2531883bdb2675076cff1241557530729214863f5c933d0601999c3a7faa8fa8
Instruction Fuzzy Hash: B6A01122A0A80AC0A3208B02E2A0E20A3A2FB8CB883808020880E028208E28A002C300

Function 00007FF7316B0854 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8db9603258850444462101a3ae1cdcc35cbb873210dfaf0ec72ac43398cd4d
Instruction ID: 6041bee71ab35545a7fd10a993741568a71520419ed19561364980a5aad151b2
Opcode Fuzzy Hash: 9c8db9603258850444462101a3ae1cdcc35cbb873210dfaf0ec72ac43398cd4d
Instruction Fuzzy Hash: AEA00125D2CD26F0EB14EB82A950024A7B6BB54305B869035C20E410609EBCA600A2A0

Function 00007FF731675390 Relevance: 52.7, APIs: 34, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73167E0F0: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF73166616F), ref: 00007FF73167E107

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167551D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675531
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675545
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675559
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167556D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675581
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675595
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316755A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316755BD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316755D1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316755E5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316755F9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167560D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675621
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675635
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675649

Part of subcall function 00007FF73167F820: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167F85E

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167565D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675671
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675685
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675699
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316756AD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316756C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316756D5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316756E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316756FD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675711
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675725
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675739
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167574D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675761

Part of subcall function 00007FF7316731E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673168), ref: 00007FF7316731FB
Part of subcall function 00007FF7316731E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673168), ref: 00007FF731673229

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167578B

Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9A1
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9B1
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9BF
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9CD
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9DB
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9E9
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9F7
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166FA05

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316757B7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316757CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316757DB

Strings

Closing connection %ld, xrefs: 00007FF731675489

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$CounterPerformanceQuery
String ID: Closing connection %ld
API String ID: 3490100708-2599090834
Opcode ID: cdcbae72db95bf63457d18ded92aa631f3e30a14882dcc80f85a26a89bb00687
Instruction ID: 899f25d9daba6e094d0f58ddb3db71f1d683227e783c6a22e6348e5816b977fd
Opcode Fuzzy Hash: cdcbae72db95bf63457d18ded92aa631f3e30a14882dcc80f85a26a89bb00687
Instruction Fuzzy Hash: 27C14A76A08B91D2E750AF61E4502AC7336FB85F98F480235DEAD07659CF78D155E330

Function 00007FF7316977D0 Relevance: 49.9, APIs: 6, Strings: 27, Instructions: 385COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316978CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316979CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731697A41
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731697ABB

Strings

Referer: %s, xrefs: 00007FF731697A72
%s %s RTSP/1.0CSeq: %ld, xrefs: 00007FF731697B67
Content-Length, xrefs: 00007FF731697D0C
Range: %s, xrefs: 00007FF731697AC3
Transport, xrefs: 00007FF73169787E
Refusing to issue an RTSP SETUP without a Transport: header., xrefs: 00007FF731697905
Range, xrefs: 00007FF731697A97
Content-Type: application/sdp, xrefs: 00007FF731697D9D
CSeq, xrefs: 00007FF731697AEC
CSeq cannot be set as a custom header., xrefs: 00007FF731697B00
Referer, xrefs: 00007FF731697A57
Accept, xrefs: 00007FF731697928
Failed sending RTSP request, xrefs: 00007FF731697E31
Transport: %s, xrefs: 00007FF7316978DA
Refusing to issue an RTSP request [%s] without a session ID., xrefs: 00007FF731697853
Accept-Encoding: %s, xrefs: 00007FF731697979
Session ID cannot be set as a custom header., xrefs: 00007FF731697B2D
Content-Type: text/parameters, xrefs: 00007FF731697D67
Content-Length: %I64d, xrefs: 00007FF731697D27
User-Agent, xrefs: 00007FF7316979AE, 00007FF7316979DD
Accept-Encoding, xrefs: 00007FF731697944
Session, xrefs: 00007FF731697B19
Session: %s, xrefs: 00007FF731697B9D
OPTIONS, xrefs: 00007FF7316977D0
Accept: application/sdp, xrefs: 00007FF73169793A
%s%s%s%s%s%s%s%s, xrefs: 00007FF731697C26
Content-Type, xrefs: 00007FF731697D53, 00007FF731697D89

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %s %s RTSP/1.0CSeq: %ld$%s%s%s%s%s%s%s%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: application/sdp$CSeq$CSeq cannot be set as a custom header.$Content-Length$Content-Length: %I64d$Content-Type$Content-Type: application/sdp$Content-Type: text/parameters$Failed sending RTSP request$OPTIONS$Range$Range: %s$Referer$Referer: %s$Refusing to issue an RTSP SETUP without a Transport: header.$Refusing to issue an RTSP request [%s] without a session ID.$Session$Session ID cannot be set as a custom header.$Session: %s$Transport$Transport: %s$User-Agent
API String ID: 1294909896-2200874227
Opcode ID: 8e4fe92576e85a1649832a746bfe2ac2763d99e700bc8479731e5c23ff789ab4
Instruction ID: 84512bf23fcf663c71580ab2b42ee6d68714d977309e0dc91ca4105012ce7288
Opcode Fuzzy Hash: 8e4fe92576e85a1649832a746bfe2ac2763d99e700bc8479731e5c23ff789ab4
Instruction Fuzzy Hash: CF029021E097A2E2EB60FB91E8403BAA392EF44784F844035CE4D47795EFBCE545E760

Function 00007FF731691270 Relevance: 47.5, APIs: 18, Strings: 9, Instructions: 297stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316912CE
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731691302
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731691381
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169139B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316913AA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316913F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731691408

Strings

Mime-Version: 1.0, xrefs: 00007FF731691564
SIZE=, xrefs: 00007FF731691671
<%s>, xrefs: 00007FF731691389, 00007FF7316914CD
SMTPUTF8, xrefs: 00007FF73169165A
Mime-Version, xrefs: 00007FF731691549
%I64d, xrefs: 00007FF7316915BE
MAIL FROM:%s%s%s%s%s%s, xrefs: 00007FF73169169C
AUTH=, xrefs: 00007FF731691665
<%s@%s>, xrefs: 00007FF731691366, 00007FF7316914AA

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree$strpbrk
String ID: AUTH=$ SIZE=$ SMTPUTF8$%I64d$<%s>$<%s@%s>$MAIL FROM:%s%s%s%s%s%s$Mime-Version$Mime-Version: 1.0
API String ID: 2737852498-2994854565
Opcode ID: b3c887b8b654f7e6ab9bd426e25545138578bed1ec83a85998221e109ef5ae0e
Instruction ID: cb202631c0252628370ca5985d0369cd9fe05d9514b0cf9955d124c59d5e6f18
Opcode Fuzzy Hash: b3c887b8b654f7e6ab9bd426e25545138578bed1ec83a85998221e109ef5ae0e
Instruction Fuzzy Hash: 5AD1A021F09B72E2FB10EBA198102B9A3A2BF45B94F944575DD4E07781DFBCE505E320

Function 00007FF7316AE750 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AE836
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AE8DB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AE932
htonl.WS2_32 ref: 00007FF7316AE95F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AE971
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AE9A0
htonl.WS2_32 ref: 00007FF7316AE9B5
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AE9E2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEA69
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEA72
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEA7B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEAA1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEAB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEABB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEAC4
memcpy.VCRUNTIME140 ref: 00007FF7316AEADF
memcpy.VCRUNTIME140 ref: 00007FF7316AEAF3
memcpy.VCRUNTIME140 ref: 00007FF7316AEB09
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEB30
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEB39
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEB42
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEB4B

Strings

GSSAPI handshake failure (empty security message), xrefs: 00007FF7316AE8B7, 00007FF7316AEB58
GSSAPI handshake failure (invalid security layer), xrefs: 00007FF7316AE946
GSSAPI handshake failure (invalid security data), xrefs: 00007FF7316AE8C7

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc$memcpy$htonl
String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
API String ID: 82385936-242323837
Opcode ID: b5ce5a9e2a0b33df0e939376c1fe06cecc69fbaa3637c0c0980714c72d35468e
Instruction ID: 4422a3e4381acd214d573bf222b9b8e63e0ec1ec35a22d4e5432f84236fa56f1
Opcode Fuzzy Hash: b5ce5a9e2a0b33df0e939376c1fe06cecc69fbaa3637c0c0980714c72d35468e
Instruction Fuzzy Hash: C5C13C71F18A62D6E710ABA5E4542ADB7B6FB45B88F804035DE8E43B54CFBCE405E720

Function 00007FF7316A34F0 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 312networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7316A35D9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A3620
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A3876
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A388D
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A38A8
htons.WS2_32 ref: 00007FF7316A3907

Strings

bad error code, xrefs: 00007FF7316A3638
%s%02x%02x, xrefs: 00007FF7316A376E
DOH AAAA: , xrefs: 00007FF7316A3722
Could not DOH-resolve: %s, xrefs: 00007FF7316A3546
DOH: %s type %s for %s, xrefs: 00007FF7316A3654
TTL: %u seconds, xrefs: 00007FF7316A36B5
AAAA, xrefs: 00007FF7316A3646
CNAME: %s, xrefs: 00007FF7316A3803
%s, xrefs: 00007FF7316A37C3
DOH Host name: %s, xrefs: 00007FF7316A36A1
DOH A: %u.%u.%u.%u, xrefs: 00007FF7316A36EE

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: calloc$_strdupfreehtonsmemset
String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
API String ID: 130798683-4053692942
Opcode ID: b7ea18d54f0fbc825fb5669daafabcae6a8462ca2209896e4bea7f4fb4aa7d12
Instruction ID: 93bfd7d512ac56086d8f9e00f60e0e4afe687662c88159cad2d2fa7da05bab27
Opcode Fuzzy Hash: b7ea18d54f0fbc825fb5669daafabcae6a8462ca2209896e4bea7f4fb4aa7d12
Instruction Fuzzy Hash: 60E19072E08AA2E6EB60AF61D4403B9B7A6FB84B88F844135DE4D07745DFBCE544D720

Function 00007FF731659928 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 423COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A084
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165A0B2
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165A0C0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A0FB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A13A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165AB2E

Strings

array, xrefs: 00007FF73165A1BA
number overflow parsing ', xrefs: 00007FF731659FC0
object, xrefs: 00007FF73165A349

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: array$number overflow parsing '$object
API String ID: 1346393832-579821726
Opcode ID: 612217a731006b17a9bf7d36795b1e63913d7f320859813cc151115b1c0ee28f
Instruction ID: 4487b4aba12b25cf05d0172ad3cc8eb5113bf01dd5b95a92262e3e306a11f784
Opcode Fuzzy Hash: 612217a731006b17a9bf7d36795b1e63913d7f320859813cc151115b1c0ee28f
Instruction Fuzzy Hash: 9A12E7B2E18796D2FB00EBA8D4543AD6362FB457A4F805235DA5D02AD9DFBCE081E350

Function 00007FF73169E450 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 257stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E4D6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E4FC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E50D
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E57B
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E5AC
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E5CC
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E5DE
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E640
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E6B1
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E6C8
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E783
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E7F7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF73169DC0F), ref: 00007FF73169E800

Strings

onetree, xrefs: 00007FF73169E6F6
LDAP, xrefs: 00007FF73169E496
base, xrefs: 00007FF73169E709
one, xrefs: 00007FF73169E6E3
subtree, xrefs: 00007FF73169E747
sub, xrefs: 00007FF73169E734

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$free$_strdupcalloc
String ID: LDAP$base$one$onetree$sub$subtree
API String ID: 112326314-884163498
Opcode ID: b72b3b6b8f8b35fc2830f8e4368748d3916e01b9f25a2d53a481e4d0df09ac53
Instruction ID: f2194ff275885a71fbbaf54cf86bc7d1fa1865eb77f661c187bf64238e7ec79b
Opcode Fuzzy Hash: b72b3b6b8f8b35fc2830f8e4368748d3916e01b9f25a2d53a481e4d0df09ac53
Instruction Fuzzy Hash: 83B1AF26E09B62E2EB51EB95940067DA3A2FF44B84FC48475DE8D07784EF7CE451E720

Function 00007FF73169C620 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 175stringCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF73169C681
memchr.VCRUNTIME140 ref: 00007FF73169C6B7
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73169C73B
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73169C7CB

Strings

got option=(%s) value=(%s), xrefs: 00007FF73169C6FC
%s (%d), xrefs: 00007FF73169C855, 00007FF73169C878
server requested blksize larger than allocated, xrefs: 00007FF73169C828
%s (%ld), xrefs: 00007FF73169C7DB
blksize, xrefs: 00007FF73169C71F
%s (%ld), xrefs: 00007FF73169C832
blksize parsed from OACK, xrefs: 00007FF73169C773
blksize is larger than max supported, xrefs: 00007FF73169C871
%s (%d) %s (%d), xrefs: 00007FF73169C78D
invalid blocksize value in OACK packet, xrefs: 00007FF73169C88E
invalid tsize -:%s:- value in OACK packet, xrefs: 00007FF73169C8A7
tsize parsed from OACK, xrefs: 00007FF73169C7D4
requested, xrefs: 00007FF73169C77A
tsize, xrefs: 00007FF73169C7AF
Malformed ACK packet, rejecting, xrefs: 00007FF73169C8BA
blksize is smaller than min supported, xrefs: 00007FF73169C84E

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memchrstrtol
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 1626215102-895336422
Opcode ID: 79dfef3ee0d82b343d4b81e40e272c507a7aa2e2bd38e7d364f08c563dddb735
Instruction ID: 354d82d3df18636cf27f41abea6f16c624b7bf27337fe96addf18aa4fb4e7bb4
Opcode Fuzzy Hash: 79dfef3ee0d82b343d4b81e40e272c507a7aa2e2bd38e7d364f08c563dddb735
Instruction Fuzzy Hash: 6261A360E0C662F6FB14EB9699002B9A752AF417E4FC08132D91E4B7D5DFBCE106E360

Function 00007FF73166C740 Relevance: 34.9, APIs: 6, Strings: 17, Instructions: 352COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731666070: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731670670,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316624A1), ref: 00007FF731666097
Part of subcall function 00007FF731666070: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731670670,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316624A1), ref: 00007FF7316660A3

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166C9D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166C9DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166CA03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166CA0C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166CA90
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166CA99

Strings

application/octet-stream, xrefs: 00007FF73166C866
Content-Disposition: %s%s%s%s%s%s%s, xrefs: 00007FF73166CA59
text/plain, xrefs: 00007FF73166C8AC
; filename=", xrefs: 00007FF73166CA21
attachment, xrefs: 00007FF73166C98B, 00007FF73166C992
multipart/, xrefs: 00007FF73166C977
8bit, xrefs: 00007FF73166CC1A
multipart/mixed, xrefs: 00007FF73166C835
Content-Type: %s%s%s, xrefs: 00007FF73166CABD
; boundary=, xrefs: 00007FF73166CAB3
Content-Transfer-Encoding: %s, xrefs: 00007FF73166CC21
Content-Disposition, xrefs: 00007FF73166C901
Content-Transfer-Encoding, xrefs: 00007FF73166CB01
form-data, xrefs: 00007FF73166CC46
; name=", xrefs: 00007FF73166CA2F
Content-Type, xrefs: 00007FF73166C7C8
multipart/form-data, xrefs: 00007FF73166CB97

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
API String ID: 1294909896-1595554923
Opcode ID: 6bdb922d749ab1fe29328e538f3ef6b7cd3e7e9cfbaf12b4b060728a50306d1a
Instruction ID: 80c79e0f309bfa7d3c733423f4192000fd6697e3c1195e549d5f2ea67b424a09
Opcode Fuzzy Hash: 6bdb922d749ab1fe29328e538f3ef6b7cd3e7e9cfbaf12b4b060728a50306d1a
Instruction Fuzzy Hash: 84E18521F09BA2E1EB65AB9295402B9A7B2BF05B84FC84435CE4D47641DFBCF854E360

Function 00007FF731656350 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731654350: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF731654381

memcpy.VCRUNTIME140 ref: 00007FF7316564C6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF731656558
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF731656599
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316566E3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731656722
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731656770
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316567B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165680E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316568C8

Part of subcall function 00007FF7316AFB48: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73165442E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF7316AFB62

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731656909
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316569D6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731656A17
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731656A3A

Strings

; last read: ', xrefs: 00007FF73165661C
unexpected , xrefs: 00007FF731656853
rsing , xrefs: 00007FF7316564A8
; expected , xrefs: 00007FF731656960
syntax error , xrefs: 00007FF73165639D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$Concurrency::cancel_current_taskmalloc
String ID: ; expected $; last read: '$rsing $syntax error $unexpected
API String ID: 264867259-3075834232
Opcode ID: 5ddee20f24811701f88de3ed6b3b9c5beeb918b66c6a729a8a008020f288624f
Instruction ID: 49a8bb345a46e162fad6ae0fe51cfbe76c8aa4448ffef439331bb284e55c4c2b
Opcode Fuzzy Hash: 5ddee20f24811701f88de3ed6b3b9c5beeb918b66c6a729a8a008020f288624f
Instruction Fuzzy Hash: 1D12D7B2F08652D1FB10EBA5E41036DA762EB447A8F804635DA6D037DADFBCE485E350

Function 00007FF73166A360 Relevance: 31.8, APIs: 21, Instructions: 269stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73166B2B0: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000000,?,00007FF73166AD2E,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9), ref: 00007FF73166B2D3
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B329
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B333
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B33D
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B347
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B351
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B35B
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B365
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B36F
Part of subcall function 00007FF73166B2B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B378

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A457
strchr.VCRUNTIME140 ref: 00007FF73166A471
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A49B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A4A8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A4D2
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A4E6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A4F3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A50C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A51A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A528
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A543
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A55F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A57B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A597
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A5B3
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A5CF
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A5EB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A603
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A69B
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF73166A6D2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A713

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdup$_time64callocmallocqsortstrchrstrncmp
String ID:
API String ID: 1087521380-0
Opcode ID: 38ea0279ecf3060a7191ead8b4a3581ef11fd8d8a316d763dfd1daf95e724c62
Instruction ID: 8657f55ebfafcec5f34bd0fb9dbb6301988941b0ffc9b30b1737cbce9346b3e6
Opcode Fuzzy Hash: 38ea0279ecf3060a7191ead8b4a3581ef11fd8d8a316d763dfd1daf95e724c62
Instruction Fuzzy Hash: 4CB18121F0AB62E5EB55AFA59914378A7B2AF45B94F881134CE5D43780DFBCE850E330

Function 00007FF73169EB80 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 214stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169EB90
strstr.VCRUNTIME140 ref: 00007FF73169EBBF
strchr.VCRUNTIME140 ref: 00007FF73169EBEB
strrchr.VCRUNTIME140 ref: 00007FF73169EC05
strchr.VCRUNTIME140 ref: 00007FF73169EC1A
strrchr.VCRUNTIME140 ref: 00007FF73169EC7A

Strings

?, xrefs: 00007FF73169EBF8
/, xrefs: 00007FF73169EC4E
., xrefs: 00007FF73169EC5A
/, xrefs: 00007FF73169EBD5
/, xrefs: 00007FF73169EC93

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchrstrrchr$_strdupstrstr
String ID: .$/$/$/$?
API String ID: 2325335452-1821401756
Opcode ID: 9261ab79bdb83ea22a8fa9ae64580533c3681aa6c0cda1dfe81c3d98f48dc030
Instruction ID: e1592c669fa5a2072dbaf06af4e8e56715ce4f70576a8014fe5ba10a7a668dd6
Opcode Fuzzy Hash: 9261ab79bdb83ea22a8fa9ae64580533c3681aa6c0cda1dfe81c3d98f48dc030
Instruction Fuzzy Hash: BE81E212E0C6E2E2FB65AB95910077DEB93AF45784F8844B1CE9D063C6DEBCE455B320

Function 00007FF731699A80 Relevance: 31.7, APIs: 9, Strings: 12, Instructions: 208stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF731699B53
strchr.VCRUNTIME140 ref: 00007FF731699BAA
strchr.VCRUNTIME140 ref: 00007FF731699BC2
strchr.VCRUNTIME140 ref: 00007FF731699BDD
strchr.VCRUNTIME140 ref: 00007FF731699C59
strchr.VCRUNTIME140 ref: 00007FF731699C71
strchr.VCRUNTIME140 ref: 00007FF731699C8C
strchr.VCRUNTIME140 ref: 00007FF731699CA7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731699D34

Strings

/MATCH:, xrefs: 00007FF731699ABA
CLIENT libcurl 7.70.0MATCH %s %s %sQUIT, xrefs: 00007FF731699D15
/D:, xrefs: 00007FF731699B26
Failed sending DICT request, xrefs: 00007FF731699D41
CLIENT libcurl 7.70.0%sQUIT, xrefs: 00007FF731699B8A
/M:, xrefs: 00007FF731699AD5
/DEFINE:, xrefs: 00007FF731699B0B
/LOOKUP:, xrefs: 00007FF731699B3D
lookup word is missing, xrefs: 00007FF731699BF4, 00007FF731699CBE
default, xrefs: 00007FF731699C03, 00007FF731699CCD
/FIND:, xrefs: 00007FF731699AF0
CLIENT libcurl 7.70.0DEFINE %s %sQUIT, xrefs: 00007FF731699C3A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$free
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.70.0%sQUIT$CLIENT libcurl 7.70.0DEFINE %s %sQUIT$CLIENT libcurl 7.70.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
API String ID: 3578582447-31095704
Opcode ID: 3818cbc8e39213c928cda0c38d8a3541617fcfd322a322e3fd4af905bb9cf079
Instruction ID: 0dde6987ae75b58c5a4dcb2e23fa26cc10058df1200e79d069fe8694da712cd5
Opcode Fuzzy Hash: 3818cbc8e39213c928cda0c38d8a3541617fcfd322a322e3fd4af905bb9cf079
Instruction Fuzzy Hash: BD818F21E0D6A2F2FB51BB9299502B9E793AF45BC4FC88071C94D07785DEACE605E330

Function 00007FF731675AB0 Relevance: 30.1, APIs: 24, Instructions: 137COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675ACC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675AE2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675AF6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675B03

Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9A1
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9B1
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9BF
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9CD
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9DB
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9E9
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9F7
Part of subcall function 00007FF73166F990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166FA05

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675B3F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675B53
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675BA6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675BBA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675BCE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675BE2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675C4A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675C5E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675C72
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675C86
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675CEA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675D2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675D3E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675D52
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675D66
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675D7A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675D8E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675DA2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675DB6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731675DD8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8259ff6e623f5e8fe84b6f773224f5a953ae370b270943317448fd41960c9f86
Instruction ID: d3187fb652bf44b986c56e4aeadd1f06e5ffbd1315ff0e2acea3e8754fce78fd
Opcode Fuzzy Hash: 8259ff6e623f5e8fe84b6f773224f5a953ae370b270943317448fd41960c9f86
Instruction Fuzzy Hash: B991C276A08B91E3E7499F71E9902A8B368F749F48F440139EFAD47354CF74A261E320

Function 00007FF7316942F0 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 284stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169433D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169442F
strchr.VCRUNTIME140 ref: 00007FF731694371

Part of subcall function 00007FF73166B460: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166B4A4

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731694597
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731694761
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731694783

Part of subcall function 00007FF73167F820: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167F85E

Strings

Connecting to %s (%s) port %d, xrefs: 00007FF73169473A
Can't resolve proxy host %s:%hu, xrefs: 00007FF731694643
Bad PASV/EPSV response: %03d, xrefs: 00007FF7316947AE
Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 00007FF73169456B
Couldn't interpret the 227-response, xrefs: 00007FF7316944DE
%c%c%c%u%c, xrefs: 00007FF7316943AB
Illegal port number in EPSV reply, xrefs: 00007FF7316943EF
Can't resolve new host %s:%hu, xrefs: 00007FF7316946AE
%u.%u.%u.%u, xrefs: 00007FF7316945A3
%u,%u,%u,%u,%u,%u, xrefs: 00007FF7316944BB
Weirdly formatted EPSV reply, xrefs: 00007FF73169444F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree$__stdio_common_vsscanfstrchr
String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
API String ID: 3103143820-2414412286
Opcode ID: b4f9b2d5e7cbae1782e3f6f8a12a44ccccba11d09565d8c439cd8e380772ba0a
Instruction ID: a4a873b69e423ca4bd3d696d661492777467afbcf11e9a0c81f0a37156b7a54c
Opcode Fuzzy Hash: b4f9b2d5e7cbae1782e3f6f8a12a44ccccba11d09565d8c439cd8e380772ba0a
Instruction Fuzzy Hash: A8D19522F096A2E3EB54EBA1E5402BDE3A2FB45B84F800036DB4D07A55DFBCE560D710

Function 00007FF731674B80 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 219COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674EA2

Strings

socks5, xrefs: 00007FF731674C40
socks4, xrefs: 00007FF731674C76
http, xrefs: 00007FF731674C9E
Unsupported proxy syntax in '%s', xrefs: 00007FF731674E8A
https, xrefs: 00007FF731674C04
socks5h, xrefs: 00007FF731674C22
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 00007FF731674CE4
Unsupported proxy scheme for '%s', xrefs: 00007FF731674CB1
socks4a, xrefs: 00007FF731674C5B
socks, xrefs: 00007FF731674C8A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
API String ID: 1294909896-874090715
Opcode ID: 093fa01c1f5bd7a98eb4c303981484f46682d263194a912cf4eeb29883cd8169
Instruction ID: c2afc6b24b8e047a1e0a60b4e0c0b025fc13c12d781749d4ef243f2add29b405
Opcode Fuzzy Hash: 093fa01c1f5bd7a98eb4c303981484f46682d263194a912cf4eeb29883cd8169
Instruction Fuzzy Hash: 07A1C132F08662E6FB10EBA1D8546BDA7A6BB44794F844931DE8C53785DFBCE504E320

Function 00007FF7316937A0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 208stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73168C9C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF731673D4F), ref: 00007FF73168C9EE

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731693876
strchr.VCRUNTIME140 ref: 00007FF731693894
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316938C4
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316938DF
strchr.VCRUNTIME140 ref: 00007FF731693909
strrchr.VCRUNTIME140 ref: 00007FF731693925
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169394F
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169396A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169398E
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316939A6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316939E5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731693A20
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731693ABC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731693AE1

Strings

Request has same path as previous transfer, xrefs: 00007FF731693AC6
Uploading to a URL without a file name!, xrefs: 00007FF731693A0C

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: calloc$free$strchrstrncpy$_strdupmallocstrncmpstrrchr
String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
API String ID: 2243338858-131330169
Opcode ID: 9bb391558646337b25e735532d6e92d88ebe20401bd44c15c974a5a0c0c4ffcd
Instruction ID: fe5fb7db4eedd04012779ac71094247e91e2da62d3ef01cfe82408ab1603aec8
Opcode Fuzzy Hash: 9bb391558646337b25e735532d6e92d88ebe20401bd44c15c974a5a0c0c4ffcd
Instruction Fuzzy Hash: 8191AF22F08B92E7EB54AB659444379A3E2FB85B80F944076DE9E03795DF7CE440E710

Function 00007FF73166ACE0 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166AD43
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166ADBD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166ADE1
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166AE30
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166AE6A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166AE7C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166AE8F
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166AEAA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166AEC0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9,?,?,00000000,00007FF731671F35), ref: 00007FF73166AEC9

Strings

## Fatal libcurl error, xrefs: 00007FF73166AEF7
# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00007FF73166ADB6
%s, xrefs: 00007FF73166AE5B
%s.%s.tmp, xrefs: 00007FF73166AD7A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$fclose$__acrt_iob_func_unlinkcallocfputsqsort
String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
API String ID: 1368378007-4087121635
Opcode ID: 344d1e83408e5aa8c09dd1b5b124e3602bc2af5de0146423da4577ad8867d292
Instruction ID: f6372f72f72e4000637ad1bd058f5c5d7f70fa6a72cf202ab661f7173d2e753f
Opcode Fuzzy Hash: 344d1e83408e5aa8c09dd1b5b124e3602bc2af5de0146423da4577ad8867d292
Instruction Fuzzy Hash: 2D519211F0D662E2FF65BBA29D1427AA3B2AF45B85FC49434CD4E06350EEBCE404F260

Function 00007FF7316554B0 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 364COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165560E
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165563C
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165564A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731655684
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316556D5
memset.VCRUNTIME140 ref: 00007FF731655503

Part of subcall function 00007FF731654350: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF731654381

Part of subcall function 00007FF731656350: memcpy.VCRUNTIME140 ref: 00007FF7316564C6

Part of subcall function 00007FF731651FF0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652161

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731655842
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165586E
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165587C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316558B7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165590A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316559F1
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF731655A09
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF731655A16

Strings

value, xrefs: 00007FF731655576, 00007FF7316557AE

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy$?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@memset
String ID: value
API String ID: 2102519606-494360628
Opcode ID: 0681b0cbd6cc313949f343e8ef1c8002e7ee2f51d413c373bf9241906f22b9b9
Instruction ID: 15d3af6d9b592601f159889c2845d944b2bcb7d6ca9951b8b61413e25d707be8
Opcode Fuzzy Hash: 0681b0cbd6cc313949f343e8ef1c8002e7ee2f51d413c373bf9241906f22b9b9
Instruction Fuzzy Hash: ECF10962E086D1D5FB10EBB5E4543ADA762EB857A4F404231EAAD03AE9DFBCD085D310

Function 00007FF73168BB20 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 241encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF73168BE07
CertEnumCertificatesInStore.CRYPT32 ref: 00007FF73168BE77
CertFreeCertificateContext.CRYPT32 ref: 00007FF73168BEB5
CertFreeCertificateContext.CRYPT32 ref: 00007FF73168BEC8

Strings

schannel: failed to setup confidentiality, xrefs: 00007FF73168BBB2
schannel: failed to retrieve ALPN result, xrefs: 00007FF73168BC3B
schannel: failed to setup memory allocation, xrefs: 00007FF73168BBD1
ALPN, server did not agree to a protocol, xrefs: 00007FF73168BC95
http/1.1, xrefs: 00007FF73168BC7B
schannel: failed to setup stream orientation, xrefs: 00007FF73168BBF0
schannel: ALPN, server accepted to use %.*s, xrefs: 00007FF73168BC68
schannel: failed to retrieve remote cert context, xrefs: 00007FF73168BEE7
schannel: failed to store credential handle, xrefs: 00007FF73168BD6C
schannel: failed to setup replay detection, xrefs: 00007FF73168BB96
schannel: failed to setup sequence detection, xrefs: 00007FF73168BB7A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Cert$CertificateCertificatesContextEnumFreeStore
String ID: ALPN, server did not agree to a protocol$http/1.1$schannel: ALPN, server accepted to use %.*s$schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle
API String ID: 2572311694-3353508759
Opcode ID: 103a66c3a53550784711af1dfa48bdffb5b22969c7d859b1a8e8efaaf0d7177c
Instruction ID: b087e48b4b467a4fd33c43d6303c03b428ae601dda9560d8184eb0caf9941166
Opcode Fuzzy Hash: 103a66c3a53550784711af1dfa48bdffb5b22969c7d859b1a8e8efaaf0d7177c
Instruction Fuzzy Hash: 61B1D472E08A62E5EB60EB55D8143B9A393FB84B84FC44035CA1D47B95DFBCE401E760

Function 00007FF731682340 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 218stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7316823F8
strchr.VCRUNTIME140 ref: 00007FF73168240F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168245B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731682627
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731682676
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168267F

Strings

Authorization:, xrefs: 00007FF7316825B1
Transfer-Encoding:, xrefs: 00007FF731682598
%s, xrefs: 00007FF73168260C
Cookie:, xrefs: 00007FF7316825CB
Host:, xrefs: 00007FF7316824D9
Content-Length:, xrefs: 00007FF73168254B
1.1, xrefs: 00007FF73168235B
Connection:, xrefs: 00007FF731682571
Content-Type:, xrefs: 00007FF7316824FF, 00007FF731682525

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$strchr$_strdup
String ID: %s$1.1$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:
API String ID: 1922034842-2519073162
Opcode ID: 618ecbf9edcba6c5a583dceb0031c8d968e55155e3ae0f44d7de65b39f56fd4a
Instruction ID: 7d7bb3fa4f77c296f8cfd383a5f5bf90b396eebe64a2109db66b40ab91a04748
Opcode Fuzzy Hash: 618ecbf9edcba6c5a583dceb0031c8d968e55155e3ae0f44d7de65b39f56fd4a
Instruction Fuzzy Hash: E091CC21E09672E6FB61EB51D410379E792AF48B84FC44039CE4E47AD5EEADE541E330

Function 00007FF7316AD940 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7316A066F), ref: 00007FF7316AD96D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0000000100000000,?,00007FF7316A066F), ref: 00007FF7316AD98F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7316A066F), ref: 00007FF7316AD9A0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7316A066F), ref: 00007FF7316AD9CE

Strings

/.., xrefs: 00007FF7316ADAD2
/./, xrefs: 00007FF7316ADA5C
../, xrefs: 00007FF7316ADA39
/../, xrefs: 00007FF7316ADA9B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: ../$/..$/../$/./
API String ID: 111713529-456519384
Opcode ID: 61c15189d735682e971e48453faa0514a71c150c6ab138010393682c7d56857a
Instruction ID: 0f1b61057851719440e2a49e5342b9917a338608c28ae657ebd1fb8c7d686c02
Opcode Fuzzy Hash: 61c15189d735682e971e48453faa0514a71c150c6ab138010393682c7d56857a
Instruction Fuzzy Hash: 637120E1E0C6A2E1FB21BB51991027DEBA3AB55B94F844171CF9D026D6DFBCE051E320

Function 00007FF7316A8541 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A8572
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8BEA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8C28

Strings

FALSE, xrefs: 00007FF7316A855D
Signature, xrefs: 00007FF7316A8A0F
-----END CERTIFICATE-----, xrefs: 00007FF7316A8B77
Signature: %s, xrefs: 00007FF7316A8A27
TRUE, xrefs: 00007FF7316A8564
%s, xrefs: 00007FF7316A8C16
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7316A8ACC
Cert, xrefs: 00007FF7316A8BFE

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Signature: %s$%s$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$Cert$FALSE$Signature$TRUE
API String ID: 111713529-3006446216
Opcode ID: ead7ad64410cf63012cd3b6e98572aabadeff694823e11d38ff1ffd43fa03750
Instruction ID: 2094ff989fd8638c24ecd106816fdfb1831e1f1be62658be650d4fd140a58aeb
Opcode Fuzzy Hash: ead7ad64410cf63012cd3b6e98572aabadeff694823e11d38ff1ffd43fa03750
Instruction Fuzzy Hash: 3F71FBE2E0D7D2E5EB11EBA590142B9FBA6EF46749F985072CA4E03351DF6CD405E320

Function 00007FF7316A25B0 Relevance: 24.2, APIs: 14, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A2672
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A26AA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A26BD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A26F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A26FC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A27B2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A27BB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A27C6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A28B1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A28BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A28C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A293B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A2944
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A294F

Part of subcall function 00007FF7316A2D40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316A4C2A,?,?,00000000,00007FF7316A1665), ref: 00007FF7316A2D50
Part of subcall function 00007FF7316A2D40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316A4C2A,?,?,00000000,00007FF7316A1665), ref: 00007FF7316A2D61
Part of subcall function 00007FF7316A2D40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316A4C2A,?,?,00000000,00007FF7316A1665), ref: 00007FF7316A2D73

Strings

DIGEST-MD5 handshake failure (empty challenge message), xrefs: 00007FF7316A295C
WDigest, xrefs: 00007FF7316A265C, 00007FF7316A2774

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc
String ID: DIGEST-MD5 handshake failure (empty challenge message)$WDigest
API String ID: 2190258309-1086287758
Opcode ID: d6ceaab0806046a6fad15daabaa3b331c93cb5b9507ece998b51a21d75b291da
Instruction ID: 7373eddda2329bbb6ccbe44b67c77067b562abaf422a8062321e133fd14829fa
Opcode Fuzzy Hash: d6ceaab0806046a6fad15daabaa3b331c93cb5b9507ece998b51a21d75b291da
Instruction Fuzzy Hash: DDB16072E08B56D6EB10AFA5E8402ADB7A5FB48B88F800039DE8E47B54DF7CD544E710

Function 00007FF7316A9300 Relevance: 24.2, APIs: 1, Strings: 15, Instructions: 179COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A9413

Strings

rsaEncryption, xrefs: 00007FF7316A9345
dsa(p), xrefs: 00007FF7316A94AD
rsa(n), xrefs: 00007FF7316A9420
dh(g), xrefs: 00007FF7316A95A0
rsa(e), xrefs: 00007FF7316A944B
dsa(q), xrefs: 00007FF7316A94DC
dh(pub_key), xrefs: 00007FF7316A95B6
dsa, xrefs: 00007FF7316A9475
dhpublicnumber, xrefs: 00007FF7316A9536
RSA Public Key (%lu bits), xrefs: 00007FF7316A93CE
dsa(pub_key), xrefs: 00007FF7316A9522
dh(p), xrefs: 00007FF7316A956F
RSA Public Key, xrefs: 00007FF7316A93FF
dsa(g), xrefs: 00007FF7316A950C
%lu, xrefs: 00007FF7316A93E8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: RSA Public Key (%lu bits)$%lu$RSA Public Key$dh(g)$dh(p)$dh(pub_key)$dhpublicnumber$dsa$dsa(g)$dsa(p)$dsa(pub_key)$dsa(q)$rsa(e)$rsa(n)$rsaEncryption
API String ID: 1294909896-1220118048
Opcode ID: f0158090d86be3429eb3269982509cc72675253f20fd575ca3fe3ae1e362a893
Instruction ID: 64a7cdbcf43ab2a88f65a9d2b3e13a20c0f269d712a2b5584d6f20f5b1920073
Opcode Fuzzy Hash: f0158090d86be3429eb3269982509cc72675253f20fd575ca3fe3ae1e362a893
Instruction Fuzzy Hash: 427192A1E09766E1EB10EBE2A4501F9A3A2FF48B84F944032DE4D03796EFBCD505D760

Function 00007FF73169F6DC Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F948
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F9A0
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F9AD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FAA1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FAAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FAFE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FB16

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdupmalloctolower
String ID: %%%02x
API String ID: 1244608590-4020994737
Opcode ID: cc941b5b1586ca65034f02fda84f81cd4fb17835c43a73507d46e3afe6f7d722
Instruction ID: efdf2dcaf7fba6fd6f1a30a9053c7bcdbb2b3405747d80cdedfd7972fc50e8b5
Opcode Fuzzy Hash: cc941b5b1586ca65034f02fda84f81cd4fb17835c43a73507d46e3afe6f7d722
Instruction Fuzzy Hash: B5A1B812E0D2B2E6FB616B659110379AFE69F05B84F8A44F1DE8D462C5DEACE444F330

Function 00007FF73168D9C0 Relevance: 22.8, APIs: 1, Strings: 14, Instructions: 321COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF73168DA18

Strings

, xrefs: 00007FF73168DA21
EXAMINE, xrefs: 00007FF73168DCE7
Unexpected continuation response, xrefs: 00007FF73168DE5E
NOOP, xrefs: 00007FF73168DD5F
FETCH, xrefs: 00007FF73168DB8C, 00007FF73168DCA2
SELECT, xrefs: 00007FF73168DCCF
EXPUNGE, xrefs: 00007FF73168DD17
PREA, xrefs: 00007FF73168DA54
SEARCH, xrefs: 00007FF73168DB2C, 00007FF73168DCFF
STORE, xrefs: 00007FF73168DC4A
LIST, xrefs: 00007FF73168DBFC
UID, xrefs: 00007FF73168DD47
CAPABILITY, xrefs: 00007FF73168DDE0
LSUB, xrefs: 00007FF73168DD2F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcmp
String ID: $CAPABILITY$EXAMINE$EXPUNGE$FETCH$LIST$LSUB$NOOP$PREA$SEARCH$SELECT$STORE$UID$Unexpected continuation response
API String ID: 1475443563-555813803
Opcode ID: f824413ec63595f229157022f7262be96b8ecc5a249fb8cb69c045449cfec291
Instruction ID: a7668e7edcf45948b3d2008e4f3749111041ec30745e90020db684cc3bf11eb4
Opcode Fuzzy Hash: f824413ec63595f229157022f7262be96b8ecc5a249fb8cb69c045449cfec291
Instruction Fuzzy Hash: C5D15F63E0C662F1FB256E91CD142B8E7A3AB11794FC49071DA1D46986EFECE841E331

Function 00007FF7316891F0 Relevance: 22.7, APIs: 15, Instructions: 160COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,00007FF7316894A6), ref: 00007FF73168920B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168922B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168924C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731689255

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdupmalloc
String ID:
API String ID: 111713529-0
Opcode ID: 621cbfd0ee36ffef54caf14af25ee3b9e37cafa5b82458fd53113b4841491521
Instruction ID: ece47d4fc7db68540f43cef500c0e896645997ac0c5657defbdaa6722b0586f1
Opcode Fuzzy Hash: 621cbfd0ee36ffef54caf14af25ee3b9e37cafa5b82458fd53113b4841491521
Instruction Fuzzy Hash: 81618D76A05B51D2EB25DF56A454229B3A1FB88B84B858035CF8E43B90EF7CE494E320

Function 00007FF731692310 Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 279COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731692430

Strings

server did not report OK, got %d, xrefs: 00007FF73169269E
partial download completed, closing connection, xrefs: 00007FF731692663
Failure sending ABOR command: %s, xrefs: 00007FF731692551
Remembering we are in dir "%s", xrefs: 00007FF7316924C8
control connection looks dead, xrefs: 00007FF731692622
Received only partial file: %I64d bytes, xrefs: 00007FF73169273E
ABOR, xrefs: 00007FF73169252B
Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 00007FF731692706
No data was received!, xrefs: 00007FF73169276C

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: ABOR$Failure sending ABOR command: %s$No data was received!$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
API String ID: 1294909896-2312071747
Opcode ID: a0623ea6344bcf45b5f90fc84e39796b348e01075dae96949922a8793e9a13ae
Instruction ID: 101776d9a10c4beee1331c0ad9b1bfcc78bd26f7734f805be462b3e7886d2370
Opcode Fuzzy Hash: a0623ea6344bcf45b5f90fc84e39796b348e01075dae96949922a8793e9a13ae
Instruction Fuzzy Hash: F9D1E721E0D6A2E7EBA4FBA194503BDA352FB45754FC04279CA6E076C1DFACE444A360

Function 00007FF73165A7E2 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731654350: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF731654381

Part of subcall function 00007FF731656350: memcpy.VCRUNTIME140 ref: 00007FF7316564C6

Part of subcall function 00007FF731651FF0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652161

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A891
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165A8BF
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165A8CD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A907
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165A964
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165AA1D
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165AA4B
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165AA59
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165AA93
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165AAE4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165AB2E

Strings

value, xrefs: 00007FF73165A800, 00007FF73165A989

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy
String ID: value
API String ID: 3212548336-494360628
Opcode ID: 6b5334c8dc40afd695f9f5f7814dc70773cd0d43c74a1f3ab58cc3c0daa169ad
Instruction ID: 0c76caa15857ba6a1a08ecd56dcaaff30c5edd21789dc6dba944194b809ba9f2
Opcode Fuzzy Hash: 6b5334c8dc40afd695f9f5f7814dc70773cd0d43c74a1f3ab58cc3c0daa169ad
Instruction Fuzzy Hash: 60A1E772E18A91D6EB00EBA9E4543AD6362FF453A4F805335DA6D02AD9DFBCE081D350

Function 00007FF73166A950 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 161fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A9BD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A9DD
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166AA11
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166AA32
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166AA55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166AA66
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166AA88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166AB3F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166AB54

Strings

none, xrefs: 00007FF73166A9D2
Set-Cookie:, xrefs: 00007FF73166AAC6
ignoring failed cookie_init for %s, xrefs: 00007FF73166AA92

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: Set-Cookie:$ignoring failed cookie_init for %s$none
API String ID: 4109794434-4095489131
Opcode ID: 0eeaf11df58c9bde20a6e3c1becd47c5d211bcaa5ae6dfd947c6e12309e66ec9
Instruction ID: e2fed85580f9768e7f3b21572e5c3c9aecdf6fca386b2dc0eb4cc538e0c2762d
Opcode Fuzzy Hash: 0eeaf11df58c9bde20a6e3c1becd47c5d211bcaa5ae6dfd947c6e12309e66ec9
Instruction Fuzzy Hash: 5161E221F0C7A2E1EB50AB6199042BDA7A6FF45B84F885439DE8D03781DFBCE401E320

Function 00007FF7316A5270 Relevance: 19.8, APIs: 8, Strings: 5, Instructions: 266COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A52E5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A5306
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A5321
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A532F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A53B6
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A5405
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A5466
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A55EC

Strings

SPNEGO handshake failure (empty challenge message), xrefs: 00007FF7316A54B6
CompleteAuthToken failed: %s, xrefs: 00007FF7316A5647
Negotiate, xrefs: 00007FF7316A5274, 00007FF7316A537C, 00007FF7316A5423
InitializeSecurityContext failed: %s, xrefs: 00007FF7316A560A
HTTP, xrefs: 00007FF7316A5270

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$calloc$malloc
String ID: CompleteAuthToken failed: %s$HTTP$InitializeSecurityContext failed: %s$Negotiate$SPNEGO handshake failure (empty challenge message)
API String ID: 3103867982-1477229593
Opcode ID: abcaebdcec3108e36cd59e43220c0eb99015a202a648407847131c0655e3d7ce
Instruction ID: bcd7edfa05e555a02eea4bcabe1eddd69780c19114e98551847c28159d0986c3
Opcode Fuzzy Hash: abcaebdcec3108e36cd59e43220c0eb99015a202a648407847131c0655e3d7ce
Instruction Fuzzy Hash: 25C13AB2A04B61D6EB10EFA5E4502ADB7B6FB44B88F400036DE4D87B58DFB8D845D760

Function 00007FF7316A7150 Relevance: 19.7, APIs: 5, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7203
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7269
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A728C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A72EC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A735C

Strings

Issuer, xrefs: 00007FF7316A72C0
%2d Subject: %s, xrefs: 00007FF7316A7254
%lx, xrefs: 00007FF7316A732C
Version: %lu (0x%lx), xrefs: 00007FF7316A736E
Issuer: %s, xrefs: 00007FF7316A72DA
Version, xrefs: 00007FF7316A7347
TRUE, xrefs: 00007FF7316A73C1
Subject, xrefs: 00007FF7316A723A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc
String ID: Issuer: %s$ Version: %lu (0x%lx)$%2d Subject: %s$%lx$Issuer$Subject$TRUE$Version
API String ID: 2190258309-1457932261
Opcode ID: ffcff0d822d8f7f5c7eb8353cc099688e07f61669229ae3a7ba24ad747551c18
Instruction ID: c5c7378dcc7f1ba902f6aecf41cd0ff92971e37e1e48d4739279d7e8e16b5a20
Opcode Fuzzy Hash: ffcff0d822d8f7f5c7eb8353cc099688e07f61669229ae3a7ba24ad747551c18
Instruction Fuzzy Hash: C061F2A1E0D7A2E1EB11EBA194143FAA392BB45794FC48536CE5D07395EFBDE104D320

Function 00007FF73169A660 Relevance: 19.7, APIs: 4, Strings: 9, Instructions: 151stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF73169A6CB
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169A7F5

Part of subcall function 00007FF731666070: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731670670,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316624A1), ref: 00007FF731666097
Part of subcall function 00007FF731666070: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731670670,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316624A1), ref: 00007FF7316660A3

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169A7AF

Part of subcall function 00007FF731665FD0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731665FE0

Strings

NEW_ENV, xrefs: 00007FF73169A811
%hu%*[xX]%hu, xrefs: 00007FF73169A879
TTYPE, xrefs: 00007FF73169A785
BINARY, xrefs: 00007FF73169A89E
USER,%s, xrefs: 00007FF73169A6F0
Syntax error in telnet option: %s, xrefs: 00007FF73169A906
%127[^= ]%*[ =]%255s, xrefs: 00007FF73169A770
XDISPLOC, xrefs: 00007FF73169A7CB
Unknown telnet option %s, xrefs: 00007FF73169A8ED

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freestrncpy$_strdupmemset
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 3826632026-748038847
Opcode ID: 59a0c5fa885d2920454bd0d086efa8d0fdb8e179524ebb4e6a53ff4d96d24a27
Instruction ID: 0ecfa471dd6e8ea375af291f7ba1d7b93f86bd8a054a259f179abfc5ec928032
Opcode Fuzzy Hash: 59a0c5fa885d2920454bd0d086efa8d0fdb8e179524ebb4e6a53ff4d96d24a27
Instruction Fuzzy Hash: 41718C31E0CAD2E1FB21AF55D4412E9A3A2FB84784F845032DA8D47254EFB8D545E760

Function 00007FF73169D760 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 222networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF73169D8D3
sendto.WS2_32 ref: 00007FF73169D98C
WSAGetLastError.WS2_32 ref: 00007FF73169D99A

Strings

Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF73169D7CD
tftp_tx: giving up waiting for block %d ack, xrefs: 00007FF73169D944
Received ACK for block %d, expecting %d, xrefs: 00007FF73169D925
tftp_tx: internal error, event: %i, xrefs: 00007FF73169D7B8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: sendto$ErrorLast
String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
API String ID: 4042023021-4197595102
Opcode ID: 85231d28fff2e654bee0dea8e08f6af6eeea1f587eb2a535d9c6f41173a7fb84
Instruction ID: f671aab9aaf37c67b0045743c88f998d483e6acba120645eece7dd993a1f7193
Opcode Fuzzy Hash: 85231d28fff2e654bee0dea8e08f6af6eeea1f587eb2a535d9c6f41173a7fb84
Instruction Fuzzy Hash: 40B1C272A086A2D6E721EF69D8403ADB7A2FB48F88F844132CE4D4B759DF78D401D760

Function 00007FF73169B190 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 180networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF73169B38C
WSAGetLastError.WS2_32 ref: 00007FF73169B39E
send.WS2_32 ref: 00007FF73169B496
WSAGetLastError.WS2_32 ref: 00007FF73169B4A0

Strings

%c%s%c%s, xrefs: 00007FF73169B330
%127[^,],%127s, xrefs: 00007FF73169B2F8
%c%c, xrefs: 00007FF73169B368
Sending data failed (%d), xrefs: 00007FF73169B3A4, 00007FF73169B4A6
%c%c%c%c, xrefs: 00007FF73169B26D
#, xrefs: 00007FF73169B40E
%c%c%c%c%s%c%c, xrefs: 00007FF73169B46F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLastsend
String ID: #$%127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s%c%s$Sending data failed (%d)
API String ID: 1802528911-931584821
Opcode ID: c0ccde3566b09747bdcd1574ce02ccefcf66fd362645a6cd761a98cee10aabe0
Instruction ID: 79bc05d7c326e2b0eb86e9b05a81d4e188b031bc3ae6f2431784e76036febc3e
Opcode Fuzzy Hash: c0ccde3566b09747bdcd1574ce02ccefcf66fd362645a6cd761a98cee10aabe0
Instruction Fuzzy Hash: 5F91DF22A08AD1E5F721AF94E4047EAA3A2FF847A8F840235EE4D07B85DF7CD245D350

Function 00007FF73169CB40 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF73169CCB8
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73169CCD3
sendto.WS2_32 ref: 00007FF73169CD3A
sendto.WS2_32 ref: 00007FF73169CDF1
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73169CE29

Strings

Received last DATA packet block %d again., xrefs: 00007FF73169CD85
Received unexpected DATA packet block %d, expecting block %d, xrefs: 00007FF73169CE31
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF73169CBB2
tftp_rx: internal error, xrefs: 00007FF73169CB8E

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: sendto$_time64
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 2327272419-1785996722
Opcode ID: fbf5753c1b2dcb24c4e6be8a7fbe5a8ea5f7a693a1b0e401017e265d019b06a4
Instruction ID: 551655bf21addb64fdbeeabbb7b06de4321596c68244624855181b4987e68be8
Opcode Fuzzy Hash: fbf5753c1b2dcb24c4e6be8a7fbe5a8ea5f7a693a1b0e401017e265d019b06a4
Instruction Fuzzy Hash: B691AE32A186A1D6E711DF69D4403A97BA1FB88F88F848136CA4D4B768DF79D406D360

Function 00007FF731674730 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167476D
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316747EF
strchr.VCRUNTIME140 ref: 00007FF73167486E
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73167489C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316748BD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316748CF

Strings

No valid port number in connect to host string (%s), xrefs: 00007FF7316748FB
Please URL encode %% as %%25, see RFC 6874., xrefs: 00007FF7316747F9
Invalid IPv6 address format, xrefs: 00007FF731674857
%25, xrefs: 00007FF7316747E5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup$freestrchrstrncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 2070079882-2404041592
Opcode ID: d0dbf708304496b083f23b7e812b48d865a99afd1e2578677d33c2e86739b3fa
Instruction ID: c80dcb714889f6e966976191720720f206fc418f274bb37ba4b5251709efaa14
Opcode Fuzzy Hash: d0dbf708304496b083f23b7e812b48d865a99afd1e2578677d33c2e86739b3fa
Instruction Fuzzy Hash: D951FA21E086E6E6FB51ABA59424379E7D39F05B84FC84031CECD062C1DFACE545E720

Function 00007FF73166A740 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 143fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A77E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166A79E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166A7D0
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166A7ED
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A80B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A81C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166A83C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF731664990), ref: 00007FF73166A8EF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF731664990), ref: 00007FF73166A905

Strings

none, xrefs: 00007FF73166A793
Set-Cookie:, xrefs: 00007FF73166A876

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: Set-Cookie:$none
API String ID: 4109794434-3629594122
Opcode ID: 9f5bed46c0964185472ff9964054de0d46ab92f24e80c46b5d6bfa1eefba3946
Instruction ID: 1c27966e10b28506e0e4187475cb173dcc852f0e71b15db89a79d7aa506d6e84
Opcode Fuzzy Hash: 9f5bed46c0964185472ff9964054de0d46ab92f24e80c46b5d6bfa1eefba3946
Instruction Fuzzy Hash: D851C521F0D7A2E1FB55AB916910279E7E2AF45B80F955438CE8E03781DFBCE446E360

Function 00007FF73167C310 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF73167C6A6

Strings

Unable to allocate trailing headers buffer !, xrefs: 00007FF73167C383
operation aborted by trailing headers callback, xrefs: 00007FF73167C49D
operation aborted by callback, xrefs: 00007FF73167C47D
Moving trailers state machine from initialized to sending., xrefs: 00007FF73167C351
Signaling end of chunked upload via terminating chunk., xrefs: 00007FF73167C63A
%zx%s, xrefs: 00007FF73167C5C7
Successfully compiled trailers., xrefs: 00007FF73167C3EA
Read callback asked for PAUSE when not supported!, xrefs: 00007FF73167C509
read function returned funny value, xrefs: 00007FF73167C54B
Signaling end of chunked upload after trailers., xrefs: 00007FF73167C6F0

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy
String ID: %zx%s$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$Unable to allocate trailing headers buffer !$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
API String ID: 3510742995-1652449680
Opcode ID: 0a5120772036d3f2536d4dc9d905eb8926beb600ab6b3706c495f539b64e461b
Instruction ID: 658927d0fcbfd835aea467f93b8e3124ae9c8b32efe0705b8837690f6d0d7f19
Opcode Fuzzy Hash: 0a5120772036d3f2536d4dc9d905eb8926beb600ab6b3706c495f539b64e461b
Instruction Fuzzy Hash: 6FA1A431E08AA3E1EB50EFA1D4503F9A392EB44B98F945131DE0D5B285EFBCE445E320

Function 00007FF73168E320 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 207COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168E450
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168E466
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168E4C9

Strings

Mime-Version: 1.0, xrefs: 00007FF73168E571
Mime-Version, xrefs: 00007FF73168E556
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_, xrefs: 00007FF73168E338
Cannot SELECT without a mailbox., xrefs: 00007FF73168E47F
Cannot APPEND with unknown input file size, xrefs: 00007FF73168E5C7
SELECT %s, xrefs: 00007FF73168E4B5
APPEND %s (\Seen) {%I64d}, xrefs: 00007FF73168E5FD
Cannot APPEND without a mailbox., xrefs: 00007FF73168E4F4

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_$APPEND %s (\Seen) {%I64d}$Cannot APPEND with unknown input file size$Cannot APPEND without a mailbox.$Cannot SELECT without a mailbox.$Mime-Version$Mime-Version: 1.0$SELECT %s
API String ID: 1294909896-3146291949
Opcode ID: c6d6408244153583df09f91122f28af32bbeb0fa9cc065ef9557b59c520eb09d
Instruction ID: ca57e7572c225466cb952253a23f4b54b5fea053218b332ac624c6efb3ec4387
Opcode Fuzzy Hash: c6d6408244153583df09f91122f28af32bbeb0fa9cc065ef9557b59c520eb09d
Instruction Fuzzy Hash: 2091A721F0DB62E6FB64ABA1945037DA392EF45788F844035CB5D07A81EFACF460E361

Function 00007FF73167EAA0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167EB31
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167EB78
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167EC14
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167EC2A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167EC4B
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167EC9A
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73167ECEA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167ED1F

Strings

:%u, xrefs: 00007FF73167ECAE
Shuffling %i addresses, xrefs: 00007FF73167EB1A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc$_time64calloctolower
String ID: :%u$Shuffling %i addresses
API String ID: 133842801-338667637
Opcode ID: 37e83f0708112b4b4e4d776fa3a74a9243a2a4ff4985d18aaf8c6fe5b855d056
Instruction ID: a8413d699eac592921fbe4c7316a3d2c140095b637dc2fbb91a2a6311533d068
Opcode Fuzzy Hash: 37e83f0708112b4b4e4d776fa3a74a9243a2a4ff4985d18aaf8c6fe5b855d056
Instruction Fuzzy Hash: 7671E576E08AA2D1EB10AF55E5007BDA7A6FB48B98F844531CE5E07394DF7CE458D310

Function 00007FF73167C710 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 162COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167C78A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167C7A5
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167C822
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167C8AC

Strings

HEAD, xrefs: 00007FF73167C917
Switch to %s, xrefs: 00007FF73167C937
Switch from POST to GET, xrefs: 00007FF73167C976
GET, xrefs: 00007FF73167C91E
Issue another request to this URL: '%s', xrefs: 00007FF73167C8B7
Maximum (%ld) redirects followed, xrefs: 00007FF73167C877

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree
String ID: GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s
API String ID: 1865132094-1312055526
Opcode ID: 31c77a37b0c0b8fbe5e53ac8bd18da749b3546c27af0e0e94c4b5068321a577e
Instruction ID: 09fb4643f2e227c3d6784907618d37b464dc3824ad9f7d76793c7095e94ba10f
Opcode Fuzzy Hash: 31c77a37b0c0b8fbe5e53ac8bd18da749b3546c27af0e0e94c4b5068321a577e
Instruction Fuzzy Hash: AA71D362E0C7A3D0E760ABA594403BDA7A2EB85B94F980035DE4D47699CFBDD441E320

Function 00007FF7316718B0 Relevance: 17.6, APIs: 14, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF73167192D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF73167194A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF73167195E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF73167197A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671997
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF7316719BA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF7316719CE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF7316719E2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A08
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A1C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A30
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A7F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671A8C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731671F35), ref: 00007FF731671AB5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9dafe04a3beda65af2da05c8c2c950cb73e504e5584e316465673385af97ca7b
Instruction ID: 830ccdb930d9d7235398a3996cd567d386bbc9ad10aee58db51a4825a5eade4e
Opcode Fuzzy Hash: 9dafe04a3beda65af2da05c8c2c950cb73e504e5584e316465673385af97ca7b
Instruction Fuzzy Hash: 2A51E831A08A92D1EB14AFA1D8502FDA3A2FF85F88F884435DE4E4B655CEA89445E370

Function 00007FF73169FB31 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FAA1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FAAF
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FBAD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FC16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FC2E

Part of subcall function 00007FF73169EB80: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169EB90

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FC56
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FC6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FC92
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FCDF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FCF4

Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE3C
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE46
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE50
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE5A
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE64
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE6E
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE78
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE82
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE8C
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FE96
Part of subcall function 00007FF73169FE30: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73169EE62,?,?,00000000,00007FF731675F6B,?,?,00000000,00007FF7316719B3,?,?,00000000,00007FF731671F35), ref: 00007FF73169FEA0

Strings

,, xrefs: 00007FF73169FB74
:, xrefs: 00007FF73169FB57

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$calloc$_strdup
String ID: ,$:
API String ID: 2460172880-4193410690
Opcode ID: 7f1723af25d2d3e2730a72a3583ce6dabcb50eb040c99ff26131150ba0febd47
Instruction ID: a6901c95dea7cd7622391eddab567b88e044d49e4fe80eda8ed7713602b2ebdc
Opcode Fuzzy Hash: 7f1723af25d2d3e2730a72a3583ce6dabcb50eb040c99ff26131150ba0febd47
Instruction Fuzzy Hash: 0351F712E0CB96D3F721AF7495102B9A362BF55B88F8592B4CE8D02652DFACF5C5E310

Function 00007FF73166D270 Relevance: 16.6, APIs: 11, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF73166D2B7
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF73166D2C7
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166D2DE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166D35A
strrchr.VCRUNTIME140 ref: 00007FF73166D377
strrchr.VCRUNTIME140 ref: 00007FF73166D387
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166D3B7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166D3C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166D3D2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166D3E3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166D3F9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup$free$strrchr$_access_stat64
String ID:
API String ID: 2557200964-0
Opcode ID: a425e0188cbebe21396c5b31fd7196939b60543e69e3bf0485de30aa4f04b208
Instruction ID: fa042d76931054cb97b9c645e6ce2099be3d9fa6860a06cff365dc4e4eaa60f4
Opcode Fuzzy Hash: a425e0188cbebe21396c5b31fd7196939b60543e69e3bf0485de30aa4f04b208
Instruction Fuzzy Hash: 23418221F09B12E5FB10BF92A854279A3B6FF49B90F844034CA9E57791DFBCE455E220

Function 00007FF7316725A0 Relevance: 16.4, APIs: 13, Instructions: 164stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7316725D8
strchr.VCRUNTIME140 ref: 00007FF7316725FF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316726B4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316726DA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316726FB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167270C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731672715
memcpy.VCRUNTIME140 ref: 00007FF731672733
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731672747
memcpy.VCRUNTIME140 ref: 00007FF731672764
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731672779
memcpy.VCRUNTIME140 ref: 00007FF731672791
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316727A6

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$mallocmemcpy$strchr
String ID:
API String ID: 1615377186-0
Opcode ID: 4a31933ddea44201a5d47b42c714698563d84d1637834a4103e73a14b779df92
Instruction ID: 7eb998ade4566c378452d8bfe0824b0c55c3af71c495a39d808937196452bd22
Opcode Fuzzy Hash: 4a31933ddea44201a5d47b42c714698563d84d1637834a4103e73a14b779df92
Instruction Fuzzy Hash: 89519F25F09BA1E2EB25AF55A514279E3A2BF48BC4F884439CE8E07744DF7CE405E320

Function 00007FF7316744C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674504
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674518
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167453C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731674549
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674572
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167457F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316745B0
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316745BD

Strings

Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF731674649

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdup
String ID: Couldn't find host %s in the .netrc file; using defaults
API String ID: 2653869212-3983049644
Opcode ID: 4dcf73271c8b8bacb8cfe7207693d9b5d91f111473b558ca7ff9bc1d3b6bb3d1
Instruction ID: c3ceaf5244b0741468880053676e9b09f3f70d4207cb95c1f7c947281c97ed2c
Opcode Fuzzy Hash: 4dcf73271c8b8bacb8cfe7207693d9b5d91f111473b558ca7ff9bc1d3b6bb3d1
Instruction Fuzzy Hash: 4871DC22E08BA2E3EB65ABA5D458379E7A2FB84744F440035DB9D47790DFBDE410E320

Function 00007FF731674468 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674504
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674518
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167453C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731674549
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674572
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167457F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316745B0
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316745BD

Strings

Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF731674649

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdup
String ID: Couldn't find host %s in the .netrc file; using defaults
API String ID: 2653869212-3983049644
Opcode ID: f2588b72eae4d2d83d4234019271e759b3b16d48f596f5c2917e1ce51cc32042
Instruction ID: 07cbfc3cbff4bfb8adb4ab50fae122202fa322305975c21e78ccc6ea07aa2263
Opcode Fuzzy Hash: f2588b72eae4d2d83d4234019271e759b3b16d48f596f5c2917e1ce51cc32042
Instruction Fuzzy Hash: 6151C362E08BA2D7EB159BA1D45837DA7A1FB44B84F894035CB9D47750DF7CE440E720

Function 00007FF73166278E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF731662729
strchr.VCRUNTIME140 ref: 00007FF731662750
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731662BEF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662BFA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662C05
GetLastError.KERNEL32 ref: 00007FF731662C0E
SetLastError.KERNEL32 ref: 00007FF731662C1A

Strings

SEC_E_BAD_PKGID, xrefs: 00007FF73166278E
%s (0x%08X), xrefs: 00007FF7316626D5
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_PKGID
API String ID: 600764987-1052566392
Opcode ID: 0efca67b4cdc14fbe91d37422af2e9fb08fc75ec36ce691b1a4c732ea022d591
Instruction ID: 261f1b68b76a7f8a1b5ecfcada48a7154465651a82ecd7c9b9b80f90b6b331e4
Opcode Fuzzy Hash: 0efca67b4cdc14fbe91d37422af2e9fb08fc75ec36ce691b1a4c732ea022d591
Instruction Fuzzy Hash: FA317262E0C6D1E6E761EFA1E4143AEB3A6FB88744FC04539CA8E02A95DF7CD544D720

Function 00007FF731662782 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF731662729
strchr.VCRUNTIME140 ref: 00007FF731662750
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731662BEF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662BFA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662C05
GetLastError.KERNEL32 ref: 00007FF731662C0E
SetLastError.KERNEL32 ref: 00007FF731662C1A

Strings

%s (0x%08X), xrefs: 00007FF7316626D5
SEC_E_BAD_BINDINGS, xrefs: 00007FF731662782
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_BINDINGS
API String ID: 600764987-2710416593
Opcode ID: a0204534bdfcb8b00a98a7e01e510a1d63ffabb6fbdf480f0e4bbfb348c73876
Instruction ID: a0a182197f46475f199f0d66bdcbb78efd2bdbee6ca2932c93cecfd8b8988894
Opcode Fuzzy Hash: a0204534bdfcb8b00a98a7e01e510a1d63ffabb6fbdf480f0e4bbfb348c73876
Instruction Fuzzy Hash: A6316162E0C6D1E6E761EFA1E4103AAB3A6FB88744F804539CA8E02A95DF7CD544D720

Function 00007FF7316627CA Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF731662729
strchr.VCRUNTIME140 ref: 00007FF731662750
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731662BEF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662BFA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662C05
GetLastError.KERNEL32 ref: 00007FF731662C0E
SetLastError.KERNEL32 ref: 00007FF731662C1A

Strings

%s (0x%08X), xrefs: 00007FF7316626D5
SEC_E_CERT_UNKNOWN, xrefs: 00007FF7316627CA
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_UNKNOWN
API String ID: 600764987-1381340633
Opcode ID: 298e794ac7706a66fab8b4d1c88976078ee655fcbdcb2b83b484b773f6ff4f63
Instruction ID: 32475f34b670c9b79c5a48703cc4abba2045baafdac6bb6fd6930f56f77393a2
Opcode Fuzzy Hash: 298e794ac7706a66fab8b4d1c88976078ee655fcbdcb2b83b484b773f6ff4f63
Instruction Fuzzy Hash: 2A317262E0C6D1E6E761EFA1E4103AEB3A6FB88744FC04539CA8E02A95DF7CD544D720

Function 00007FF7316627BE Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF731662729
strchr.VCRUNTIME140 ref: 00007FF731662750
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731662BEF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662BFA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662C05
GetLastError.KERNEL32 ref: 00007FF731662C0E
SetLastError.KERNEL32 ref: 00007FF731662C1A

Strings

%s (0x%08X), xrefs: 00007FF7316626D5
SEC_E_CERT_EXPIRED, xrefs: 00007FF7316627BE
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_EXPIRED
API String ID: 600764987-3862749013
Opcode ID: de0156c4063bd9a466d38293046c8cbb20a83bbdd5fd275fc8d816d0a695292a
Instruction ID: 761599afd97d647dcaacf58386224d444809c5b8aa368eb7f227128b3deffe63
Opcode Fuzzy Hash: de0156c4063bd9a466d38293046c8cbb20a83bbdd5fd275fc8d816d0a695292a
Instruction Fuzzy Hash: 95317262E0C6D1E6E721EFA1E4103AEB3A6FB88745FC04539CA8E02A95DF7CD544D720

Function 00007FF7316627B2 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF731662729
strchr.VCRUNTIME140 ref: 00007FF731662750
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731662BEF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662BFA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662C05
GetLastError.KERNEL32 ref: 00007FF731662C0E
SetLastError.KERNEL32 ref: 00007FF731662C1A

Strings

%s (0x%08X), xrefs: 00007FF7316626D5
SEC_E_CANNOT_PACK, xrefs: 00007FF7316627B2
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_PACK
API String ID: 600764987-1502336670
Opcode ID: a99f060a03aed788ed5e06c1aa8b7c80c7450bad84408ad51638c64175808135
Instruction ID: 327eb8e323f726549bdb6282dbf1be6b95476544c475d0cc4dc46741beba1397
Opcode Fuzzy Hash: a99f060a03aed788ed5e06c1aa8b7c80c7450bad84408ad51638c64175808135
Instruction Fuzzy Hash: 52317462E0C6D1E6E761EFA1E4103AEB3A6FB88744FC04539DA8E02A95DF7CD544D720

Function 00007FF73166279A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF731662729
strchr.VCRUNTIME140 ref: 00007FF731662750
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731662BEF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662BFA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662C05
GetLastError.KERNEL32 ref: 00007FF731662C0E
SetLastError.KERNEL32 ref: 00007FF731662C1A

Strings

SEC_E_BUFFER_TOO_SMALL, xrefs: 00007FF73166279A
%s (0x%08X), xrefs: 00007FF7316626D5
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BUFFER_TOO_SMALL
API String ID: 600764987-1965992168
Opcode ID: 829df8a539cfc324d627f26e87fab25fce76e1812c0feca66b179d4148e9b6fe
Instruction ID: 4ae0e248447b349fed76022f2f88272cc7e25ca9868d5296963568a075237507
Opcode Fuzzy Hash: 829df8a539cfc324d627f26e87fab25fce76e1812c0feca66b179d4148e9b6fe
Instruction Fuzzy Hash: 31317262E0C6D1E6E761EFA1E4103AEB3A6FB88744FC04539CA8E02A95DF7CD544D720

Function 00007FF7316627A6 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF731662729
strchr.VCRUNTIME140 ref: 00007FF731662750
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731662BEF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662BFA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662C05
GetLastError.KERNEL32 ref: 00007FF731662C0E
SetLastError.KERNEL32 ref: 00007FF731662C1A

Strings

%s (0x%08X), xrefs: 00007FF7316626D5
SEC_E_CANNOT_INSTALL, xrefs: 00007FF7316627A6
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_INSTALL
API String ID: 600764987-2628789574
Opcode ID: 97b1c77c699c43dc9b389d94b9c168d1f79c38719a14beb900fe4c4e939f7505
Instruction ID: 3b1d7deefed9606560a41f95e82531e15e331d32354be6d4693c2830e8e16720
Opcode Fuzzy Hash: 97b1c77c699c43dc9b389d94b9c168d1f79c38719a14beb900fe4c4e939f7505
Instruction Fuzzy Hash: 7A317262E0D6D1E6E721EFA1E4103AEB3A6FB88744FC04539CA8E02A95DF7CD544D720

Function 00007FF7316626CE Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF731662729
strchr.VCRUNTIME140 ref: 00007FF731662750
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731662BEF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662BFA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662C05
GetLastError.KERNEL32 ref: 00007FF731662C0E
SetLastError.KERNEL32 ref: 00007FF731662C1A

Strings

%s (0x%08X), xrefs: 00007FF7316626D5
SEC_E_ALGORITHM_MISMATCH, xrefs: 00007FF7316626CE
%s - %s, xrefs: 00007FF731662BD9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_ALGORITHM_MISMATCH
API String ID: 600764987-618797061
Opcode ID: baaace8c9324e1153c16d76581dd1b850064508bf1f345ef6eeb36c0a0138756
Instruction ID: f37ce8acec85220174ad0d1cac8e116b97aa90626912b9aef5401b8284a19c7e
Opcode Fuzzy Hash: baaace8c9324e1153c16d76581dd1b850064508bf1f345ef6eeb36c0a0138756
Instruction Fuzzy Hash: 03318262E0C6D1E6E721EFA1E4143AEB3A6FB88744F804539CA8E02A95DF7CD544D720

Function 00007FF73166B2B0 Relevance: 15.1, APIs: 10, Instructions: 67COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000000,?,00007FF73166AD2E,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316719F9), ref: 00007FF73166B2D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B329
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B333
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B33D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B347
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B351
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B35B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B365
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B36F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166B378

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_time64
String ID:
API String ID: 3087401894-0
Opcode ID: 94b7a02d5bc3b31133621eaaf653b4e2e7eeaf76c314e2bfd27b0698e7b4643e
Instruction ID: 7dbc7537598f9ce7f45c0e6f1589b2ea46a07923dd4e10ab428c48d61da909bc
Opcode Fuzzy Hash: 94b7a02d5bc3b31133621eaaf653b4e2e7eeaf76c314e2bfd27b0698e7b4643e
Instruction Fuzzy Hash: 02213C36F08A61E1EB20AFA2E840229B371FB88F84F484435DE9E13714DEBCD441E360

Function 00007FF731657439 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

invalid number; expected digit after '.', xrefs: 00007FF7316577D7
invalid number; expected '+', '-', or digit after exponent, xrefs: 00007FF731657987

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID: invalid number; expected '+', '-', or digit after exponent$invalid number; expected digit after '.'
API String ID: 0-808606891
Opcode ID: b7f0683384f41ca6ab58209a4010d6c5d75d2bd6ba60dd59bf4ed1c60fdea11b
Instruction ID: 0968073f5b255383b91ad60e0dc1661f9ee8e2a839e381bddd91f55c507206cd
Opcode Fuzzy Hash: b7f0683384f41ca6ab58209a4010d6c5d75d2bd6ba60dd59bf4ed1c60fdea11b
Instruction Fuzzy Hash: C7B190A2D08A91E5E7249F68D46027CB773FB15B58FE04531DA4E022D4DFB8E985E360

Function 00007FF7316AEB80 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEC4A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEC98
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AECFB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AEE39

Part of subcall function 00007FF7316A2BE0: strchr.VCRUNTIME140(00000000,?,?,00007FF7316A219F), ref: 00007FF7316A2C26
Part of subcall function 00007FF7316A2BE0: strchr.VCRUNTIME140(00000000,?,?,00007FF7316A219F), ref: 00007FF7316A2C36
Part of subcall function 00007FF7316A2BE0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00007FF7316A219F), ref: 00007FF7316A2C60
Part of subcall function 00007FF7316A2BE0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A2C95
Part of subcall function 00007FF7316A2BE0: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A2CBA
Part of subcall function 00007FF7316A2BE0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A2CDC

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316AEEC4

Strings

GSSAPI handshake failure (empty challenge message), xrefs: 00007FF7316AED43
Kerberos, xrefs: 00007FF7316AEC13, 00007FF7316AECB5
GSSAPI, xrefs: 00007FF7316AEB83

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup$callocmallocstrchr$freestrncpy
String ID: GSSAPI$GSSAPI handshake failure (empty challenge message)$Kerberos
API String ID: 370574955-353107822
Opcode ID: 2fe9f476cda5ddcfb5fd74fde3a49d13dafdadeb69060985bcf90e8757b530e3
Instruction ID: 78fea5a2f102e3db0d71b013a538cb93bdb567dabe714784639fe1471e63b6c5
Opcode Fuzzy Hash: 2fe9f476cda5ddcfb5fd74fde3a49d13dafdadeb69060985bcf90e8757b530e3
Instruction Fuzzy Hash: 8CA16A72E08B65DAEB50EFA5E4402ADB3A6FB44B88F800036DE4D53B58DF78E815D750

Function 00007FF731669AF5 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669B3A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669B5A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669BAB

Part of subcall function 00007FF73166B3C0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166B3C6

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669CB1

Strings

%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF731669F57
Added, xrefs: 00007FF731669F4D
Replaced, xrefs: 00007FF731669F41
FALSE, xrefs: 00007FF731669C8B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 1169197092-2292467869
Opcode ID: ca865e3b18f49c2f7f6df22b3d467dfa3524c642cbc228afabb56fa03d8f7f64
Instruction ID: fffcc7af0fcd6ca613daca51ab03004447b141e8a7650468251393d1aeb8842a
Opcode Fuzzy Hash: ca865e3b18f49c2f7f6df22b3d467dfa3524c642cbc228afabb56fa03d8f7f64
Instruction Fuzzy Hash: 2D916122E0C7A2E9EF71ABA59554379E7F2EF05744F884035CE8E06695DFACE444E320

Function 00007FF731669C03 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 169COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669C06
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669CB1

Strings

%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF731669F57
Added, xrefs: 00007FF731669F4D
Replaced, xrefs: 00007FF731669F41
FALSE, xrefs: 00007FF731669C8B
__Host-, xrefs: 00007FF731669C3D
__Secure-, xrefs: 00007FF731669C20

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$__Host-$__Secure-
API String ID: 1169197092-978722393
Opcode ID: fcc99ede26ec38440564b6c2f8745eb3033eae7c13b2b39be326ceef7692c5fb
Instruction ID: 355cc931c5b774fe75d526daaa43beb3bdec52e98fd0ca36bdb093239713e4c8
Opcode Fuzzy Hash: fcc99ede26ec38440564b6c2f8745eb3033eae7c13b2b39be326ceef7692c5fb
Instruction Fuzzy Hash: A5715321E0C7A2E9FF71ABA69444379E7F2AF05744F884035CE8E06695DFACE444E320

Function 00007FF731674930 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674A0C
strchr.VCRUNTIME140 ref: 00007FF731674A40
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF731674A60
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731674AE4

Strings

anonymous, xrefs: 00007FF731674940
Connecting to hostname: %s, xrefs: 00007FF731674ABB
Connecting to port: %d, xrefs: 00007FF731674B00
%s%s%s, xrefs: 00007FF7316749CF

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$strchrstrtol
String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d$anonymous
API String ID: 137861075-1224060940
Opcode ID: 4e57ebf75fa7549b9b18d69bf1f02a4c5f2f03d803ecc02c17af4985ee83a9e8
Instruction ID: f69daf92866d516d393fd5441fdd95b338d90baf714c8fe802b16883de1def05
Opcode Fuzzy Hash: 4e57ebf75fa7549b9b18d69bf1f02a4c5f2f03d803ecc02c17af4985ee83a9e8
Instruction Fuzzy Hash: 7051F422E08AE2E5EB31EF51A8003A9A792FB45B98F844135DEDD07799DF7CE501D720

Function 00007FF7316649A7 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 109COMMON

Download Yara Rule

Strings

FLUSH, xrefs: 00007FF731664A33
ALL, xrefs: 00007FF7316649B3
RELOAD, xrefs: 00007FF731664A55
SESS, xrefs: 00007FF7316649F3
Set-Cookie:, xrefs: 00007FF731664AC8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: ALL$FLUSH$RELOAD$SESS$Set-Cookie:
API String ID: 1294909896-1147549499
Opcode ID: 9d5eb10f013f42e61abe6509040428495e53b4b6b69cbb74a3940447ef100371
Instruction ID: a86e22b673079b82b6f3ccc87e8c676a181ed9a1938cd09c16b0f2e324f6c015
Opcode Fuzzy Hash: 9d5eb10f013f42e61abe6509040428495e53b4b6b69cbb74a3940447ef100371
Instruction Fuzzy Hash: B7418F10F1C573E2FB24BBA299512B9D3A3AF44BC0F885035DE0E47686DEADE401A370

Function 00007FF731696CB1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140 ref: 00007FF731696CC3
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731696CDE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731696D0A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731696D2F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731696E0C

Strings

Wildcard - Parsing started, xrefs: 00007FF731696DA7

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup$callocfreestrrchr
String ID: Wildcard - Parsing started
API String ID: 2641349667-2274641867
Opcode ID: efd104096123f095724a507316b2b3770aa51028f776586ecbdeaaf1593d2643
Instruction ID: 123cd88f87e00fce8e3e059a31439d04a65db027aebc36047d82c442612e2fbe
Opcode Fuzzy Hash: efd104096123f095724a507316b2b3770aa51028f776586ecbdeaaf1593d2643
Instruction Fuzzy Hash: CF516D32E08B52D6EB15EF91E4441B8B7A6FB84B44F894475CE5E0B354EFB8E445E320

Function 00007FF7316A73DC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A7403
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Strings

Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937
FALSE, xrefs: 00007FF7316A73F8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdup
String ID: Serial Number: %s$ Signature Algorithm: %s$FALSE$Serial Number$Signature Algorithm
API String ID: 2653869212-3672398475
Opcode ID: e07c45d19973509e67b550ba4295e2b84292b797af6f8f338bbd6149bdbebad7
Instruction ID: d69183d8f803b017a4514361a345c1dfad0b218e7b46bcbecdd6719a53888fb0
Opcode Fuzzy Hash: e07c45d19973509e67b550ba4295e2b84292b797af6f8f338bbd6149bdbebad7
Instruction Fuzzy Hash: E541D6A5F097A2E4EB10ABA594141F9A766BF05788FC84436CE4E17356DF7CE040E320

Function 00007FF73169F220 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 223COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F375
memcpy.VCRUNTIME140 ref: 00007FF73169F392

Strings

%%25%s], xrefs: 00007FF73169F3A2
file://%s%s%s, xrefs: 00007FF73169F26E
https, xrefs: 00007FF73169F2B0
%ld, xrefs: 00007FF73169F2DE
file, xrefs: 00007FF73169F23B
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF73169F562

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: mallocmemcpy
String ID: %%25%s]$%ld$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 4276657696-1832275178
Opcode ID: 7d32dc7c02c0576a480f03aa2b20523e87f0181136edf8925a4e73fa6a3427c9
Instruction ID: 8dabf47437682c4b089c490825810a9dff137d4d6a8bf1f9d43e18e66d0b679b
Opcode Fuzzy Hash: 7d32dc7c02c0576a480f03aa2b20523e87f0181136edf8925a4e73fa6a3427c9
Instruction Fuzzy Hash: FEA1A362E09BA2E5EB64EF91A5003A9B7AAFF44B84F8581B1CE4D03759DF7CD400E710

Function 00007FF7316A828C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 174COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A82CF
memcpy.VCRUNTIME140 ref: 00007FF7316A82F5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A83C8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8439
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8502

Strings

Expire Date, xrefs: 00007FF7316A840D
Public Key Algorithm: %s, xrefs: 00007FF7316A84D2
Public Key Algorithm, xrefs: 00007FF7316A84B8
Expire Date: %s, xrefs: 00007FF7316A8427

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 3401966785-2901970132
Opcode ID: fbe24e366b728afa5db670c27b8319507fe6065f7f31e2c79264c5bae932625d
Instruction ID: 27265a6054fc3ddad702cb092f4ef9af9ae63162502c9529bc90df04af4e18d5
Opcode Fuzzy Hash: fbe24e366b728afa5db670c27b8319507fe6065f7f31e2c79264c5bae932625d
Instruction Fuzzy Hash: A56146A1E087A2E5EB18ABE180141B9A7A7FF05785F845535CE5F077D5EEBCE004E320

Function 00007FF7316A7716 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 169COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A774F
memcpy.VCRUNTIME140 ref: 00007FF7316A777A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Strings

Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3401966785-517259162
Opcode ID: 742c0360e6210f7455115ce56e8553b7ac11c260097db8010f3a55c0742de8cc
Instruction ID: e11a421c65656b9d1472d579dc775b651ad26c8688012411b458447c654aa990
Opcode Fuzzy Hash: 742c0360e6210f7455115ce56e8553b7ac11c260097db8010f3a55c0742de8cc
Instruction Fuzzy Hash: 81613891E096B2E5FB18A7A184142B9AB93AF057C4F844536CE5F077D5EEADE005E320

Function 00007FF7316A17C0 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF731684E28), ref: 00007FF7316A1950
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF731684E28), ref: 00007FF7316A1987
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF731684E28), ref: 00007FF7316A19AE

Strings

%sAuthorization: NTLM %s, xrefs: 00007FF7316A1968, 00007FF7316A1A14
NTLM, xrefs: 00007FF7316A17C6
Proxy-, xrefs: 00007FF7316A195E, 00007FF7316A1A0A
HTTP, xrefs: 00007FF7316A17D6

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
API String ID: 1294909896-3948863929
Opcode ID: 28345fe83e5f92978302311b7c25afe45d2fd59016ff0eb21e1732458eff48fc
Instruction ID: a9e859df88ed8a504192322d75004c368af5dc2b118254179ef630d5e7a95896
Opcode Fuzzy Hash: 28345fe83e5f92978302311b7c25afe45d2fd59016ff0eb21e1732458eff48fc
Instruction Fuzzy Hash: 5A618B72A08B91D1EB60EF95E4483AAB3A6FB84B84F804036DE8D47794DFBCD445D720

Function 00007FF731698450 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 111stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73166B460: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166B4A4

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169856D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316985C5
memcpy.VCRUNTIME140 ref: 00007FF7316985EA

Strings

Got RTSP Session ID Line [%s], but wanted ID [%s], xrefs: 00007FF73169857E
Got a blank Session ID, xrefs: 00007FF731698517
Unable to read the CSeq header: [%s], xrefs: 00007FF7316984C2
CSeq:, xrefs: 00007FF73169846D
Session:, xrefs: 00007FF7316984DE
: %ld, xrefs: 00007FF731698491

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: __stdio_common_vsscanfmallocmemcpystrncmp
String ID: : %ld$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Unable to read the CSeq header: [%s]
API String ID: 1392894463-1168109407
Opcode ID: 18990fc156d9d11678551ccf624d1351fa5d6f5ee740d5d836fb751b64834d78
Instruction ID: c28ae2e9870e35b6d05414207aae45304a37cee53886980d826905ae2a2e2687
Opcode Fuzzy Hash: 18990fc156d9d11678551ccf624d1351fa5d6f5ee740d5d836fb751b64834d78
Instruction Fuzzy Hash: 83411A21E0C6A6E3FB50AF95A4402B9A792EF45B80FC46171DA5E473C9DF6CE505E330

Function 00007FF7316AC560 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 252stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AC5F8
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AC654
strchr.VCRUNTIME140 ref: 00007FF7316AC83C
strchr.VCRUNTIME140 ref: 00007FF7316AC8AA

Strings

APM0123456789:, xrefs: 00007FF7316AC835
<DIR>, xrefs: 00007FF7316AC780
0123456789-, xrefs: 00007FF7316AC8A3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$mallocrealloc
String ID: 0123456789-$<DIR>$APM0123456789:
API String ID: 359134164-4291660576
Opcode ID: 1572c55741b108669f971dfd891189aed3ed9b688e2cf8bed39c0b620db78256
Instruction ID: 04fd1158213dc867d79962ac54aa4295129620360a1bab1e95cb1a135d15245a
Opcode Fuzzy Hash: 1572c55741b108669f971dfd891189aed3ed9b688e2cf8bed39c0b620db78256
Instruction Fuzzy Hash: CBB17FB6E08B51D6EB24AF69D45033DA7A6FB44B58F948035CE4E07395CFB8E441E360

Function 00007FF73167DCB0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167DD0A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167DE0E
WSAIoctl.WS2_32 ref: 00007FF73167DF67
setsockopt.WS2_32 ref: 00007FF73167DF8F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167E086

Strings

We are completely uploaded and fine, xrefs: 00007FF73167DFFA
Failed to alloc scratch buffer!, xrefs: 00007FF73167DE20

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: malloc$Ioctlsetsockopt
String ID: Failed to alloc scratch buffer!$We are completely uploaded and fine
API String ID: 3352517165-607151321
Opcode ID: 37c91d115c048257879a0c65adaa0570cb7da73129e3d55efdf3d83ff34d8aa6
Instruction ID: c4f584887f7a7bee7d86f721f1adb8ac40592da1568a39844cbd794fe261d4eb
Opcode Fuzzy Hash: 37c91d115c048257879a0c65adaa0570cb7da73129e3d55efdf3d83ff34d8aa6
Instruction Fuzzy Hash: 18B18032E08AD2D5EB62AF65D4043FDA392EB44B98F484535CE4D0A789DFBC94A5D320

Function 00007FF73169E830 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169E877
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169E8DB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169EA0F

Part of subcall function 00007FF73168C9C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF731673D4F), ref: 00007FF73168C9EE

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169E90E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169EA4D

Strings

%s?%s, xrefs: 00007FF73169E869
Failed sending Gopher request, xrefs: 00007FF73169EA15

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: %s?%s$Failed sending Gopher request
API String ID: 111713529-132698833
Opcode ID: 164ea82d3232166ef85f91b6db07d9d597c5792fc24d443685aab8426ac854b5
Instruction ID: f254c365727efddb9196449b00e167dfe40d35df04c507ff35f0f8aeb0d8a7e2
Opcode Fuzzy Hash: 164ea82d3232166ef85f91b6db07d9d597c5792fc24d443685aab8426ac854b5
Instruction Fuzzy Hash: 2851E821F09AA2D2F711ABA6A4005B9A391FF85BE4F844231DE6D477D5DF7CD402E710

Function 00007FF731659510 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165AA1D
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165AA4B
__std_exception_destroy.VCRUNTIME140 ref: 00007FF73165AA59
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165AA93
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165AAE4

Strings

value, xrefs: 00007FF73165A989

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: value
API String ID: 1346393832-494360628
Opcode ID: 4a4d25d41ed406c1d0a011403156945727fdde6037d227963cedff3a9bb42d56
Instruction ID: 8f4892396bd887aba9a6e0064d44806efbb52e5665ab02b18158ff3d75c49d19
Opcode Fuzzy Hash: 4a4d25d41ed406c1d0a011403156945727fdde6037d227963cedff3a9bb42d56
Instruction Fuzzy Hash: 78613772E18A91D6EB10DBB5E8543ED6362EF443A4F405335DAAC02AD9DFBCE081D350

Function 00007FF731697500 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,0000006C,?,00000000), ref: 00007FF731697536
_open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0000006C,?,00000000), ref: 00007FF73169758B
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0000006C,?,00000000), ref: 00007FF7316975FC
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0000006C,?,00000000), ref: 00007FF731697609
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0000006C,?,00000000), ref: 00007FF73169771B

Strings

Can't get the size of %s, xrefs: 00007FF731697612
Can't open %s for writing, xrefs: 00007FF73169759B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _close$_fstat64_openstrchr
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 423814720-3544860555
Opcode ID: 47806318dad57eb09a6b322e9798bef99cc3e6e357c7198381fcfe81f338dd94
Instruction ID: 7403bbf50bf44f4e450ec5881da399d302be66204e3f8addc4608fad88570f70
Opcode Fuzzy Hash: 47806318dad57eb09a6b322e9798bef99cc3e6e357c7198381fcfe81f338dd94
Instruction Fuzzy Hash: E651C662F08AA2E2EB14AB6594103BDA3D7FF84BD4F848435DA4E47381DFBCE4019760

Function 00007FF73169F770 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73169F780
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdupstrtol
String ID: %%%02x
API String ID: 2999891020-4020994737
Opcode ID: 644ecf454b5406c55117dfc577d459684ad165775d5b9113ed441861368e03cd
Instruction ID: d2d842193df37588b62ff229b893b7747b975df75949b61e4a4f523edbb878b1
Opcode Fuzzy Hash: 644ecf454b5406c55117dfc577d459684ad165775d5b9113ed441861368e03cd
Instruction Fuzzy Hash: 4551E811E0D2B2E6FB61A7509010378AF969F41754F8A01F5DE9E063C1DEADE444F320

Function 00007FF73169F746 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F753
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc$_strdup
String ID: %%%02x
API String ID: 1496848336-4020994737
Opcode ID: bb92e0fb6e8724d6a603b74c0048d4e019eb1dcf875e4f0697c5b41cb2e9f126
Instruction ID: a4bf9b264bc12db47006278b1e38f30fb304493ea046776959ff999e0822fcaa
Opcode Fuzzy Hash: bb92e0fb6e8724d6a603b74c0048d4e019eb1dcf875e4f0697c5b41cb2e9f126
Instruction Fuzzy Hash: A041D611E0D2F2E6EB62AB516114378AF96AF06754F8A01F5DEDE063C1DEADE444F320

Function 00007FF7316A74AE Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A74B1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Part of subcall function 00007FF731670B80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2

Strings

Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 111713529-517259162
Opcode ID: 0fa73a337b14f544b56cbf689623e98a816b00dcf3c2286807af888b4a2c9cbe
Instruction ID: 68131e347f97bba396ed98ea84457caeb879635afcbd7ccc86e9d8becfd0d60d
Opcode Fuzzy Hash: 0fa73a337b14f544b56cbf689623e98a816b00dcf3c2286807af888b4a2c9cbe
Instruction Fuzzy Hash: 1D318591E097A2E4EF10ABE194141F9A7A76F05788FC85835CE4E17396EFBDE404E320

Function 00007FF7316A759D Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 165COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Strings

Serial Number, xrefs: 00007FF7316A7892
GMT, xrefs: 00007FF7316A764E
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7316A76C1

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Serial Number$Signature Algorithm
API String ID: 1294909896-599393795
Opcode ID: 388a09dec5b697b908bc13682b02e5d7ea3e4acabdcfc6577ff0b92c602df413
Instruction ID: e49336279a70bbde7dff0a94b41d5448090acb03c63534988add403d8ff9b3a5
Opcode Fuzzy Hash: 388a09dec5b697b908bc13682b02e5d7ea3e4acabdcfc6577ff0b92c602df413
Instruction Fuzzy Hash: 7961F0A1E0D6F2E4EB10ABA594141B9FBA6AF01784FC49436CE8D07795DFBDE501E320

Function 00007FF7316A8895 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A88D8
memcpy.VCRUNTIME140 ref: 00007FF7316A88FE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A89D2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Strings

Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc$memcpy
String ID: Signature: %s$Signature
API String ID: 901724546-1663925961
Opcode ID: 88c815334131e338bb9b5bca162bc0b0591a3bf54374b822b0adf169f96e1fa6
Instruction ID: 1978008539cc9e9b84fc1e7b45de332f3177241657b096714fdf70b5635e8d3c
Opcode Fuzzy Hash: 88c815334131e338bb9b5bca162bc0b0591a3bf54374b822b0adf169f96e1fa6
Instruction Fuzzy Hash: 6F5178A1F086A2D1EF18AA9990143B9A796FB417D4F840136CE9F077D5EEACE005E321

Function 00007FF73166F7E0 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166F826
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166F852
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73166F87E

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup
String ID:
API String ID: 1169197092-0
Opcode ID: 1b0595316675f82772fc28900d3198f3d8a03ff6b87a63347f3563558c6d9905
Instruction ID: 13c591226fe562cb5c520daf572650eec4135f20f63350c43813dc64ac9438d6
Opcode Fuzzy Hash: 1b0595316675f82772fc28900d3198f3d8a03ff6b87a63347f3563558c6d9905
Instruction Fuzzy Hash: 71517F26F1ABA1D2EB55DF95E050128B7B4FB48B84B481179DF9D03B48DF38D4A1D710

Function 00007FF7316A74D7 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Strings

Serial Number, xrefs: 00007FF7316A7892
GMT, xrefs: 00007FF7316A7536
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7316A7589

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Serial Number$Signature Algorithm
API String ID: 1294909896-3876350232
Opcode ID: 3c568e79d8b76ca8c0f4947349ea53ad1015d81a9fc9ab77821cedc04fbb5508
Instruction ID: 3c7b1e3d1eeafc9d5ba1c5b2eedabdc61159bb5ff71660c5a7212354d39161e4
Opcode Fuzzy Hash: 3c568e79d8b76ca8c0f4947349ea53ad1015d81a9fc9ab77821cedc04fbb5508
Instruction Fuzzy Hash: E25194A1E097A2E4EB10ABA194101F9A767BF05B88FC85436CE4E17295DFBDE505E320

Function 00007FF7316A8294 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A82CF
memcpy.VCRUNTIME140 ref: 00007FF7316A82F5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8439
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8502

Strings

Expire Date, xrefs: 00007FF7316A840D
Public Key Algorithm: %s, xrefs: 00007FF7316A84D2
Public Key Algorithm, xrefs: 00007FF7316A84B8
Expire Date: %s, xrefs: 00007FF7316A8427

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 3401966785-2901970132
Opcode ID: 546c04391f3f1894b024eb3058d86346fbee1fd25c8aed46030c2e58979d9950
Instruction ID: 2b59164d31981934ffc81e68718aa5ddcd7e0a72dcd3b681daefa3725a1e871e
Opcode Fuzzy Hash: 546c04391f3f1894b024eb3058d86346fbee1fd25c8aed46030c2e58979d9950
Instruction Fuzzy Hash: 9B41B6A1E087A2E4EB14ABE194141F9A3A7BF05789F845535CE4D07795EFBCE104E320

Function 00007FF73168D270 Relevance: 11.3, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D33C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D34A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D358
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D366
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D374
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D382
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D390
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D39E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168D3AC

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 055e168fb65f423c57915a892bfce5b182b090623d16bc49fd49c5fdfd9f067a
Instruction ID: facd2c05072b2c7d067f4c246ceae7d7aa8eb04c524273b494c89a0641aaafdb
Opcode Fuzzy Hash: 055e168fb65f423c57915a892bfce5b182b090623d16bc49fd49c5fdfd9f067a
Instruction Fuzzy Hash: A4415172E08B62D2E721AF61E840238B3B5FB49F98F844535DA8D53755CF78D850E3A0

Function 00007FF73166A1B0 Relevance: 11.3, APIs: 9, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A22A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A234
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A23E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A248
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A252
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A25C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A266
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A270
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A279

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c643178a85888b15959d4e7ca118a99b6d7baaba478ac413579d56a64d74c09d
Instruction ID: 47406d4fd48cf24171165e7a68c32ffcde0bea8739262ff301a34772170ba378
Opcode Fuzzy Hash: c643178a85888b15959d4e7ca118a99b6d7baaba478ac413579d56a64d74c09d
Instruction Fuzzy Hash: 0B311836B08A61D2E720AF91E804229B375FB89FC4F485435DE9D03B58CEBDD841E750

Function 00007FF73166A2D0 Relevance: 11.3, APIs: 9, Instructions: 32COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A2E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A2F3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A2FD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A307
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A311
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A31B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A325
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A32F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166A338

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: aab127bf0e8542732e3c18ba64e321ddd3c5e6f1a73537df46da66dd3b5eae98
Instruction ID: f377e56ef92a45b6f4166ba26515abf2aeb83fbd9703161790970b61c5b58364
Opcode Fuzzy Hash: aab127bf0e8542732e3c18ba64e321ddd3c5e6f1a73537df46da66dd3b5eae98
Instruction Fuzzy Hash: 450188A6B14A51D2DB24AFA2E954138A332FF89F89B441435CE9E43728CF6CD855F360

Function 00007FF7316A4860 Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73166C540: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166C576
Part of subcall function 00007FF73166C540: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166C586
Part of subcall function 00007FF73166C540: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166C594
Part of subcall function 00007FF73166C540: memset.VCRUNTIME140 ref: 00007FF73166C5CF

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A4929
memcpy.VCRUNTIME140 ref: 00007FF7316A4944
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A495E

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$mallocmemcpymemset
String ID:
API String ID: 1579693990-0
Opcode ID: 9adbed3489a0455967ee38d16e91ff20980ce936b9dff803bb5791a7768888f6
Instruction ID: 9c9a7d4865baa0daae84b321072e4e710fe1ca266ea6d813038e987254ea843c
Opcode Fuzzy Hash: 9adbed3489a0455967ee38d16e91ff20980ce936b9dff803bb5791a7768888f6
Instruction Fuzzy Hash: F4919491F0D7A2E3FB54BA969850379A392BF55BC4F884034DE4D47786EFACE411A320

Function 00007FF731679920 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 217stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7316798E8), ref: 00007FF731679A35
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7316798E8), ref: 00007FF731679A4F

Strings

I32, xrefs: 00007FF731679A25, 00007FF731679A85
I64, xrefs: 00007FF731679A45, 00007FF731679AAF
Internal error removing splay node = %d, xrefs: 00007FF731679932

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strncmp
String ID: I32$I64$Internal error removing splay node = %d
API String ID: 1114863663-13178787
Opcode ID: d020502a0aad6548a9fc5c856e23caf1e5c9a0eb830765948bd8cbd63a349f29
Instruction ID: 096018763f04b8a3a01db76f7dab5b37307c19ef05eb9f0e1c62201f663d8b78
Opcode Fuzzy Hash: d020502a0aad6548a9fc5c856e23caf1e5c9a0eb830765948bd8cbd63a349f29
Instruction Fuzzy Hash: 23A1F132E08A92D6EB20EF55E4807BDBBE5FB49B58F858135CA8D42254DF7CD208D720

Function 00007FF731688240 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF73166B26A,?,?,?,?,?,?,?,00007FF73166B037), ref: 00007FF731688251
strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF7316883F3
strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF731688410

Strings

0123456789abcdef, xrefs: 00007FF7316883E2, 00007FF7316883EC
0123456789ABCDEF, xrefs: 00007FF731688402, 00007FF731688409
TRUE, xrefs: 00007FF73168837C

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$_errno
String ID: 0123456789ABCDEF$0123456789abcdef$TRUE
API String ID: 2644425738-1191287149
Opcode ID: 7c5d4e7d2faa273dc8e58ced809aa81b5d23591f7467f2b6c40110dc8b8441fb
Instruction ID: e4ea3e93f3e4f0da16697ceef0b85a6150d088aea22c9dafb90a89511acf4ad0
Opcode Fuzzy Hash: 7c5d4e7d2faa273dc8e58ced809aa81b5d23591f7467f2b6c40110dc8b8441fb
Instruction Fuzzy Hash: 0C514622F0D7A6E1EF61EB95A40017EF396AB46B88FC45035DA4D07B49DEBCE841D321

Function 00007FF731669ABC Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669AC2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669CB1

Strings

%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF731669F57
Added, xrefs: 00007FF731669F4D
Replaced, xrefs: 00007FF731669F41
FALSE, xrefs: 00007FF731669C8B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 1169197092-2292467869
Opcode ID: 89921e5045aa1bf9a23ae42e992a4559efa58c6d9410c08d490ab42addd9fe22
Instruction ID: aee82cf56646e727d8a63341d697801850fb2419e2e4319514b2dbf5cf9ca7c7
Opcode Fuzzy Hash: 89921e5045aa1bf9a23ae42e992a4559efa58c6d9410c08d490ab42addd9fe22
Instruction Fuzzy Hash: 73615122E0D7A2E9FF71AB959444379E7F6AF05744F884136CE8E02695DFACE444E320

Function 00007FF731669C59 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669C5C

Part of subcall function 00007FF731688030: strchr.VCRUNTIME140 ref: 00007FF731688066

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669CB1

Strings

%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF731669F57
Added, xrefs: 00007FF731669F4D
Replaced, xrefs: 00007FF731669F41
FALSE, xrefs: 00007FF731669C8B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdup$strchr
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 3404610657-2292467869
Opcode ID: 718985d21e520d1b072cf07532dfd847f788abc06b80695c7eb07deb992d717e
Instruction ID: e944d54c4acefb023271df28815e54e04795fb071c785cb7dc3ef16f0b97e809
Opcode Fuzzy Hash: 718985d21e520d1b072cf07532dfd847f788abc06b80695c7eb07deb992d717e
Instruction Fuzzy Hash: 47616222E0D7A2E9FF71ABA59444379E7F6AF04744F884036DE8D02695DFACE444E320

Function 00007FF731690C00 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731690C4A
memcpy.VCRUNTIME140 ref: 00007FF731690D61
memcpy.VCRUNTIME140 ref: 00007FF731690DD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731690DFE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731690E10

Strings

Failed to alloc scratch buffer!, xrefs: 00007FF731690C60

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freememcpy$malloc
String ID: Failed to alloc scratch buffer!
API String ID: 169112436-1446904845
Opcode ID: 7003f5548eb5358d85f7ebd30a04f5c6e39e6462f2b69b151650209b3d6d25c0
Instruction ID: 1dbf924cd39ff1bc7127efcfef28c9fc6494fa772e8dc77e282e5b194747d0a3
Opcode Fuzzy Hash: 7003f5548eb5358d85f7ebd30a04f5c6e39e6462f2b69b151650209b3d6d25c0
Instruction Fuzzy Hash: 6F51B972A18BD1E6EB20AFA6A0002AAB7A9FB09784F840035CF8D47751CF7CE154D720

Function 00007FF7316A870B Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Strings

GMT, xrefs: 00007FF7316A87BE
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7316A882F
Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Signature
API String ID: 2190258309-3231818857
Opcode ID: 55d78412daaa31d674ec054b636355c7addbf0a6c2a3f49e325662ff4e4aa6d3
Instruction ID: 8fe46570923cfab13941094faeab78c70a17f38c6b91b1c793fca90edc0bd5df
Opcode Fuzzy Hash: 55d78412daaa31d674ec054b636355c7addbf0a6c2a3f49e325662ff4e4aa6d3
Instruction Fuzzy Hash: 1C51F4A2E0C6E2E5EB10DBA5A4042BDF7AAFB45B81F845431CA8D03755DFBCD505E320

Function 00007FF731693B10 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 145networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF731693CB6

Part of subcall function 00007FF7316AAE40: memcpy.VCRUNTIME140 ref: 00007FF7316AAEE8
Part of subcall function 00007FF7316AAE40: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AAEF9

Strings

QUOT string not accepted: %s, xrefs: 00007FF731693CDF
We got a 421 - timeout!, xrefs: 00007FF731693CF5
FTP response aborted due to select/poll error: %d, xrefs: 00007FF731693CC4
*, xrefs: 00007FF731693C84
FTP response timeout, xrefs: 00007FF731693D23

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLastfreememcpy
String ID: *$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$We got a 421 - timeout!
API String ID: 1248052217-2335292235
Opcode ID: 5d14121661d1e2f5dbcd0de15715932a0bc18030e3bf133a22cf6d3d745a1936
Instruction ID: 505ab76b905342f3d070dc93a5c71d4a78c1c55ae64050e2cae0990a408c0e37
Opcode Fuzzy Hash: 5d14121661d1e2f5dbcd0de15715932a0bc18030e3bf133a22cf6d3d745a1936
Instruction Fuzzy Hash: 37510B21F08AA3E6FB64B6B684103B99352BF84794F848175DE4D872C5EFACE445A310

Function 00007FF73169C8F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

recvfrom.WS2_32 ref: 00007FF73169C950
memcpy.VCRUNTIME140 ref: 00007FF73169C976
memchr.VCRUNTIME140 ref: 00007FF73169CA73

Strings

Received too short packet, xrefs: 00007FF73169C9A2
TFTP error: %s, xrefs: 00007FF73169CA90
Internal error: Unexpected packet, xrefs: 00007FF73169CA18

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memchrmemcpyrecvfrom
String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
API String ID: 3107918033-477593554
Opcode ID: 3a54981905c914cdaef3556359282fe403773f15e8db7d6cbb4857878a6436a4
Instruction ID: 673ded19e2d027ac5b3c9d27bddd72291e584f25a85e42b689515a72248fd9dd
Opcode Fuzzy Hash: 3a54981905c914cdaef3556359282fe403773f15e8db7d6cbb4857878a6436a4
Instruction Fuzzy Hash: 0751E471E085A2E6EB64EF65D4103B9B392EB46B84F848132DA4D47789DF7CE405EB30

Function 00007FF7316523B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731656E10: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF73165240B), ref: 00007FF731656E8E
Part of subcall function 00007FF731656E10: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF73165240B), ref: 00007FF731656E9C
Part of subcall function 00007FF731656E10: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF73165240B), ref: 00007FF731656EB2

Part of subcall function 00007FF731653BF0: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF731651DCB), ref: 00007FF731653C36

Part of subcall function 00007FF731655E10: memcpy.VCRUNTIME140(?,?,?,00007FF731651DFA), ref: 00007FF731655EA1

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316524A9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316524E8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652536
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652584

Strings

at line , xrefs: 00007FF7316523FC
, column , xrefs: 00007FF731652439

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID: at line $, column
API String ID: 2665656946-191570568
Opcode ID: ac706bb0521000e4c115238f0d9df125bc0f969b470b4f5ee90fe16b4f1feced
Instruction ID: 2a4ab03db5fa14f6338c6034aa0a31115015b9519f6ce218541ec63b7f578761
Opcode Fuzzy Hash: ac706bb0521000e4c115238f0d9df125bc0f969b470b4f5ee90fe16b4f1feced
Instruction Fuzzy Hash: 6C51C6A2F04A92D5FB00EBB5D4543AC6372EB487A8F405234DE6D13BDADEB8D485E350

Function 00007FF731654A40 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,?,?,00007FF73165318B,?,?,?,00007FF731653144), ref: 00007FF731654AD3
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF73165318B,?,?,?,00007FF731653144), ref: 00007FF731654B27
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,00000000,?,?,00007FF73165318B,?,?,?,00007FF731653144), ref: 00007FF731654B4E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF73165318B,?,?,?,00007FF731653144), ref: 00007FF731654B76
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,?,?,00007FF73165318B,?,?,?,00007FF731653144), ref: 00007FF731654BBC
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF73165318B,?,?,?,00007FF731653144), ref: 00007FF731654BC3
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,?,?,00007FF73165318B,?,?,?,00007FF731653144), ref: 00007FF731654BD0

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: 5dcba8bc086b18adc160d8fe20d3abbad6873a0da564532fe75aa746724f9a3a
Instruction ID: c43f0b3777832ab19946517d32641c1b873e42a60538ec96159e649ef0a9a65f
Opcode Fuzzy Hash: 5dcba8bc086b18adc160d8fe20d3abbad6873a0da564532fe75aa746724f9a3a
Instruction Fuzzy Hash: 2151B432A08A51D2EB60DF5BE0A0338E7A2EB84F95F54C675CE5E437A4DF79D442A310

Function 00007FF7316A1470 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,Negotiate,?,00007FF731684E06), ref: 00007FF7316A15CD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,Negotiate,?,00007FF731684E06), ref: 00007FF7316A15E3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A15F5

Strings

%sAuthorization: Negotiate %s, xrefs: 00007FF7316A15AE
Negotiate, xrefs: 00007FF7316A1476, 00007FF7316A1552
Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 00007FF7316A1521
Proxy-, xrefs: 00007FF7316A159D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$Proxy-
API String ID: 1294909896-1255959952
Opcode ID: 3f6686c5872a1f6a81ecd9e0f058412ef29e7e2cd2025b5abae98a3b82803512
Instruction ID: 1992c300ed423a60ad033204a0adfdaec726650e1f119249478122c458fe3f84
Opcode Fuzzy Hash: 3f6686c5872a1f6a81ecd9e0f058412ef29e7e2cd2025b5abae98a3b82803512
Instruction Fuzzy Hash: E551E7B2E09662E5FB11EBA5D4402BDA7A6FB41B94F884031DA8D83681DFBDE451D320

Function 00007FF73169F7C7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 1fb06e9a3e7450c4a3794c0b93c4f63385b47844a9cf2e3dc595b16c47b35eb1
Instruction ID: e2caa26647456e57d96381f2efe1558377500fecdadbc7fbb879385154d8dd88
Opcode Fuzzy Hash: 1fb06e9a3e7450c4a3794c0b93c4f63385b47844a9cf2e3dc595b16c47b35eb1
Instruction Fuzzy Hash: 8841D611E0D2F2E6EB62AB556110379AF96AF01754F8A01F5DEDE063C1DEADE444F320

Function 00007FF73169F7B7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: dfaed6e386e33724cb2e223900adcbd9f7fef9935f9687bffa3bbf8d2aa51031
Instruction ID: 23577c268459835bce1f66bf59287d8af6757287c379589b2764e2030f96cb17
Opcode Fuzzy Hash: dfaed6e386e33724cb2e223900adcbd9f7fef9935f9687bffa3bbf8d2aa51031
Instruction Fuzzy Hash: D241E511E0D2F2E6FB62A7556110378AF969F02754F8A01F1DEDE063C1DEADE444E320

Function 00007FF73169F762 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: b67b34d9d2b74a6abba1901238562642ff15dceaa1a23bc772bb3e51d676fca3
Instruction ID: 86b4665c8575a0ca6d01865fb68848899356a60ae91af16b413b329ffbf5e689
Opcode Fuzzy Hash: b67b34d9d2b74a6abba1901238562642ff15dceaa1a23bc772bb3e51d676fca3
Instruction Fuzzy Hash: B341E611E0D2F2E6FB62AB956110378AF969F06754F8A01F1DE9E063C1DEADE444F320

Function 00007FF73169F738 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 3c17b8edd8f51791b30496a62c6b8e61968bdc908898effc3d30ade1595102bd
Instruction ID: 87b3e14d2c2b82b96d1daeed0f0528322d2fe510ba5d4ddf475f190f5966cc28
Opcode Fuzzy Hash: 3c17b8edd8f51791b30496a62c6b8e61968bdc908898effc3d30ade1595102bd
Instruction Fuzzy Hash: 3C41E611E0D2F2E6FB62AB556110378AF969F02754F8A01F1DE9E063C1DEADE444F320

Function 00007FF73169F72A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 2e3edc563f2aee38bc4da222f14dc07a5d5f3b87b8ef437c646bcd55731b9087
Instruction ID: 6ec5a03e34454e2f0fbaa10ff6edbe0928b5dde3df961689b810cfa7e334b640
Opcode Fuzzy Hash: 2e3edc563f2aee38bc4da222f14dc07a5d5f3b87b8ef437c646bcd55731b9087
Instruction Fuzzy Hash: 7341E611E0D2F2E6FB62AB656110378AF969F02754F8A01F1DE9E063C1DEADE444F320

Function 00007FF73169F71C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: a5c0cff52b00059ef7d8c77f212d0b1658b3423eb890fb7911eff90761143d53
Instruction ID: 04b814884b345aee493d1afbb76ad26a341c775d27a55853ead33977cfdaf6d9
Opcode Fuzzy Hash: a5c0cff52b00059ef7d8c77f212d0b1658b3423eb890fb7911eff90761143d53
Instruction Fuzzy Hash: 7941D511E0D2F2E6FB62AB556110378AF969F02754F8A01F1DE9E063C1DEADE444F320

Function 00007FF73169F7ED Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F82D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169F87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169F93A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169FA3B

Strings

%%%02x, xrefs: 00007FF73169F8E3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: eebc2a546fc8e6feac9b87d948e5f37beee0bb11b8e0f088ce828c99f435c154
Instruction ID: a232c66f81fe68b4d3d199a4aa4e155a6d377e567bf0bd62d324e205fe8b4de5
Opcode Fuzzy Hash: eebc2a546fc8e6feac9b87d948e5f37beee0bb11b8e0f088ce828c99f435c154
Instruction Fuzzy Hash: 9741E511E0D2F2E6FB62AB556110378AF969F06750F8A01F1DE9E063C1DEADE444E320

Function 00007FF73169D440 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73169D458
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73169D5C1

Strings

set timeouts for state %d; Total %ld, retry %d maxtry %d, xrefs: 00007FF73169D59C
gfff, xrefs: 00007FF73169D4CC
gfff, xrefs: 00007FF73169D538
Connection time-out, xrefs: 00007FF73169D47B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
API String ID: 1670930206-870032562
Opcode ID: 293506947766e32d74f725f200bba93e5a6cab1f91c5436f01adaa20fbc03ab6
Instruction ID: eaa5a77cfe3020b9c827c03c132e18e767606b0980b15607c906238868f884b5
Opcode Fuzzy Hash: 293506947766e32d74f725f200bba93e5a6cab1f91c5436f01adaa20fbc03ab6
Instruction Fuzzy Hash: 0A411372F24625D3DB20DF6AE400668B3A1F798F88F905032DE0C8B789DE79E541CB40

Function 00007FF7316848D0 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7316849B6
strchr.VCRUNTIME140 ref: 00007FF7316849C9
strchr.VCRUNTIME140 ref: 00007FF7316849DB

Strings

Expect: 100-continue, xrefs: 00007FF731684A38
100-continue, xrefs: 00007FF7316849F6
Expect:, xrefs: 00007FF73168495E
Expect, xrefs: 00007FF731684937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr
String ID: 100-continue$Expect$Expect:$Expect: 100-continue
API String ID: 2830005266-711804848
Opcode ID: 7e7249d2413e93b8756c8e5a769afa0f3ec6f63a671b70d6ce7e4fc1b7ebd840
Instruction ID: 2983df14410f9e4e7ad78791c3e4171d65ff6fca68893a8a9bcd487329f8b20b
Opcode Fuzzy Hash: 7e7249d2413e93b8756c8e5a769afa0f3ec6f63a671b70d6ce7e4fc1b7ebd840
Instruction Fuzzy Hash: 43412D21F0C7A2E2EF14FB9AA4002B8E792DF45784FC85034DE4D0BB8ADE9CE4419724

Function 00007FF73167CCA0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 106COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73167CDEA

Strings

the ioctl callback returned %d, xrefs: 00007FF73167CD95
ioctl callback returned error %d, xrefs: 00007FF73167CDAF
Cannot rewind mime/post data, xrefs: 00007FF73167CE20
seek callback returned error %d, xrefs: 00007FF73167CD3E
necessary data rewind wasn't possible, xrefs: 00007FF73167CDF5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: fseek
String ID: Cannot rewind mime/post data$ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
API String ID: 623662203-959247533
Opcode ID: 4a180bee4e4fa4266d05dc575f122d72706373429b7470aa6994d42db28c7cb0
Instruction ID: 0589c380d29e2370eb4b9e2823f16ea2a9923762070304747b23369a02fea834
Opcode Fuzzy Hash: 4a180bee4e4fa4266d05dc575f122d72706373429b7470aa6994d42db28c7cb0
Instruction Fuzzy Hash: C541C572E04A92D1EB50EFA694403B85393EB84B84F885031DE0E4B399DFBDE490D760

Function 00007FF7316A864E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Strings

GMT, xrefs: 00007FF7316A86A4
Signature, xrefs: 00007FF7316A8A0F
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7316A86E4
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Signature
API String ID: 2190258309-3662781045
Opcode ID: 950803be5321596d8ae6dcd6400d6715bd22c82becce96dbb6edd16642afa6e7
Instruction ID: 410e6846b810ef50068fecc60c9fbb827232621323aad62aa7d692121d52fa36
Opcode Fuzzy Hash: 950803be5321596d8ae6dcd6400d6715bd22c82becce96dbb6edd16642afa6e7
Instruction Fuzzy Hash: 8441B262E08AA2E1EB10EFA5E4001F9E3AAFB45784FC86032DA8D17755DFBCD545D320

Function 00007FF7316A7411 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Strings

%s%lx, xrefs: 00007FF7316A7466
Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%s%lx$Serial Number$Signature Algorithm
API String ID: 1294909896-659367561
Opcode ID: f392083efe6b65ded1fc2e6bc662f49a9fc365949f050ff65cdf9f05b9f96eba
Instruction ID: 28a593d4cd011869e55de9d7ad05a177c153903eea3bb548a87839c0dc652f07
Opcode Fuzzy Hash: f392083efe6b65ded1fc2e6bc662f49a9fc365949f050ff65cdf9f05b9f96eba
Instruction Fuzzy Hash: FF41BB91F0D6A2E4EF10ABE594141F9AB97AF05788FC45831CE4E17796EE7DE004E360

Function 00007FF731690750 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169078D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316907FE

Strings

., xrefs: 00007FF7316907F7

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree
String ID: .
API String ID: 1865132094-916926321
Opcode ID: 027f7fe9b366bf7d7183bdacec28f6c9f86bb076554f293a86ea0004c285c0c6
Instruction ID: 868e643e63806e048c3ae100e9a40bf26b8d5b4eda1ac6eee3eba4ea99b720c2
Opcode Fuzzy Hash: 027f7fe9b366bf7d7183bdacec28f6c9f86bb076554f293a86ea0004c285c0c6
Instruction Fuzzy Hash: 0D41B622F08F65E2FB10EB959500379A3AAFB44B80F854075DA4D8B680DFBCE451E7A0

Function 00007FF7316A771E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A774F
memcpy.VCRUNTIME140 ref: 00007FF7316A777A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Strings

Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3401966785-517259162
Opcode ID: 25f84c5534454b8c43c74e32c76f92ce0ee4c5d2a495e4f678ebbaf9449bc15d
Instruction ID: 5fa31de185e80e2d04ea5615c9ecbc0852d0e7653a8a52a479c374e3e7e43f13
Opcode Fuzzy Hash: 25f84c5534454b8c43c74e32c76f92ce0ee4c5d2a495e4f678ebbaf9449bc15d
Instruction Fuzzy Hash: 3341B6A1E097A2E0EB10ABA294141F9A763BF05788FC45435CE0E17795EFBDE504E320

Function 00007FF7316A889D Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A88D8
memcpy.VCRUNTIME140 ref: 00007FF7316A88FE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Strings

Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$memcpy
String ID: Signature: %s$Signature
API String ID: 3519880569-1663925961
Opcode ID: 41a64bd3ee70ac3280c524507bdb8a6bfecaf95fafe27d1a23f5f35e8675915e
Instruction ID: 943ce2d1f55f01ae90f8a5374f244901fada408466bb4c69aa9dfaeaf6598c80
Opcode Fuzzy Hash: 41a64bd3ee70ac3280c524507bdb8a6bfecaf95fafe27d1a23f5f35e8675915e
Instruction Fuzzy Hash: 4131C5A1F09B92D1EF20EB96A4142B9A3A6BF45BD4F841532CE5D17795EF7CE001D310

Function 00007FF73168F276 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73166B460: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73166B4A4

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168F2B4
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73168F2C6

Strings

Select failed, xrefs: 00007FF73168F358
OK [UIDVALIDITY %19[0123456789]], xrefs: 00007FF73168F298
Mailbox UIDVALIDITY has changed, xrefs: 00007FF73168F2FE

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: __stdio_common_vsscanf_strdupfree
String ID: Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$Select failed
API String ID: 860312144-3309259123
Opcode ID: 4f8b19885a3942946affcb2a731a69568565c9aeb0bd8ea935e111cb0f4ff412
Instruction ID: 612598e8e94ecc655d2b26871704118e5913a5356a74ad3706efb61901a83cca
Opcode Fuzzy Hash: 4f8b19885a3942946affcb2a731a69568565c9aeb0bd8ea935e111cb0f4ff412
Instruction Fuzzy Hash: 3B31A032E0C662E2EB60FB90E4001BDA366FF45B84F944072CA4D47A55DFACE851E3A1

Function 00007FF7316A79A8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A79DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7EC9

Strings

Start Date: %s, xrefs: 00007FF7316A7EB7
Start Date, xrefs: 00007FF7316A7E9D
FALSE, xrefs: 00007FF7316A79D1
TRUE, xrefs: 00007FF7316A79CA

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree
String ID: Start Date: %s$FALSE$Start Date$TRUE
API String ID: 1865132094-176635895
Opcode ID: 26fd87226f7b76be0d7ca323069a9011490084f438441079654d859d0cb0e761
Instruction ID: ee5cf853bc1d4824d9a19b480e9d6736b8d520ebe40a574c2a4e608d710dbf03
Opcode Fuzzy Hash: 26fd87226f7b76be0d7ca323069a9011490084f438441079654d859d0cb0e761
Instruction Fuzzy Hash: EC21D3A1F0C6E2E5EB20AB91A4542B9B7A7FB05788FC88431CA4E07355DF7DE440D320

Function 00007FF7316A8625 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A8628
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Part of subcall function 00007FF731670B80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2

Strings

Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: Signature: %s$Signature
API String ID: 1941130848-1663925961
Opcode ID: ca1245fe2eff767ec2f233e59202265185292fa145f8adc7ec0566ffc5c026f4
Instruction ID: cd3231a98bd0b99458d073fa46755667bc525ef1d33e8ed1aeb9963ec1a73249
Opcode Fuzzy Hash: ca1245fe2eff767ec2f233e59202265185292fa145f8adc7ec0566ffc5c026f4
Instruction Fuzzy Hash: 2C216562F08B92D5EB50EB95A4542BAA3A6FF45784F841431DE4D17725EF7CD001D710

Function 00007FF73166F990 Relevance: 10.0, APIs: 8, Instructions: 33COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9A1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9B1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9BF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9CD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9DB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9E9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166F9F7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731673196), ref: 00007FF73166FA05

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6067c455441f06eacc75c484e81e95a2b8bf68b1b5c4620927136906145762a9
Instruction ID: 1ea423ae2c38efe426cb9c64c1353ef20306ec2dfd340e5f6f5402cc6c2c4bbc
Opcode Fuzzy Hash: 6067c455441f06eacc75c484e81e95a2b8bf68b1b5c4620927136906145762a9
Instruction Fuzzy Hash: A801D776A08B11D2D710AF61E58423CB3B5FB89F887501529CEDE43718CF78C4A5E360

Function 00007FF731672A60 Relevance: 9.2, APIs: 6, Instructions: 161COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF7316732DB), ref: 00007FF731672A77
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF7316732DB), ref: 00007FF731672AA8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 4fe3cdd50797a9d4038df01a147244b90b8d9f1f8f08ad952520229b325114c1
Instruction ID: 267e8213e6864a7d03f6ecadfa5a513f26479b4680a3fa2db9fa58def135b6d3
Opcode Fuzzy Hash: 4fe3cdd50797a9d4038df01a147244b90b8d9f1f8f08ad952520229b325114c1
Instruction Fuzzy Hash: 4E91AD22A09BC1D9D7159F7894403ED77A1F759B28F48023ACFAC0B3C6CF6991A4D721

Function 00007FF73165C640 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF73165C72A
memcpy.VCRUNTIME140 ref: 00007FF73165C739
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165C76D
memcpy.VCRUNTIME140 ref: 00007FF73165C774
memcpy.VCRUNTIME140 ref: 00007FF73165C783
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73165C7A8

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: a20e593d4bd82ef9cc10abe2e2397c5f0dd4fde0d56d9362464a2f7d70bc2716
Instruction ID: 25f7632d34d6aaeed7c7deddc90bdb780c595e812f79ca1627d24312281661ef
Opcode Fuzzy Hash: a20e593d4bd82ef9cc10abe2e2397c5f0dd4fde0d56d9362464a2f7d70bc2716
Instruction Fuzzy Hash: 5F31E1A1B18A61E1EF14EB5295141B8E36AEF48BE0F940631DE6D07BC5CFBCE085D320

Function 00007FF731679140 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF731679225
VerSetConditionMask.KERNEL32 ref: 00007FF731679234
VerSetConditionMask.KERNEL32 ref: 00007FF731679246
VerSetConditionMask.KERNEL32 ref: 00007FF731679258
VerSetConditionMask.KERNEL32 ref: 00007FF73167926E
VerifyVersionInfoA.KERNEL32 ref: 00007FF731679281

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 886a942f540bc7cf8f29631a9320e31e516c52bfc616a14f4d3cfc983c6169fc
Instruction ID: 81d5f44398ac55cdff447c2322e5e311e630c81d4436f37e9b44a8f84967647e
Opcode Fuzzy Hash: 886a942f540bc7cf8f29631a9320e31e516c52bfc616a14f4d3cfc983c6169fc
Instruction Fuzzy Hash: 9341F822E1C6A1D6F330EB51B4147BAF3E1EBD5301F419239EAC903A54DE7DE495AB10

Function 00007FF7316A824F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8439
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8502

Strings

Expire Date, xrefs: 00007FF7316A840D
Public Key Algorithm: %s, xrefs: 00007FF7316A84D2
Public Key Algorithm, xrefs: 00007FF7316A84B8
Expire Date: %s, xrefs: 00007FF7316A8427

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 1294909896-2901970132
Opcode ID: 7c92a4bbe7371fb4b1d8e617a56d88ad3c7bf77f1d7e34ffe023260c47be8e9d
Instruction ID: 40dc6431dee77f04cdfd51aa2947a741a71e8c15bb3dbdd19c4887a76e0afd7b
Opcode Fuzzy Hash: 7c92a4bbe7371fb4b1d8e617a56d88ad3c7bf77f1d7e34ffe023260c47be8e9d
Instruction Fuzzy Hash: 7041C5A1E087A2A4EB10ABA194141F9B7A7FF05789F885535CE5E07795EF7CE104D320

Function 00007FF7316A2BE0 Relevance: 9.1, APIs: 6, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,?,?,00007FF7316A219F), ref: 00007FF7316A2C26
strchr.VCRUNTIME140(00000000,?,?,00007FF7316A219F), ref: 00007FF7316A2C36
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00007FF7316A219F), ref: 00007FF7316A2C60
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A2C95
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A2CBA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A2CDC

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupstrchr$mallocstrncpy
String ID:
API String ID: 2121287944-0
Opcode ID: f3e0fd5fc6c556495a85d1937cda66a0595a23ab214d23e79ede491f7e511163
Instruction ID: 3e31cb8dce698d527ff26f84dd85f72a39f391bff496e8fa90a17e05ad612421
Opcode Fuzzy Hash: f3e0fd5fc6c556495a85d1937cda66a0595a23ab214d23e79ede491f7e511163
Instruction Fuzzy Hash: 1F31A322E0DB91DAEB54FF92A440279A7A2BF49B80F544638DE5F03791DFBCE0509310

Function 00007FF7316AE190 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AE239
memcpy.VCRUNTIME140 ref: 00007FF7316AE255
memcpy.VCRUNTIME140 ref: 00007FF7316AE26C
memcpy.VCRUNTIME140 ref: 00007FF7316AE287
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AE2BA

Strings

PLAIN, xrefs: 00007FF7316AE19B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy$freemalloc
String ID: PLAIN
API String ID: 3313557100-4000620671
Opcode ID: b2f10b0df633edde4c663c154711e900b01d618fb6a07a779d575b7840397b43
Instruction ID: 807d8c929d6332461d9e549d6ce8b1e4bc79eb01433906984f71aa4e6cc55d26
Opcode Fuzzy Hash: b2f10b0df633edde4c663c154711e900b01d618fb6a07a779d575b7840397b43
Instruction Fuzzy Hash: C731F3A6E08B91D2EB10DF91E4502AAB791FB45BE8F848631DE9C077D5DE7CE015D320

Function 00007FF7316A76DF Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Strings

Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: 7b7e3b5bfc8c0bbd38473bdcac9e04d71a842dd77c58079ce5dae42441d08063
Instruction ID: b9dc96ac0ab076c2383318adca63d448dc4564dfbfbdc3027cb9533979705f52
Opcode Fuzzy Hash: 7b7e3b5bfc8c0bbd38473bdcac9e04d71a842dd77c58079ce5dae42441d08063
Instruction Fuzzy Hash: 2A41BAA5F097A2E4EB10ABA194141F9A766BF05BC8F885436CE4E17795DF7CE104E320

Function 00007FF731690271 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316902F6
memcpy.VCRUNTIME140 ref: 00007FF731690311
strchr.VCRUNTIME140 ref: 00007FF73169032D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169033E

Strings

Got unexpected pop3-server response, xrefs: 00007FF731690291
CAPA, xrefs: 00007FF731690354

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: callocfreememcpystrchr
String ID: CAPA$Got unexpected pop3-server response
API String ID: 2887963327-1591402739
Opcode ID: 7b13aeeb5f174c84a05b40aad520cf0a66e54b04a4a91b3024b38faf5081b1cc
Instruction ID: 3f6e7372f0a112bbf5a31c36d82efc61bcb311d0c27c961abf807df61cb8770d
Opcode Fuzzy Hash: 7b13aeeb5f174c84a05b40aad520cf0a66e54b04a4a91b3024b38faf5081b1cc
Instruction Fuzzy Hash: FC310361F0CBA2F3EB09AB9195402B9A39ABF01354F844175CA1E83391CFBCF465E320

Function 00007FF7316A8580 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Strings

%s%lx, xrefs: 00007FF7316A85DD
Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%s%lx$Signature
API String ID: 2190258309-1406629954
Opcode ID: 9264e6448cedd647a91235911ff1229aaed000e140e40ead4778aa69a6d9dffe
Instruction ID: 31205ef1cd933411a74fea96b54d07f47398e2196d99ee430afcefe75324418b
Opcode Fuzzy Hash: 9264e6448cedd647a91235911ff1229aaed000e140e40ead4778aa69a6d9dffe
Instruction Fuzzy Hash: DD31E5A2F086A2E5EB20ABA5E4542B9A3A6FF45BC4FC41431DE4D07755EE6DE000E720

Function 00007FF7316A7481 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Strings

Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: ea154de60150d50552c2718d6fc22c5b5b235f255668f2ffea73f60108924b44
Instruction ID: c9cee3619199789f8cbb5dd858ead61748ab2c98d21b69d3ea99f15e977eaf8b
Opcode Fuzzy Hash: ea154de60150d50552c2718d6fc22c5b5b235f255668f2ffea73f60108924b44
Instruction Fuzzy Hash: 87318791E097A2E4EF10ABE194140F9A767AF05788FC45835CE4E17396EEBDE404E320

Function 00007FF731698610 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731698621
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169868D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169869F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupcallocfree
String ID:
API String ID: 1236595397-0
Opcode ID: e8613d0294d1cc7f92a55901f0896a61e06b1b620139e0056f4eaf019247f7ed
Instruction ID: ae0e1746d8964d0536a1c722e07ba92a0a671cf84ebe868159f86ca5e64cc703
Opcode Fuzzy Hash: e8613d0294d1cc7f92a55901f0896a61e06b1b620139e0056f4eaf019247f7ed
Instruction Fuzzy Hash: 0231E232E08B99C2EB40DB64E0103BDA7A1EB86B88F981074DE8C0B794DF7DD4919720

Function 00007FF7316A74BF Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7316A9140: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A918C

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Part of subcall function 00007FF731670B80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2

Strings

Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3061335427-517259162
Opcode ID: bd3d540a2484f9cd3a53e73c16194a4881832abcfbe8509155d6b2d58ebfcfa6
Instruction ID: 9159d7143e20a4c869af51f76266da0760b9473eb28150bb8906c5ded6d1a020
Opcode Fuzzy Hash: bd3d540a2484f9cd3a53e73c16194a4881832abcfbe8509155d6b2d58ebfcfa6
Instruction Fuzzy Hash: B731A991E097A2E4EF10ABE194140F9A767AF05788FC45835CE4E17396EF7DE400E320

Function 00007FF7316A7499 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7316AAC50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AAC85

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A78BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7963

Part of subcall function 00007FF731670B80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2

Strings

Serial Number, xrefs: 00007FF7316A7892
Serial Number: %s, xrefs: 00007FF7316A78AC
Signature Algorithm: %s, xrefs: 00007FF7316A7951
Signature Algorithm, xrefs: 00007FF7316A7937

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3061335427-517259162
Opcode ID: db235a4450c5f349b9ab72eb30da38325840abdeb67f20acb983d19fc2a4c14d
Instruction ID: 9afbd9b61bceb39dae19852b4144a7f4f1b28267736d3fb6b43d7542b0405add
Opcode Fuzzy Hash: db235a4450c5f349b9ab72eb30da38325840abdeb67f20acb983d19fc2a4c14d
Instruction Fuzzy Hash: C331A891E097A2E4EF10ABE194140F9A767AF05788FC45836CE4E17396EF7CE400E320

Function 00007FF7316962A3 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316962BF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169633B

Strings

SITE NAMEFMT 1, xrefs: 00007FF73169631C
OS/400, xrefs: 00007FF731696309

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemalloc
String ID: OS/400$SITE NAMEFMT 1
API String ID: 3061335427-2049154998
Opcode ID: ad2d57b8bdb64e64066a1e9082085b36c03f6f800f1ceea49132c5796a990990
Instruction ID: 5063a65ac8eb8a4a66eac8a68189a49b84b1d1785c72dcbbe1ad782352cb1401
Opcode Fuzzy Hash: ad2d57b8bdb64e64066a1e9082085b36c03f6f800f1ceea49132c5796a990990
Instruction Fuzzy Hash: 9331B431E0D7E2D2F771ABA5A5503B8A362BB45784F8080B1CA8D53685DEBCE446F720

Function 00007FF73166B9B0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF73166B9E3
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF73166B9F7
CloseHandle.KERNEL32 ref: 00007FF73166BA04
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF73166BA26
closesocket.WS2_32 ref: 00007FF73166BA44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF73166BA5D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: 8733a8bd44e2f7f02a246a01e5749e81d6759ab44664e7c36cc05855e83f8b24
Instruction ID: d8f33f05742c9a2cd84523b56a7183cd57a9fd232e1f42bc1e0b893267d5bf02
Opcode Fuzzy Hash: 8733a8bd44e2f7f02a246a01e5749e81d6759ab44664e7c36cc05855e83f8b24
Instruction Fuzzy Hash: 20212F36B08A51D6E720EF92E58026DA371FB89B91F444135CF8E03B55CFB9E4A5D710

Function 00007FF731669BE8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7316880E0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731688101

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669CB1

Strings

%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF731669F57
Added, xrefs: 00007FF731669F4D
Replaced, xrefs: 00007FF731669F41
FALSE, xrefs: 00007FF731669C8B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _errno_strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 2151398962-2292467869
Opcode ID: fe4fbd5b161871837b2c6627368ccb15061f77f956633df05ad5df12efc7a7c4
Instruction ID: 1b507cb2ae881e2c765ed5a27a9210e2545085b0afa363f8c75927ddc5fc5a77
Opcode Fuzzy Hash: fe4fbd5b161871837b2c6627368ccb15061f77f956633df05ad5df12efc7a7c4
Instruction Fuzzy Hash: D3616422D0C7A2E9FF71AB9594443B9E7F6AF04744F884136DE8D02695DFACE444E320

Function 00007FF731669ADD Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731688030: strchr.VCRUNTIME140 ref: 00007FF731688066

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731669CB1

Strings

%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF731669F57
Added, xrefs: 00007FF731669F4D
Replaced, xrefs: 00007FF731669F41
FALSE, xrefs: 00007FF731669C8B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupstrchr
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 3727083984-2292467869
Opcode ID: cb176cf49a18697cb9ff187e0e2f934d8353dd0dd209865de60e80541dbafc35
Instruction ID: 03807c6898e80a620d644a6207aed721cb56ecfd5cca364483b9f815c7aa2e3c
Opcode Fuzzy Hash: cb176cf49a18697cb9ff187e0e2f934d8353dd0dd209865de60e80541dbafc35
Instruction Fuzzy Hash: E4617222E0D7A2E9FF71ABA59444379E7F6AF04744F884036DE8D02695DFACE444E320

Function 00007FF731682AE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731682CED
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731682D05

Strings

The requested URL returned error: %d, xrefs: 00007FF731682C8E
Forcing HTTP/1.1 for NTLM, xrefs: 00007FF731682BA9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree
String ID: Forcing HTTP/1.1 for NTLM$The requested URL returned error: %d
API String ID: 1865132094-1204028548
Opcode ID: a5ad95a8d7228f168eaad1fb3b6ca0d0b0f4a4159d4623a918b39f703ac308c2
Instruction ID: 5d251191168efc8f469919c0825664dfd8080fc46d051865dd8dd9d318e9e27e
Opcode Fuzzy Hash: a5ad95a8d7228f168eaad1fb3b6ca0d0b0f4a4159d4623a918b39f703ac308c2
Instruction Fuzzy Hash: 2351CB71E0C6A2E1F7A4AFE4C1403F9A792EB49788F880039DA4E47A85DF6CE450D330

Function 00007FF731652650 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731654350: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF731654381

Part of subcall function 00007FF731653C70: memcpy.VCRUNTIME140 ref: 00007FF731653CC3

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652722
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731652770
__std_exception_copy.VCRUNTIME140 ref: 00007FF7316527C0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73165280D

Strings

out_of_range, xrefs: 00007FF731652696

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$__std_exception_copy
String ID: out_of_range
API String ID: 2484256320-3053435996
Opcode ID: 416aaa0d375e5eec63550c4ab23ce1862656c62d6f6218db7ac47a387bde8a41
Instruction ID: 434badeaf478ab2ad4b4876eda0c49120d50261650e070798d0e5eef987ad05e
Opcode Fuzzy Hash: 416aaa0d375e5eec63550c4ab23ce1862656c62d6f6218db7ac47a387bde8a41
Instruction Fuzzy Hash: 1651B272F18B52E9FB00DFA5D4503AC7366EB48798F808235EA5D02AD9DFB8E195D310

Function 00007FF731654350 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF731654381
memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF731654446
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF73165449A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7316544A1

Part of subcall function 00007FF7316AFB48: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73165442E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF7316AFB62

Strings

https://keyauth.win/api/1.2/, xrefs: 00007FF731654352

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: https://keyauth.win/api/1.2/
API String ID: 1155477157-3933380396
Opcode ID: 80e07f2ec084bafb4c9b2edb4020a5aa9b86da915471fa139b76f77608c9046b
Instruction ID: 00049f67e13bb6c3f1696f3964d2b2c58c406142451f580e8144e2a2f43de973
Opcode Fuzzy Hash: 80e07f2ec084bafb4c9b2edb4020a5aa9b86da915471fa139b76f77608c9046b
Instruction Fuzzy Hash: 88310AA2F0A6A595EF19EA9795202789752DF04FF4F840670CE3D077D5EEBCE4829310

Function 00007FF73167F890 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167F8FA
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167F96B
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73167F9CB

Strings

:%u, xrefs: 00007FF73167F90E, 00007FF73167F974
Hostname in DNS cache was stale, zapped, xrefs: 00007FF73167F9F2

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: tolower$_time64
String ID: :%u$Hostname in DNS cache was stale, zapped
API String ID: 4068448496-2924501231
Opcode ID: a1bcfb6b737e128f22dc2304d54d207902b239ab6957f751d3e806f713f45f87
Instruction ID: 7f71647cf56432619a75d88c466e2d7b9b86906a58905c6124469eefc1fa8959
Opcode Fuzzy Hash: a1bcfb6b737e128f22dc2304d54d207902b239ab6957f751d3e806f713f45f87
Instruction Fuzzy Hash: F541F822E186A2E5EB10FB51E4407B9A766FB44B98FC54232DE6D07785DF7CE005D310

Function 00007FF731697350 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73168C9C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF731673D4F), ref: 00007FF73168C9EE

_open.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73169740F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169745B
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731697472
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169748B

Strings

Couldn't open file %s, xrefs: 00007FF731697439

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_close_openmalloc
String ID: Couldn't open file %s
API String ID: 3412525164-447283422
Opcode ID: 7856573c67e4ecf729b0dc835e39a869844de092acf3b00592fb5aa2bffd79d6
Instruction ID: e75528c25bdc321a53361e5173b0f42a5ce991f5f1f103b464da77e2f7668abb
Opcode Fuzzy Hash: 7856573c67e4ecf729b0dc835e39a869844de092acf3b00592fb5aa2bffd79d6
Instruction Fuzzy Hash: 4841E032E08AA1D2EB149F65E40027AE7A2FB45B94F888071DA9D47785CFBCE001DB20

Function 00007FF7316766C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF73167673E

Part of subcall function 00007FF731662E40: GetLastError.KERNEL32 ref: 00007FF731662E62
Part of subcall function 00007FF731662E40: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731662E6A

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167675C
recv.WS2_32 ref: 00007FF731676787
WSAGetLastError.WS2_32 ref: 00007FF731676799

Strings

Recv failure: %s, xrefs: 00007FF7316767C5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ErrorLast$_errnofreememcpyrecv
String ID: Recv failure: %s
API String ID: 267823591-4276829032
Opcode ID: 9f37ef25d2cbde7e44d61f655dfd075aa7a26731cbe2d316d942a178f3c2f71e
Instruction ID: 766a142f4e03bfce704645e2a63ba222ba4374ede3eeba04b18b0dd92e26e01d
Opcode Fuzzy Hash: 9f37ef25d2cbde7e44d61f655dfd075aa7a26731cbe2d316d942a178f3c2f71e
Instruction Fuzzy Hash: 7F31CE76F05B61D1EB11AF96E8802B9A3A1BB48FD8F904135CE1D07384EEBCD456E350

Function 00007FF73167D150 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73167D245
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73167D2A4

Strings

Connection died, tried %d times before giving up, xrefs: 00007FF73167D208
REFUSED_STREAM, retrying a fresh connect, xrefs: 00007FF73167D1DB
Connection died, retrying a fresh connect, xrefs: 00007FF73167D22F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree
String ID: Connection died, retrying a fresh connect$Connection died, tried %d times before giving up$REFUSED_STREAM, retrying a fresh connect
API String ID: 1865132094-195851662
Opcode ID: b2f75524ccea4e637de733992f4f779450420ae890607c224c1569b4bb52aa83
Instruction ID: afe4eba3563a089e37393f4bc9306fbcc9d49fc0f797b05cb3b3892cf04d6498
Opcode Fuzzy Hash: b2f75524ccea4e637de733992f4f779450420ae890607c224c1569b4bb52aa83
Instruction Fuzzy Hash: D841E532F0CA92D1EB55EB65E4403A9A792EB84B88F888431DB5D07796CFBCD491D710

Function 00007FF731691710 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73169174B
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731691791
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316917F6

Strings

RCPT TO:<%s@%s>, xrefs: 00007FF7316917CD
RCPT TO:<%s>, xrefs: 00007FF7316917DB

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfreestrpbrk
String ID: RCPT TO:<%s>$RCPT TO:<%s@%s>
API String ID: 1812939018-579818044
Opcode ID: e8bf0f1166062040c79a1d659e28989542820538a677ba05d44a4a9e570ddb35
Instruction ID: bf1b5ea51a61ef77213af228f3ba26f3e21d3dfd70737682c636e849d3a7ea92
Opcode Fuzzy Hash: e8bf0f1166062040c79a1d659e28989542820538a677ba05d44a4a9e570ddb35
Instruction Fuzzy Hash: 5931E862E18B81D2EB01EB65E4402B9E7A2FB85B90F888235DA5E077D1DFBCD541D310

Function 00007FF7316A9640 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A966D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A9B36

Strings

FALSE, xrefs: 00007FF7316A9662
%s: %s, xrefs: 00007FF7316A9B21
TRUE, xrefs: 00007FF7316A965B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree
String ID: %s: %s$FALSE$TRUE
API String ID: 1865132094-3430445539
Opcode ID: 3825d031a93768815eb6b5328640b0091a31a05f0c4b0cbf60904bbfdb54b7ed
Instruction ID: d5f15cdd023ba7cc285d3f5ab0e47c709393fed10dd39b840123d64eba112b01
Opcode Fuzzy Hash: 3825d031a93768815eb6b5328640b0091a31a05f0c4b0cbf60904bbfdb54b7ed
Instruction Fuzzy Hash: 61016591E087A2E6EF61AB96A4503F6A392BB05B84FD44435CE4E03751DFACE145E320

Function 00007FF7316A4C70 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7316A4BD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A1665), ref: 00007FF7316A4BF6
Part of subcall function 00007FF7316A4BD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A1665), ref: 00007FF7316A4C17
Part of subcall function 00007FF7316A4BD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A1665), ref: 00007FF7316A4C32
Part of subcall function 00007FF7316A4BD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A1665), ref: 00007FF7316A4C40
Part of subcall function 00007FF7316A4BD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A1665), ref: 00007FF7316A4C52

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A4CF6

Strings

NTLM, xrefs: 00007FF7316A4CAE, 00007FF7316A4D60
HTTP, xrefs: 00007FF7316A4C7A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc
String ID: HTTP$NTLM
API String ID: 2190258309-4188377180
Opcode ID: d700e50b9f6d607d8b3a74ecd7020a60d0401cc3b52875f11de2c358a72f89e2
Instruction ID: ca2c2889f704476ea9307d2317d7f93a9473e8a1bb4214b087a9ef84a30e6b21
Opcode Fuzzy Hash: d700e50b9f6d607d8b3a74ecd7020a60d0401cc3b52875f11de2c358a72f89e2
Instruction Fuzzy Hash: C6618C72A09B91D2E7609F56E84026AB3A6FB88B84F944035DF8D43B58DF7CD454DB10

Function 00007FF73169237B Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731692430

Strings

Failure sending ABOR command: %s, xrefs: 00007FF731692551
Remembering we are in dir "%s", xrefs: 00007FF7316924C8
control connection looks dead, xrefs: 00007FF731692622
ABOR, xrefs: 00007FF73169252B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: ABOR$Failure sending ABOR command: %s$Remembering we are in dir "%s"$control connection looks dead
API String ID: 1294909896-1891748601
Opcode ID: d1dbb01f54f92b8f2f1cdad09fed6d72f8988b886edd537990e46cf6e09fd01c
Instruction ID: 11d78339ce7f4beb95b114cd209fb77618c486ba1614026708f1b2f767f818d1
Opcode Fuzzy Hash: d1dbb01f54f92b8f2f1cdad09fed6d72f8988b886edd537990e46cf6e09fd01c
Instruction Fuzzy Hash: 1C51C861D0D6A2E3EBA5F7B090503B9A352EB45364FC04279DA6E076C2DFFCE445A360

Function 00007FF7316AA675 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA6B8
memcpy.VCRUNTIME140 ref: 00007FF7316AA6DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA7AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA7FF

Strings

TRUE, xrefs: 00007FF7316AA809

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: TRUE
API String ID: 3401966785-3412697401
Opcode ID: c025a0c3dc1ec3e80a8e52a6cec06fdbfe740c0ae21a7d2b85079ddef5b95d9f
Instruction ID: 188f0916ee93ce6ba9c007ce2f5332449287ade42d9d037a26e2a15e664aa9bb
Opcode Fuzzy Hash: c025a0c3dc1ec3e80a8e52a6cec06fdbfe740c0ae21a7d2b85079ddef5b95d9f
Instruction Fuzzy Hash: 4F417BA9F186F291FB069A558914379ABA3EB417E0F844637CA6F433C5DDACD081E320

Function 00007FF7316A9989 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A99CC
memcpy.VCRUNTIME140 ref: 00007FF7316A99F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A9AC9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A9B36

Strings

%s: %s, xrefs: 00007FF7316A9B21

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: %s: %s
API String ID: 3401966785-1451338302
Opcode ID: dc1ef0588320f42d92b7cff0719b3b8cc03c3838bfdfd30c54a14f295920d0a3
Instruction ID: 5e45d4a707b22e339198dd4225fb1005cf0d5b2240d1db6f5d849b1fb2203d9d
Opcode Fuzzy Hash: dc1ef0588320f42d92b7cff0719b3b8cc03c3838bfdfd30c54a14f295920d0a3
Instruction Fuzzy Hash: D4413B91E092F196EF28AA9650243B59793AB45BE0F98423ACF9F077C5DE9CD045E320

Function 00007FF7316A7B93 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 125COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7EC9

Strings

Start Date: %s, xrefs: 00007FF7316A7EB7
Start Date, xrefs: 00007FF7316A7E9D
GMT, xrefs: 00007FF7316A7C4E
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7316A7CC1

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Start Date: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Start Date
API String ID: 1294909896-619256714
Opcode ID: b593b65929af07077842564f2cb30784d05489b30c400f16d670199426e054dd
Instruction ID: eb3f077f2b18fb8298ba4bec88c7a7a830c990349868b1710c916d74073dbd30
Opcode Fuzzy Hash: b593b65929af07077842564f2cb30784d05489b30c400f16d670199426e054dd
Instruction Fuzzy Hash: 8951E5E1E0C6E2E4EB10AF9595141B8F7A6FB05780FC49471CA8E06754DFBDE641E320

Function 00007FF7316A7AD0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7EC9

Strings

Start Date: %s, xrefs: 00007FF7316A7EB7
GMT, xrefs: 00007FF7316A7B2C
Start Date, xrefs: 00007FF7316A7E9D
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7316A7B7F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Start Date: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Start Date
API String ID: 1294909896-2752585153
Opcode ID: 4741d83406359ee3f7d6043eaef330398b2e05172c69b4ec56a369e3b47ed9a8
Instruction ID: b168c5aa07b904052ac2bc1eab810226e21083658c3700d013696219d47301f6
Opcode Fuzzy Hash: 4741d83406359ee3f7d6043eaef330398b2e05172c69b4ec56a369e3b47ed9a8
Instruction Fuzzy Hash: 513193A1E0CAA2E4EB10AFA594101B9F797FB05784FC88471CB4D16295DFBDE544E320

Function 00007FF7316A885E Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Strings

Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$Signature
API String ID: 2190258309-1663925961
Opcode ID: 7e941dfaf5f8a2d93b432d2b7afcc53c8c33386750d809cd1a2bcc3477fb2b98
Instruction ID: 5ca029a84b6b68ed083cd419ee5996830d0592864209733e3fc53e8ebbf5df25
Opcode Fuzzy Hash: 7e941dfaf5f8a2d93b432d2b7afcc53c8c33386750d809cd1a2bcc3477fb2b98
Instruction Fuzzy Hash: 0B21E062F08AD2D6EB109BA6E4042FAA3A6FB48BD8F880532DE5D53795DF7CD101D310

Function 00007FF7316928D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169299B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316929B4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316929C8

Strings

QUIT, xrefs: 00007FF7316928FF
Failure sending QUIT command: %s, xrefs: 00007FF731692923

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Failure sending QUIT command: %s$QUIT
API String ID: 1294909896-1162443993
Opcode ID: 807ef8fa226970ae5b9040265797cb9f53c43fdafe48f57b89e976fbdb420d33
Instruction ID: 97108da0268ecf1fd4858c754458fe75d299405827c86a36492e31fd1dea1bab
Opcode Fuzzy Hash: 807ef8fa226970ae5b9040265797cb9f53c43fdafe48f57b89e976fbdb420d33
Instruction Fuzzy Hash: 3D319631F087A2E2EB90EFA2D4443B9B396FB45B84F844039DA4E07655DF6CD051E360

Function 00007FF7316894D0 Relevance: 7.6, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316758B0), ref: 00007FF731689505
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316758B0), ref: 00007FF73168951A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316758B0), ref: 00007FF73168952F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316758B0), ref: 00007FF73168955C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316758B0), ref: 00007FF731689565
memcpy.VCRUNTIME140(?,?,?,00007FF7316758B0), ref: 00007FF731689599

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$calloc$memcpy
String ID:
API String ID: 3478730034-0
Opcode ID: 551880f0cf651d9d3cd7b3d72f1750254fa78b1a94682acab546ab4d6fd1212c
Instruction ID: 90e65c7045b7e0bbe73112917df6cdbc0b6303d4eacfc423e781f804476644b5
Opcode Fuzzy Hash: 551880f0cf651d9d3cd7b3d72f1750254fa78b1a94682acab546ab4d6fd1212c
Instruction Fuzzy Hash: 2F21C471E08B92D6E724AF62A410239B7A2FB89BD4F844234DE9E17794DF7CD450E720

Function 00007FF731698740 Relevance: 7.6, APIs: 5, Instructions: 62stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731698771
strchr.VCRUNTIME140 ref: 00007FF73169879D
strchr.VCRUNTIME140 ref: 00007FF7316987B4
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316987D3

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$_strdupmalloc
String ID:
API String ID: 4236146995-0
Opcode ID: ac77d55da153c51ce4b0da4844e3ee0dc72817ed75bc1a3428b20dbaeaf331c7
Instruction ID: 8d0bb80107158defbf718643948dd7c160dc826a44954fcdadaf98da1db0be1d
Opcode Fuzzy Hash: ac77d55da153c51ce4b0da4844e3ee0dc72817ed75bc1a3428b20dbaeaf331c7
Instruction Fuzzy Hash: B9219D62F15B85D2EB81DF6190443ACA3E2EB89B84F481135DE4D0B748EF79D491D730

Function 00007FF7316A85F8 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Strings

Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$Signature
API String ID: 2190258309-1663925961
Opcode ID: 0524c1bf4175a93633869f3fc57a9e9334e9eb6c4924e45b541d7c896293409d
Instruction ID: 79366edf91ad82ebac157700cfc20bc961679d9a4b52aa2dc3d3ab4e644fcf5f
Opcode Fuzzy Hash: 0524c1bf4175a93633869f3fc57a9e9334e9eb6c4924e45b541d7c896293409d
Instruction Fuzzy Hash: AF21E5A2F08692E5EB10EB95E4102FAA366FF447C4F841432DE4D07715EE7CD001D320

Function 00007FF7316A8636 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7316A9140: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A918C

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Part of subcall function 00007FF731670B80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2

Strings

Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: malloc$free
String ID: Signature: %s$Signature
API String ID: 1480856625-1663925961
Opcode ID: 0e76b6a316340a42a1bc527b4a0993da5b2c0cb114230e1b1a20d8241241b9a3
Instruction ID: f55ed5bda621e50e0b2cf4cd4533bf853f6d677c8c72d6df5ec9e1180ffdc6b8
Opcode Fuzzy Hash: 0e76b6a316340a42a1bc527b4a0993da5b2c0cb114230e1b1a20d8241241b9a3
Instruction Fuzzy Hash: C52171A2F08A92D5EB10EB96E4542EAA3A6FF85788F841432DE4D17725EF7CD001D710

Function 00007FF7316A8610 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7316AAC50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AAC85

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A8A8C

Part of subcall function 00007FF731670B80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2

Strings

Signature, xrefs: 00007FF7316A8A0F
Signature: %s, xrefs: 00007FF7316A8A27

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: malloc$free
String ID: Signature: %s$Signature
API String ID: 1480856625-1663925961
Opcode ID: 7e4034373774d43b519a8af8c2c682e0bc05bde0d65ec1908a57987c2b653275
Instruction ID: 9213318b85dc1ace6a1c47582a69acddd17660344e2456f689307b2b79f94042
Opcode Fuzzy Hash: 7e4034373774d43b519a8af8c2c682e0bc05bde0d65ec1908a57987c2b653275
Instruction Fuzzy Hash: D12171A2F08A92E6EB50EB96E4542EAA3A6FF85784F841432DE4D17725EF7CD001D710

Function 00007FF731663580 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF731662EB9), ref: 00007FF73166381F

Strings

Unrecoverable error in call to nameserver, xrefs: 00007FF73166380C
Host not found, try again, xrefs: 00007FF731663815
Host not found, xrefs: 00007FF7316637E8
No data record of requested type, xrefs: 00007FF731663803

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strncpy
String ID: Host not found$Host not found, try again$No data record of requested type$Unrecoverable error in call to nameserver
API String ID: 3301158039-3625861382
Opcode ID: 1ff2dce18e257e774129ac5e1c4637ee97025658beddbabc7998c3cc9fc065be
Instruction ID: 4eb25bfd4c616e6508af23668a703f9b855d4c14ae5b8c44e537455a683cb6d6
Opcode Fuzzy Hash: 1ff2dce18e257e774129ac5e1c4637ee97025658beddbabc7998c3cc9fc065be
Instruction Fuzzy Hash: 8211E761E0C693F0FB18A7D9E5542B897B2EF85740FC98035C61E06785CEECE481E220

Function 00007FF73166B540 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF73166B9E3
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF73166B9F7
CloseHandle.KERNEL32 ref: 00007FF73166BA04
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF73166BA26
closesocket.WS2_32 ref: 00007FF73166BA44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF73166BA5D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: 059db627849e2e226bb10930d3277cc3b65913901b4ea62fb5c050b9fbc6cc93
Instruction ID: 9b23b5f46ef20ccd8a4457fb6903bb5c4a1b5ee773d21fa05a50fa9b04a2d75a
Opcode Fuzzy Hash: 059db627849e2e226bb10930d3277cc3b65913901b4ea62fb5c050b9fbc6cc93
Instruction Fuzzy Hash: 4611EC36B04A51D6E710EF92E180229B371FB89B91F544135DF8E03B44CFB9E4A5D710

Function 00007FF7316AA335 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316AA35B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA7FF

Strings

FALSE, xrefs: 00007FF7316AA350
TRUE, xrefs: 00007FF7316AA809

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree
String ID: FALSE$TRUE
API String ID: 1865132094-1412513891
Opcode ID: f1a68c5537dbf8c23db2369df14daea5e9d1e5d646dd923bf12f28056a1744cf
Instruction ID: 6097c0fafe1c7708eabfdf0351a7a4d76534f8ef31218daaf2a1c7e85132c235
Opcode Fuzzy Hash: f1a68c5537dbf8c23db2369df14daea5e9d1e5d646dd923bf12f28056a1744cf
Instruction Fuzzy Hash: EE41F9E6F0A7B5E4FF119AA59414278A7E3AB05794FA44536CE4F073C0EEADE441E320

Function 00007FF73169C380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99networkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73169C3C1
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF73169C400
WSAGetLastError.WS2_32 ref: 00007FF73169C458

Strings

TFTP response timeout, xrefs: 00007FF73169C41A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _time64$ErrorLast
String ID: TFTP response timeout
API String ID: 3339832089-3820788777
Opcode ID: 1741c2b3a3ef580584a93da6dde3718fcfcede63748f4220ffc3383607af794c
Instruction ID: 35fbf952446036a41aad3c4949a76a266da92632a89fd9afe152ef34abe54901
Opcode Fuzzy Hash: 1741c2b3a3ef580584a93da6dde3718fcfcede63748f4220ffc3383607af794c
Instruction Fuzzy Hash: 3441C432F09A51D2EB60AFA5D8002B9A792EB49BA4F808235DE2D477D5DFBCD401D760

Function 00007FF731676430 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676555
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676570

Strings

..., xrefs: 00007FF7316764D8
..., xrefs: 00007FF7316764C2

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: fwrite
String ID: ...$...
API String ID: 3559309478-2253869979
Opcode ID: 8108603736209bb098f9a9e31943748ac7ad89f18f806ab5dd93ef5962823fb4
Instruction ID: 4dd0ff68c3babfaddbaa64e70931bc620af584366cf61cdc89407e583cfc430f
Opcode Fuzzy Hash: 8108603736209bb098f9a9e31943748ac7ad89f18f806ab5dd93ef5962823fb4
Instruction Fuzzy Hash: 7731C231E18A91E1FB64EB51E4147F9A3A2FB84B94F848231CA5E03794CFBDE055D790

Function 00007FF731684A70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316844A9), ref: 00007FF731684AFD

Strings

Failed to alloc memory for big header!, xrefs: 00007FF731684B08
Rejected %zu bytes header (max is %d)!, xrefs: 00007FF731684A9B

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: realloc
String ID: Failed to alloc memory for big header!$Rejected %zu bytes header (max is %d)!
API String ID: 471065373-1365219457
Opcode ID: 4c44fc8c2847de9bbbd9c680b45044438693ee4e238ce7601bbe6f48ff3c2ebb
Instruction ID: 47c9818eda606677ad862e58b79bafe8cb183d09b47ce3f94241e6df091a82b5
Opcode Fuzzy Hash: 4c44fc8c2847de9bbbd9c680b45044438693ee4e238ce7601bbe6f48ff3c2ebb
Instruction Fuzzy Hash: 38217C32B18A94D6EB44EB66E4802ADA362FB49BC4F444036EF5D03B59DF7CD5A2D340

Function 00007FF731664C53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731664CE2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731664CFE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731664D1B

Strings

:, xrefs: 00007FF731664CD6

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$_strdup
String ID: :
API String ID: 2653869212-336475711
Opcode ID: 18a252802a4c2c691ca69fad7a51561af876a6c654b711007ac977ba48ab96a6
Instruction ID: add443c51ad11518767f502caa69a58216a33ef4c6045687cd8e5d26893147db
Opcode Fuzzy Hash: 18a252802a4c2c691ca69fad7a51561af876a6c654b711007ac977ba48ab96a6
Instruction Fuzzy Hash: E9217F22A09B96D6EB61AF55A5003A9B3B1FB84B94F844135CF9D43784EF7CD410D720

Function 00007FF73168E820 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

LIST "%s" *, xrefs: 00007FF73168E8A7
%s%s, xrefs: 00007FF73168E853

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID:
String ID: %s%s$LIST "%s" *
API String ID: 0-1744359683
Opcode ID: 24136d207ae102c5ea7ef9a2db057a650322fa4e370001de2a68ccbc906af9fe
Instruction ID: ff8f7865e689fcff4b4a0184b8a6f4be4d56d92aa1a4d3b6969efac5dcde31c7
Opcode Fuzzy Hash: 24136d207ae102c5ea7ef9a2db057a650322fa4e370001de2a68ccbc906af9fe
Instruction Fuzzy Hash: 14119D22F18662E1EB14EB96E4801BCA3A2BB48BC4F844531DE0E17B51DFACE551D350

Function 00007FF7316A7AA1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A7AA4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7EC9

Part of subcall function 00007FF731670B80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2

Strings

Start Date: %s, xrefs: 00007FF7316A7EB7
Start Date, xrefs: 00007FF7316A7E9D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: Start Date: %s$Start Date
API String ID: 3985033223-2389359183
Opcode ID: c3b8626d892d8b0656b9452877c82dfeb00f746fadc55ff2821d253b1793e36a
Instruction ID: 33ac441c04213a5f018ca8a4eb83e86b06d3457451c7283363b12f8e31b56f9b
Opcode Fuzzy Hash: c3b8626d892d8b0656b9452877c82dfeb00f746fadc55ff2821d253b1793e36a
Instruction Fuzzy Hash: 5E01D491E0C6A2E1EB10AB9154241B9B7A7BF05785FC89871CB4A061A5EFBDA504E331

Function 00007FF7316829D0 Relevance: 6.3, APIs: 5, Instructions: 82stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF731682A34
strchr.VCRUNTIME140 ref: 00007FF731682A47
strchr.VCRUNTIME140 ref: 00007FF731682A59
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731682A8B
memcpy.VCRUNTIME140 ref: 00007FF731682AB5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strchr$mallocmemcpy
String ID:
API String ID: 320687583-0
Opcode ID: 0199e1b4cc222dfa996a3a7a7b04aa24882031ec62ccacbaa9e0b16e1c7dd0e8
Instruction ID: 97583925f32d8ab06565548cee2b3f4a5a4404b04ef648b36bab2878f843b2bb
Opcode Fuzzy Hash: 0199e1b4cc222dfa996a3a7a7b04aa24882031ec62ccacbaa9e0b16e1c7dd0e8
Instruction Fuzzy Hash: 42210911E0D6A2E1EF65AB5291502B9E7D39F48BC4F8C8135DE8E07B86DF6CD501D220

Function 00007FF7316AA4EF Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA7FF

Strings

GMT, xrefs: 00007FF7316AA59E
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7316AA611
TRUE, xrefs: 00007FF7316AA809

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
API String ID: 1294909896-910067264
Opcode ID: 175b8fed516aa4291b1f46da496cdeccca5547fd3abd262188f1c2dcfda0c20d
Instruction ID: 232e14b10724c10e6b5674028405ebf4bca44c6c410f51a6f9dfa259f72577c5
Opcode Fuzzy Hash: 175b8fed516aa4291b1f46da496cdeccca5547fd3abd262188f1c2dcfda0c20d
Instruction Fuzzy Hash: F451E7E2E086F5E4EB119F95A904179EBA7EB01780FD49037DA8D02754DFBCD441E324

Function 00007FF7316A9800 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A9B36

Strings

GMT, xrefs: 00007FF7316A98BE
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7316A992A
%s: %s, xrefs: 00007FF7316A9B21

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %s: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s
API String ID: 1294909896-2632828617
Opcode ID: 2d567fc7870b19634a2cbb62e17730c428280785e8b13154c206ba112d2b15db
Instruction ID: edfe095344db24e7f540e01d35c07ca5022b2cee5ffa4bbd609c0afaff51f1a6
Opcode Fuzzy Hash: 2d567fc7870b19634a2cbb62e17730c428280785e8b13154c206ba112d2b15db
Instruction Fuzzy Hash: F741D8A1E0C6B1E5EB609F95A4042B9E796FB01B90FD58431CE8D03755CFBCE446E320

Function 00007FF73165D5C0 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73165D1D8), ref: 00007FF73165D69E
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73165D1D8), ref: 00007FF73165D6CC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73165D1D8), ref: 00007FF73165D735

Part of subcall function 00007FF7316AFB48: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73165442E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF731651B89), ref: 00007FF7316AFB62

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73165D742

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemset
String ID:
API String ID: 2942768764-0
Opcode ID: e313eb31bb9c36e5e7182acaf55df2307521fd66a11ad611a39392af3f5df12e
Instruction ID: faa8ab40cd29f4fcf76fbe57e2c50472a05343e5139054bbc86a51e41ba25988
Opcode Fuzzy Hash: e313eb31bb9c36e5e7182acaf55df2307521fd66a11ad611a39392af3f5df12e
Instruction Fuzzy Hash: 9341F6B2F05AA1E5EF14EFA5D41427DA362BB44BA0F948631CB6D037C5DF6CE0519320

Function 00007FF7316607C0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7316608A0
memcpy.VCRUNTIME140 ref: 00007FF7316608CD
memcpy.VCRUNTIME140 ref: 00007FF7316608DC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73166090E

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: f57466c40c565452301723b37a3341091d7968150f5e4cfc42a57b952f741096
Instruction ID: effcc0d9423250ea155eea52ceef043f3df1c433315eebad83e894b4aa3aaccf
Opcode Fuzzy Hash: f57466c40c565452301723b37a3341091d7968150f5e4cfc42a57b952f741096
Instruction Fuzzy Hash: 9031D521E19F51D1EF20EB52A54026AA3A2EB04BE0F954639DEAD077C5DF7CE0819390

Function 00007FF7316AB170 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00007FF73168D31B), ref: 00007FF7316AB1CE

Strings

%s, xrefs: 00007FF7316AB1A4

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %s
API String ID: 1294909896-3043279178
Opcode ID: 352856b1eae17858e1b077f2ee5fd32b90ad45b0c77a443594dcac492bc27cdb
Instruction ID: 4352fdb43dbf1e9dbad295bce03148f84d9f4ea5c658b9b41d9ccda503b3cb7f
Opcode Fuzzy Hash: 352856b1eae17858e1b077f2ee5fd32b90ad45b0c77a443594dcac492bc27cdb
Instruction Fuzzy Hash: 3341BE32A18B91D2EB50EB55B4401AEB3A1FB85BA0F444139DF9E03BA1DF7CE491D310

Function 00007FF7316AB5B0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00007FF73168EB60,?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?), ref: 00007FF7316AB603
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AB68C

Strings

%s, xrefs: 00007FF7316AB5D5

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %s
API String ID: 1294909896-3043279178
Opcode ID: ab711b374cce4f61b9c1c04fbc7c9437e1ddaaeae5eb021ca5eae824c80ea905
Instruction ID: 5bc08b33d449f7d7367690d31dc6bcdb5a52ca3c7c601555b234f2ce9a51284e
Opcode Fuzzy Hash: ab711b374cce4f61b9c1c04fbc7c9437e1ddaaeae5eb021ca5eae824c80ea905
Instruction Fuzzy Hash: 9441A372A18B91D2EB11EB6AB4401AAF3A1FB45B94F444134DF8E03BA1DF7CE091D710

Function 00007FF731660A50 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF731660B2F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF731660B6C
memcpy.VCRUNTIME140 ref: 00007FF731660B76
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731660BA9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: b48b9fb4136db3c1fc78f3a36e8555c0a0b74b4d90e57a5bfe19da46bb14fc38
Instruction ID: bb14d9fa975ec2dd5c3943e2f2efda76e123b58916ecd98de49d6a80542cb164
Opcode Fuzzy Hash: b48b9fb4136db3c1fc78f3a36e8555c0a0b74b4d90e57a5bfe19da46bb14fc38
Instruction Fuzzy Hash: 52311062F09B65E5EF10AF52A50036CA3A2EB04BD4F888635DE6D077C5CFBDE051A320

Function 00007FF7316AA435 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA7FF

Strings

GMT, xrefs: 00007FF7316AA489
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7316AA4DB
TRUE, xrefs: 00007FF7316AA809

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$TRUE
API String ID: 1294909896-918878739
Opcode ID: 6c645be8e5b1f5d6d945d0e325e0d0960cc81af97aaf99509a56fb7c7365217d
Instruction ID: 6f9fec56b86f7bd87f08a5ee02580aa656102db8fac650ed9fbcc1fd51e8ff3b
Opcode Fuzzy Hash: 6c645be8e5b1f5d6d945d0e325e0d0960cc81af97aaf99509a56fb7c7365217d
Instruction Fuzzy Hash: 1E31E2A6E09AE6E4EB11DFA5D9041B9E7A3FB44B84FC45032DA4E03694DFBCE541D320

Function 00007FF731696B0D Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731696B44

Part of subcall function 00007FF731676430: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676555
Part of subcall function 00007FF731676430: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF731676570

Strings

%s%s, xrefs: 00007FF731696B14
Wildcard - "%s" skipped by user, xrefs: 00007FF731696BAD
Wildcard - START of "%s", xrefs: 00007FF731696B4D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: fwrite$free
String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
API String ID: 3468156532-1133524294
Opcode ID: 85b19cdabee01aa8169689ccd1cff8ffe183e717a987165f202e7447560ac795
Instruction ID: 6204d959623adc527543807aba72022319e3f1da5be706cd5996e4f37085f728
Opcode Fuzzy Hash: 85b19cdabee01aa8169689ccd1cff8ffe183e717a987165f202e7447560ac795
Instruction Fuzzy Hash: 8D417436E08B91D5EB20EF66E4441ADA362EF84B85F854036DE4E4B385DFBCE441D320

Function 00007FF7316A9745 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A9B36

Strings

GMT, xrefs: 00007FF7316A9799
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7316A97E9
%s: %s, xrefs: 00007FF7316A9B21

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: %s: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
API String ID: 1294909896-1153420294
Opcode ID: f3e28e3f91499ebf32120d26d22ad79634019ec5771c8a1804892b3f14b7e7f3
Instruction ID: 58ba465b9baa44dc8a9ed7b2a0caedc4870e95b8cb09c49ab351bc9ba859eca9
Opcode Fuzzy Hash: f3e28e3f91499ebf32120d26d22ad79634019ec5771c8a1804892b3f14b7e7f3
Instruction Fuzzy Hash: 9D31A4A2E08BA1E5EB60AFD194406F9B796FB45B84FE44032CE4D03655DFBCD545E320

Function 00007FF7316AA67D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA6B8
memcpy.VCRUNTIME140 ref: 00007FF7316AA6DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA7FF

Strings

TRUE, xrefs: 00007FF7316AA809

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemallocmemcpy
String ID: TRUE
API String ID: 3056473165-3412697401
Opcode ID: acf237168278095a5ad18c07f63b861f156cdde06034463f095727a3b20c5360
Instruction ID: 4da73736dbeb5a72729a38e4e0fd3f3fb917e0368a6acfda79cb267fc18afdee
Opcode Fuzzy Hash: acf237168278095a5ad18c07f63b861f156cdde06034463f095727a3b20c5360
Instruction Fuzzy Hash: 582127A9F096A290EF02DA9699103759763AB44BE4F944132CD1E037C4DEBCD081D310

Function 00007FF731670B80 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2
memcpy.VCRUNTIME140 ref: 00007FF731670C0D

Part of subcall function 00007FF731665F60: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731665F75

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670C42

Part of subcall function 00007FF731666070: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731670670,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316624A1), ref: 00007FF731666097
Part of subcall function 00007FF731666070: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731670670,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316624A1), ref: 00007FF7316660A3

Strings

%s:, xrefs: 00007FF731670BEC

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$malloc$memcpy
String ID: %s:
API String ID: 901724546-64597662
Opcode ID: 7873c5d0c5948a78ce4733ab3e2681e264897296f48dbc720c30851681a58c1d
Instruction ID: d7dbded6789c1cbcf825e658d28ee0b967ad868eed5747c9d1532174317d6f8a
Opcode Fuzzy Hash: 7873c5d0c5948a78ce4733ab3e2681e264897296f48dbc720c30851681a58c1d
Instruction Fuzzy Hash: 6921E422A08BA5E1DB10DF52E9501AAB3A5FB44FE8F880231EE5D07395DF7CD545C360

Function 00007FF7316A9991 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A99CC
memcpy.VCRUNTIME140 ref: 00007FF7316A99F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A9B36

Strings

%s: %s, xrefs: 00007FF7316A9B21

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemallocmemcpy
String ID: %s: %s
API String ID: 3056473165-1451338302
Opcode ID: b82b03f04f390be818fbb6db6f418002d24d1c316bb8b4d2d42c20403c707f8a
Instruction ID: 0483e296ccc3ece69c80f29337e7a4937888624eadd5fa84e5a8bccb73285201
Opcode Fuzzy Hash: b82b03f04f390be818fbb6db6f418002d24d1c316bb8b4d2d42c20403c707f8a
Instruction Fuzzy Hash: 8421D091E087A2D1EF60AA92A4103B6E352BF45BE4F984132CE5D07BD5DFACE0459310

Function 00007FF7316A79EA Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A7EC9

Strings

%s%lx, xrefs: 00007FF7316A7A45
Start Date: %s, xrefs: 00007FF7316A7EB7
Start Date, xrefs: 00007FF7316A7E9D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Start Date: %s$%s%lx$Start Date
API String ID: 1294909896-3519493645
Opcode ID: 685cbd80c030dd2c6b8e0356103f785b027d0646e53f3bb5b06b1b57ae0b9610
Instruction ID: 435cc6cf7f217e1fe70e32ec4a97e9230c0fd64d7d9776d9e3deb498980e1f4f
Opcode Fuzzy Hash: 685cbd80c030dd2c6b8e0356103f785b027d0646e53f3bb5b06b1b57ae0b9610
Instruction Fuzzy Hash: 6C21C791F0C2A2E4EF10ABE594142B9A793AF05784FC49871CB0E46695DEAEE504E330

Function 00007FF731679C1D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7316798E8), ref: 00007FF731679A35
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7316798E8), ref: 00007FF731679A4F

Strings

I32, xrefs: 00007FF731679A25
I64, xrefs: 00007FF731679A45

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: ac4d088b5b4cb0edd8e0ae16900b4eb76ded520f9b3fbbc3f0ac6101dcccb983
Instruction ID: 87279f3e428a060ee6e72b4a8cd5f59231c41a822903eef123e788dbceb61195
Opcode Fuzzy Hash: ac4d088b5b4cb0edd8e0ae16900b4eb76ded520f9b3fbbc3f0ac6101dcccb983
Instruction Fuzzy Hash: 40210132E0D57391EF21AB61D4506B8BBE69B05B48F899130CA4A42294CFACE600E7B0

Function 00007FF7316A3A70 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316A47D9,00000000,?,?,00007FF7316A3D96), ref: 00007FF7316A3A99
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316A47D9,00000000,?,?,00007FF7316A3D96), ref: 00007FF7316A3AD0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7316A47D9,00000000,?,?,00007FF7316A3D96), ref: 00007FF7316A3AE2
memcpy.VCRUNTIME140(?,?,?,00007FF7316A47D9,00000000,?,?,00007FF7316A3D96), ref: 00007FF7316A3B0A

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: freemallocmemcpyrealloc
String ID:
API String ID: 3881842442-0
Opcode ID: f977fe82b170d04b32b457185a74ddf0502a1c6528f5c0329a6fcf7a66f72f91
Instruction ID: 13b3c9b327f28a5f1c3e050d34db5e2f637c84abfcb4b57ece070f09bee497d8
Opcode Fuzzy Hash: f977fe82b170d04b32b457185a74ddf0502a1c6528f5c0329a6fcf7a66f72f91
Instruction Fuzzy Hash: 91216D66A09B91C2DB44CF56E090229B3A1FB88FC8B888035DF5E47759DF78D491C710

Function 00007FF73168C880 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF731670DF9,?,?,?,?,00007FF73167019B), ref: 00007FF73168C8A8
GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF731670DF9,?,?,?,?,00007FF73167019B), ref: 00007FF73168C8CE
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF731670DF9,?,?,?,?,00007FF73167019B), ref: 00007FF73168C8EF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF731670DF9,?,?,?,?,00007FF73167019B), ref: 00007FF73168C900

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: realloc$EnvironmentVariablefree
String ID:
API String ID: 2828309815-0
Opcode ID: 5919ed26601e5a1983441ff13bfa5010129d55b5ebbfabf283f15f6243ff0c7b
Instruction ID: 6d3906cc05542d7ced651aa334fa034248f7bbb07c1e69e61ed5f172e159a954
Opcode Fuzzy Hash: 5919ed26601e5a1983441ff13bfa5010129d55b5ebbfabf283f15f6243ff0c7b
Instruction Fuzzy Hash: 1111A721F09752D1EB60AB52658027AE3D6BB48BC0F440075DE8D43F44DEBCE440A754

Function 00007FF7316ADC60 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7316ADC9D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316ADCAD
WideCharToMultiByte.KERNEL32 ref: 00007FF7316ADCDC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316ADCE9

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 691b6e5f2e5f0e80202c136731c855dd7b1e8b803b645f1d4182ee7e7330f53a
Instruction ID: 5b2f1759362846a0e8877c76d36b902b14192097ec149f58975b45b3fa7e1f6f
Opcode Fuzzy Hash: 691b6e5f2e5f0e80202c136731c855dd7b1e8b803b645f1d4182ee7e7330f53a
Instruction Fuzzy Hash: 3C118B35F09B91D6E714AFA6B800169B7A5FF88B80B884038DF8A43B15DFB8E611D750

Function 00007FF7316822A0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316822FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73168231A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731682323

Strings

Proxy-Connection: Keep-Alive, xrefs: 00007FF7316822B0

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID: Proxy-Connection: Keep-Alive
API String ID: 1294909896-2835282938
Opcode ID: 940235ba96ecd116c11ce8e31b952d266a1eb65064ca4e9b5e6f911fc8cbd765
Instruction ID: b72e2882c149d3696f394279e7e1003c3de6fdf3437188f76012cf4f4bcea909
Opcode Fuzzy Hash: 940235ba96ecd116c11ce8e31b952d266a1eb65064ca4e9b5e6f911fc8cbd765
Instruction Fuzzy Hash: 2201C462F04651D2FB156B95F4503A9A3A1AF48BF0F444234DEA9077D0DFBCD885E360

Function 00007FF73166BA70 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,00007FF73166BA22,?,?,?,00000000), ref: 00007FF73166BA81
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BA22,?,?,?,00000000), ref: 00007FF73166BA8A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73166BA22,?,?,?,00000000), ref: 00007FF73166BA94
closesocket.WS2_32 ref: 00007FF73166BAB2

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$CriticalDeleteSectionclosesocket
String ID:
API String ID: 3086658127-0
Opcode ID: 2c8760eac0806ac4aa8723237bf3783410c6d585aa1a93ed934bdf19cfdcb40a
Instruction ID: 1769015668984d7c0060917b025545e09a40d7363950f3e2f835489e24b4334a
Opcode Fuzzy Hash: 2c8760eac0806ac4aa8723237bf3783410c6d585aa1a93ed934bdf19cfdcb40a
Instruction Fuzzy Hash: 83015212E18A92C3E714EF75C8601786321FFE9F1CB416325DE6E011A59FA8E5D0D310

Function 00007FF731679B0A Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 24stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7316798E8), ref: 00007FF731679A35
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7316798E8), ref: 00007FF731679A4F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731679A92

Strings

I32, xrefs: 00007FF731679A25
I64, xrefs: 00007FF731679A45

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: 89454fb526bf0e432c533c576cda4cd321a1537bb584723e0669b3bfcf89d262
Instruction ID: 362e6488b7950786ba406c1a8ab61c99167abfc9ff600df3a83eb230ad33c644
Opcode Fuzzy Hash: 89454fb526bf0e432c533c576cda4cd321a1537bb584723e0669b3bfcf89d262
Instruction Fuzzy Hash: EBF0E921F1E563D0EF15BB929850AB5A7E69F49B94F885035C91A816D4CE6CE200E370

Function 00007FF731679B12 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 24stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7316798E8), ref: 00007FF731679A35
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7316798E8), ref: 00007FF731679A4F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF731679A92

Strings

I32, xrefs: 00007FF731679A25
I64, xrefs: 00007FF731679A45

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: 559271b8de5394c04adcda180b7cde2114d229b2169a1a980bd2519a6ba06669
Instruction ID: 96afedeefe66d0379d3f157f2620ebc9bbecf879c4e9ad12c87b39b9873c67b7
Opcode Fuzzy Hash: 559271b8de5394c04adcda180b7cde2114d229b2169a1a980bd2519a6ba06669
Instruction Fuzzy Hash: 4EF0E921F1A563D0EF15BB929850AB5A7E69F49B94F885035C91A816D4CE6CE200E370

Function 00007FF7316A1B00 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF731676EB6), ref: 00007FF7316A1B14

Strings

%lx, xrefs: 00007FF7316A1DFA

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _errno
String ID: %lx
API String ID: 2918714741-1448181948
Opcode ID: 80c34f630e15ed1a23192204764717f9e83153c5307471567d3b3e133f06cf10
Instruction ID: f716d450fc71a91893a3891d8c7a9acb92c111993f9e7cdcaa4529900f91937c
Opcode Fuzzy Hash: 80c34f630e15ed1a23192204764717f9e83153c5307471567d3b3e133f06cf10
Instruction Fuzzy Hash: AE817CA2E0C1F1D5E768AB65945027DFBD2FB85790F544236EAAE422C0DEBCD841DB20

Function 00007FF73168D820 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF73168D203), ref: 00007FF73168D8F2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF73168D203), ref: 00007FF73168D943

Strings

(){ %*], xrefs: 00007FF73168D83D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupmalloc
String ID: (){ %*]
API String ID: 3515966317-731572209
Opcode ID: bdd1c43b3494f96c2aad5221c01ac2cadb3a7930ebfd7d110b4e8fbb3137c04d
Instruction ID: 00e13ec2974c05602e7a5589b65f211b060c32d40ca9d19337a947e64feefd91
Opcode Fuzzy Hash: bdd1c43b3494f96c2aad5221c01ac2cadb3a7930ebfd7d110b4e8fbb3137c04d
Instruction Fuzzy Hash: 59316B13D0C6A5E4FF216BA16840378ABD39F56768FC94131DA9E03BC3CE6DA405E231

Function 00007FF731679630 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731679650
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316796AB

Strings

, xrefs: 00007FF731679663

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: mallocrealloc
String ID:
API String ID: 948496778-3916222277
Opcode ID: a2ff660f8911486f5e09a836224ee4278f170a739adc915ed60c233465fbcead
Instruction ID: 078960939e60e341d28d71de24cc875a8ebf45802cefb1e0b4da12cd46a45bb0
Opcode Fuzzy Hash: a2ff660f8911486f5e09a836224ee4278f170a739adc915ed60c233465fbcead
Instruction Fuzzy Hash: FE11D372A09F91C1EB449F56E100268B3A1FB08FE4F844235EE9E07798EF78D490C350

Function 00007FF731677950 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FF7316779CF
setsockopt.WS2_32 ref: 00007FF7316779FE

Strings

@, xrefs: 00007FF73167795F

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: getsockoptsetsockopt
String ID: @
API String ID: 194641219-2726393805
Opcode ID: 2a4013e67eaf20f38f0cc8df687051bb739da5ee28b32884e97c5335b44393c9
Instruction ID: 92787325945114843c1f1aa011a1a78c751b1f7fb35a6d3f63da4c3fb0439302
Opcode Fuzzy Hash: 2a4013e67eaf20f38f0cc8df687051bb739da5ee28b32884e97c5335b44393c9
Instruction Fuzzy Hash: 20119472E081A2D6F720EF91E404665F7A2FB85344F944034DA89466E4DFFDE589DB20

Function 00007FF7316AA408 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316AA40F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316AA7FF

Strings

TRUE, xrefs: 00007FF7316AA809

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfree
String ID: TRUE
API String ID: 1865132094-3412697401
Opcode ID: be029bd6a1667cbe2f6cba47e9e4bccf039cfda38148d3da651511633063af34
Instruction ID: b2f3f52a9d66fed61a4177c0dd0fc71bf69290fb1e003650acbc579a753b2054
Opcode Fuzzy Hash: be029bd6a1667cbe2f6cba47e9e4bccf039cfda38148d3da651511633063af34
Instruction Fuzzy Hash: 1B019BAAF096A5E4EB02DB95D904279A7A3BB04BD4F844436CE4F07394DEBCD081D320

Function 00007FF7316A9718 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7316A971F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316A9B36

Part of subcall function 00007FF731670B80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731670BD2

Strings

%s: %s, xrefs: 00007FF7316A9B21

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: %s: %s
API String ID: 3985033223-1451338302
Opcode ID: e8e740b37246a4764d6c3ce1eb164d90d97fc3f94e3ec7d35f47fa24bbdef41c
Instruction ID: 2601ec9f655e4b3694345182e84f49d27199a092e5336cdc7fbeebd5b69eee97
Opcode Fuzzy Hash: e8e740b37246a4764d6c3ce1eb164d90d97fc3f94e3ec7d35f47fa24bbdef41c
Instruction Fuzzy Hash: CCF04451E0C6A1E1EB61AB92A8007F6D3526F45BC4FD84431CE5D07756DFACD146E320

Function 00007FF73166C540 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731666070: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731670670,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316624A1), ref: 00007FF731666097
Part of subcall function 00007FF731666070: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731670670,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7316624A1), ref: 00007FF7316660A3

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166C576
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166C586
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73166C594
memset.VCRUNTIME140 ref: 00007FF73166C5CF

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: eaa7c906f893e631f80e24afcd7594a9ff7dc79e7c09c795ab08258e7351f13f
Instruction ID: ac7f6d5fb37dcf26fe89977564391171b16ef1cfa5ef22aa87117d0dfbc4ba63
Opcode Fuzzy Hash: eaa7c906f893e631f80e24afcd7594a9ff7dc79e7c09c795ab08258e7351f13f
Instruction Fuzzy Hash: 7621F832E18B91E3E314DB22D6903A8A370FB99744F519225EB9943A11DFB4F1F1D350

Function 00007FF7316AB750 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73168D5D3), ref: 00007FF7316AE6E6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73168D5D3), ref: 00007FF7316AE705
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73168D5D3), ref: 00007FF7316AE71F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73168D5D3), ref: 00007FF7316AE72D

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4dc756646f465d19538aa0d0ebc42b3fd6a2a7856d82e2757587a04e2cbd417f
Instruction ID: 83a2417fb19d5ae5166cda5d858ad0b9726c521f9daa605fd02fb006590fac9b
Opcode Fuzzy Hash: 4dc756646f465d19538aa0d0ebc42b3fd6a2a7856d82e2757587a04e2cbd417f
Instruction Fuzzy Hash: 7D112B76E08A51D2EB54AF65E59033CA3A6FF84F88F944435CA8E02764CF7CD850E320

Function 00007FF731693540 Relevance: 5.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF731693578
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73169359E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316935BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7316935CE

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c78045512bd42d14feec1b2225692ea8de54b7c52051612741a62dcf1c59137d
Instruction ID: d9755da8ac0a1acb05a26a99eaba8715776782c478f991c48e0d0da4499f7172
Opcode Fuzzy Hash: c78045512bd42d14feec1b2225692ea8de54b7c52051612741a62dcf1c59137d
Instruction Fuzzy Hash: 78112836A04B50D6D7509F65E580368B3A4F788F88F88403ADE8E57328CF38E895E760

Function 00007FF7316A5180 Relevance: 5.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A127E), ref: 00007FF7316A51A6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A127E), ref: 00007FF7316A51C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A127E), ref: 00007FF7316A51E2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7316A127E), ref: 00007FF7316A51F0

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a9be8488605f3ddb21fcd3ebe878c33e1fc0cdb249d0500abf06e90a83e44b1c
Instruction ID: a2284bd38ff9aeca39aa181002742633add897549a00892a2bb90470706445bf
Opcode Fuzzy Hash: a9be8488605f3ddb21fcd3ebe878c33e1fc0cdb249d0500abf06e90a83e44b1c
Instruction Fuzzy Hash: 2C11D376A04B11D2DB04EF66E99013CB3BAFB94F887500026CA9E43768CF78D850E390

Function 00007FF7316A2B20 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731678D45,?,?,00000000,00007FF731671A01,?,?,00000000,00007FF731671F35), ref: 00007FF7316A2B30
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731678D45,?,?,00000000,00007FF731671A01,?,?,00000000,00007FF731671F35), ref: 00007FF7316A2B56
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731678D45,?,?,00000000,00007FF731671A01,?,?,00000000,00007FF731671F35), ref: 00007FF7316A2B64
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF731678D45,?,?,00000000,00007FF731671A01,?,?,00000000,00007FF731671F35), ref: 00007FF7316A2B72

Memory Dump Source

Source File: 00000000.00000002.3964985108.00007FF731651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731650000, based on PE: true

Associated: 00000000.00000002.3964970404.00007FF731650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965025998.00007FF7316B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965045023.00007FF7316C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3965058606.00007FF7316CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731650000_AimPrivStoreAtt117.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6c82a7f5d3641403fc023f898a11a514918f0a9b425e138897a8f8dbfb6ab1b0
Instruction ID: b768c148e9d164b0e12c1f5688d7bd67d2f6b840fbde6fcba437bb18b0dc1966
Opcode Fuzzy Hash: 6c82a7f5d3641403fc023f898a11a514918f0a9b425e138897a8f8dbfb6ab1b0
Instruction Fuzzy Hash: 29F0E776A04B01D2DB14AF62E994128B3B5FF98F88B514535CEAE43768CF78C864E360

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AimPrivStoreAtt117.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
AimPrivStoreAtt117.exe

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre