Edit tour

Windows Analysis Report
PlusPrivStoreAtt116.exe

Overview

General Information

Sample name:	PlusPrivStoreAtt116.exe
Analysis ID:	1590901
MD5:	d4a125241862eb0a4bd1afcf362d914f
SHA1:	c3c418450fe4cd0768e214a270374f6e1c8e37f3
SHA256:	29c141ee54b805226e0fe7eafe994ec3b461a648861497964acff28d35ba78b8
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

PlusPrivStoreAtt116.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\PlusPrivStoreAtt116.exe" MD5: D4A125241862EB0A4BD1AFCF362D914F)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7728 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7848 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7876 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7896 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7952 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7968 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7984 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7996 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 8020 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8036 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8064 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8080 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8116 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8132 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8164 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8176 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7196 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1200 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 6660 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 3088 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 6836 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5528 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 4308 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1552 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 3256 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 1888 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1988 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 316 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2168 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 3380 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PlusPrivStoreAtt116.exe	Virustotal: Detection: 41%			Perma Link
Source: PlusPrivStoreAtt116.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.2% probability

Machine Learning detection for sample

Source: PlusPrivStoreAtt116.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A406A84D strtol,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,_strdup,CertOpenStore,GetLastError,free,free,CryptStringToBinaryA,CertFindCertificateInStore,fopen,fseek,ftell,fseek,malloc,fread,fclose,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertCloseStore,calloc,CertFreeCertificateContext,fclose,free,CertFreeCertificateContext,free,calloc,	1_2_00007FF7A406A84D
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A408D750 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	1_2_00007FF7A408D750
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A408F840 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	1_2_00007FF7A408F840
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A40863E0 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertGetNameStringA,malloc,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,	1_2_00007FF7A40863E0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A406CAD0 CryptAcquireContextA,CryptCreateHash,	1_2_00007FF7A406CAD0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A406CB30 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	1_2_00007FF7A406CB30
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A406CB20 CryptHashData,	1_2_00007FF7A406CB20
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4069B40 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	1_2_00007FF7A4069B40
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4069C10 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	1_2_00007FF7A4069C10
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4086D00 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,malloc,ReadFile,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,free,	1_2_00007FF7A4086D00

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: -----BEGIN PUBLIC KEY-----		1_2_00007FF7A404F9F0
Source: PlusPrivStoreAtt116.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Code function: mov dword ptr [rbp+04h], 424D53FFh

1_2_00007FF7A4079410

Source: unknown	HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.7:49759 version: TLS 1.2

Source: PlusPrivStoreAtt116.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\BACKUP BOTS PRIVATE STORE\Loader Valorant Plus\x64\Release\EpicGames.pdb source: PlusPrivStoreAtt116.exe
Source:	Binary string: .D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\BACKUP BOTS PRIVATE STORE\Loader Valorant Plus\x64\Release\EpicGames.pdb source: PlusPrivStoreAtt116.exe

Source: global traffic

HTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 74Content-Type: application/x-www-form-urlencoded

Source: Joe Sandbox View

IP Address: 104.26.1.5 104.26.1.5

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Code function: 1_2_00007FF7A4056600 recv,WSAGetLastError,

1_2_00007FF7A4056600

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: keyauth.win

Source: unknown

HTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 74Content-Type: application/x-www-form-urlencoded

Source: PlusPrivStoreAtt116.exe	String found in binary or memory: http://167.114.85.75/plusattnewhvcionprivate.exe
Source: PlusPrivStoreAtt116.exe	String found in binary or memory: http://167.114.85.75/plusattnewhvcionprivate.exeC:
Source: PlusPrivStoreAtt116.exe	String found in binary or memory: http://167.114.85.75/plushvcioffbronkzatualizadoh79.exe
Source: PlusPrivStoreAtt116.exe	String found in binary or memory: http://167.114.85.75/plushvcioffbronkzatualizadoh79.exeC:
Source: PlusPrivStoreAtt116.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: PlusPrivStoreAtt116.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: PlusPrivStoreAtt116.exe, 00000001.00000003.1520531906.0000016AF330B000.00000004.00000020.00020000.00000000.sdmp, PlusPrivStoreAtt116.exe, 00000001.00000003.1520643858.0000016AF3327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.cc/panel/bronkzware/Loader
Source: PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/
Source: PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/og5e
Source: PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/pace
Source: PlusPrivStoreAtt116.exe, 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmp, PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/6)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: unknown	HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.7:49759 version: TLS 1.2

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Code function: 1_2_00007FF7A408D750 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

1_2_00007FF7A408D750

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A40585D0	1_2_00007FF7A40585D0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A406A84D	1_2_00007FF7A406A84D
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4059290	1_2_00007FF7A4059290
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4057290	1_2_00007FF7A4057290
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4041E40	1_2_00007FF7A4041E40
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A405FEA0	1_2_00007FF7A405FEA0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4041AA0	1_2_00007FF7A4041AA0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A403956D	1_2_00007FF7A403956D
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A40685D0	1_2_00007FF7A40685D0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A408D750	1_2_00007FF7A408D750
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A403974B	1_2_00007FF7A403974B
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4041750	1_2_00007FF7A4041750
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A408F7D0	1_2_00007FF7A408F7D0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A406A90C	1_2_00007FF7A406A90C
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A406A915	1_2_00007FF7A406A915
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A405A150	1_2_00007FF7A405A150
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A40631A0	1_2_00007FF7A40631A0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A40492A0	1_2_00007FF7A40492A0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A403D310	1_2_00007FF7A403D310
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4075300	1_2_00007FF7A4075300
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A40863E0	1_2_00007FF7A40863E0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4079E30	1_2_00007FF7A4079E30
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4080E90	1_2_00007FF7A4080E90
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A403DEA0	1_2_00007FF7A403DEA0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4081EC0	1_2_00007FF7A4081EC0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A406CEE0	1_2_00007FF7A406CEE0
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4050F10	1_2_00007FF7A4050F10
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4031000	1_2_00007FF7A4031000
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A407DB30	1_2_00007FF7A407DB30
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A403AC0D	1_2_00007FF7A403AC0D
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A403EC30	1_2_00007FF7A403EC30
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4053C40	1_2_00007FF7A4053C40
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4065CF0	1_2_00007FF7A4065CF0

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A4056280 appears 380 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A4059790 appears 36 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A405ABB0 appears 37 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A405AC40 appears 33 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A4056400 appears 326 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A40596C0 appears 46 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A4050B50 appears 70 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A4090B6C appears 47 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A405AD20 appears 34 times
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: String function: 00007FF7A4043940 appears 49 times

Source: classification engine

Classification label: mal56.evad.winEXE@68/18@2/2

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Code function: 1_2_00007FF7A4042620 GetLastError,_errno,FormatMessageA,strchr,strncpy,_errno,_errno,GetLastError,SetLastError,

1_2_00007FF7A4042620

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03

Source: PlusPrivStoreAtt116.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PlusPrivStoreAtt116.exe	Virustotal: Detection: 41%
Source: PlusPrivStoreAtt116.exe	ReversingLabs: Detection: 65%

Source: PlusPrivStoreAtt116.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I32I64%ld.%ld$@

Source: unknown	Process created: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe "C:\Users\user\Desktop\PlusPrivStoreAtt116.exe"
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PlusPrivStoreAtt116.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: PlusPrivStoreAtt116.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PlusPrivStoreAtt116.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PlusPrivStoreAtt116.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PlusPrivStoreAtt116.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PlusPrivStoreAtt116.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PlusPrivStoreAtt116.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PlusPrivStoreAtt116.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: PlusPrivStoreAtt116.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\BACKUP BOTS PRIVATE STORE\Loader Valorant Plus\x64\Release\EpicGames.pdb source: PlusPrivStoreAtt116.exe
Source:	Binary string: .D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\BACKUP BOTS PRIVATE STORE\Loader Valorant Plus\x64\Release\EpicGames.pdb source: PlusPrivStoreAtt116.exe

Source: PlusPrivStoreAtt116.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PlusPrivStoreAtt116.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PlusPrivStoreAtt116.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PlusPrivStoreAtt116.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PlusPrivStoreAtt116.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Code function: 1_2_00007FF7A4059290 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,GetProcAddress,if_nametoindex,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoA,QueryPerformanceFrequency,

1_2_00007FF7A4059290

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro

Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Window / User API: threadDelayed 2690			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2257			Jump to behavior

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_1-47790

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

API coverage: 5.2 %

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe TID: 7672

Thread sleep time: -134500s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Last function: Thread delayed

Source: PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Code function: 1_2_00007FF7A409067C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF7A409067C

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Code function: 1_2_00007FF7A4090A18 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

1_2_00007FF7A4090A18

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

1_2_00007FF7A4059290

Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A409067C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF7A409067C
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4090824 SetUnhandledExceptionFilter,	1_2_00007FF7A4090824
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4090384 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF7A4090384

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Code function: 1_2_00007FF7A4090894 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FF7A4090894

Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4065370 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,	1_2_00007FF7A4065370
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4075300 calloc,strchr,strncpy,strchr,strncpy,strchr,strtoul,strchr,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,	1_2_00007FF7A4075300
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A407BE00 calloc,calloc,calloc,bind,WSAGetLastError,	1_2_00007FF7A407BE00
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A4057F40 memset,strncmp,strncmp,strchr,htons,atoi,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	1_2_00007FF7A4057F40
Source: C:\Users\user\Desktop\PlusPrivStoreAtt116.exe	Code function: 1_2_00007FF7A407C060 calloc,calloc,calloc,bind,WSAGetLastError,	1_2_00007FF7A407C060

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Exploitation of Remote Services	12 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PlusPrivStoreAtt116.exe	42%	Virustotal		Browse
PlusPrivStoreAtt116.exe	66%	ReversingLabs	Win64.Trojan.Lazy
PlusPrivStoreAtt116.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://keyauth.cc/panel/bronkzware/Loader	0%	Avira URL Cloud	safe
http://167.114.85.75/plushvcioffbronkzatualizadoh79.exe	0%	Avira URL Cloud	safe
http://167.114.85.75/plusattnewhvcionprivate.exeC:	0%	Avira URL Cloud	safe
http://167.114.85.75/plusattnewhvcionprivate.exe	0%	Avira URL Cloud	safe
http://167.114.85.75/plushvcioffbronkzatualizadoh79.exeC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
keyauth.win	104.26.1.5	true	false	high
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
time.windows.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.1/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://167.114.85.75/plusattnewhvcionprivate.exe	PlusPrivStoreAtt116.exe	false	Avira URL Cloud: safe	unknown
http://167.114.85.75/plushvcioffbronkzatualizadoh79.exeC:	PlusPrivStoreAtt116.exe	false	Avira URL Cloud: safe	unknown
http://167.114.85.75/plushvcioffbronkzatualizadoh79.exe	PlusPrivStoreAtt116.exe	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.1/pace	PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://167.114.85.75/plusattnewhvcionprivate.exeC:	PlusPrivStoreAtt116.exe	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.1/og5e	PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	PlusPrivStoreAtt116.exe	false		high
https://curl.haxx.se/docs/http-cookies.html#	PlusPrivStoreAtt116.exe	false		high
https://keyauth.cc/panel/bronkzware/Loader	PlusPrivStoreAtt116.exe, 00000001.00000003.1520531906.0000016AF330B000.00000004.00000020.00020000.00000000.sdmp, PlusPrivStoreAtt116.exe, 00000001.00000003.1520643858.0000016AF3327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.2/	PlusPrivStoreAtt116.exe, 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmp, PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://keyauth.win/api/1.2/6)	PlusPrivStoreAtt116.exe, 00000001.00000002.3300477205.0000016AF32CC000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.1.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590901
Start date and time:	2025-01-14 16:52:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PlusPrivStoreAtt116.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@68/18@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 48 Number of non-executed functions: 223
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 51.145.123.29, 13.107.253.45, 172.202.163.200
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.1.5	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse
	CCuITQzvd4.exe	Get hash	malicious	Unknown	Browse
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Get hash	malicious	Unknown	Browse
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.6030.29502.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Generic.36879400.484.7364.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	ak3o7AZ3mH.exe	Get hash	malicious	Babadeda, Conti, Mimikatz	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
s-part-0017.t-0009.fb-t-msedge.net	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Fjobuli.in%2Fwinner%2FsXtxg%2FbWFyc2hhLnJvd2xhbmRAY2hlcm9rZWVicmljay5jb20=?0s57db=MTMmMTMmMTMmMTMmQjEmRjQmb2JxdEczJkQ0Jk11bHdyVGhHeUtZLi45SjNYNlJyamY6ckY0JjMzJnV5ZnUub2ZlZWppMzMmRTQmdHRibWQxMyZvYnF0RDQmQjEmRjQmbW51aUczJkQ0JkIxJkY0JnplcGNHMyZENCZCMSZGNCZ6ZXBjRDQmQjEmRjQmZWJmaUczJkQ0JkIxJkY0JmZtenV0RzMmRDQmMTMmMTMmMTMmMTMmQjEmRTgmMTMmMTMmMTMmMTMmMTMmMTMmMTMmMTMmQjEmQzQmb2ZlZWppMTMmQjQmenVqbWpjanRqdzEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJkIxJkM0JmZ1aml4MTMmQjQmc3BtcGQxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyZCMSZDOCYxMyZ1eWZ1Lm9mZWVqaS8xMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyZCMSZGNCZmbXp1dEQ0JjEzJjEzJjEzJjEzJkIxJkY0JmZtdWp1RzMmRDQmZm5wSUY0JmZtdWp1RDQmMTMmMTMmMTMmMTMmQjEmRzMmKzEzJmZzMTMmZWViMTMmRTQmRTQmRTQmRTQmRTQmRTQmRDQmMTMmK0czJjEzJjEzJkY0JjMzJkI6NjMmMTk2MyYzRjYzJkRCNjMmMzk2MyYzRjYzJjRCNjMmNEQ2MyY1MyY1MyZCOjYzJjE5NjMmM0Y2MyZEQjYzJjM5NjMmM0Y2MyY0QjYzJjRENjMmRTQmRTQmeGN6Nnpka21IZXtHSGN4MlRaelM0Wm1HSFJpT1hidkdIZXs2VFp2R25bbVM0ZEczJkROUEVHMyZ6ZndzdnR0c2Z6YkczJmx2L3BkL3pmd3N2dHRzZnpiRzMmRzMmQjQmdHF1dWlFNCZtc3ZDNCYzMzMmRTQmdW9mdW9wZDEzJjMzJml0ZnNnZnMzMyZFNCZ3anZyZi5xdXVpMTMmYnVmbkQ0JjEzJjEzJjEzJjEzJkIxJkY0JjMzJjkuR1VWMzMmRTQmdWZ0c2JpZDEzJmJ1Zm5ENCYxMyYxMyYxMyYxMyZCMSZGNCZlYmZpRDQmQjEmRjQmbW51aUQ0JkIxJkY0Jm9icXRHMyZENCZkazdoWlZENCZ0ezVNRTQmTFhteDFPUWdkWFBZc3s1d0c5e1FFNiZDT0Y0JjMzJnV5ZnUub2ZlZWppMzMmRTQmdHRibWQxMyZvYnF0RDQmQjEm	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Fmessagupdates.courtfilepro.com%2FVTtMa	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	P-04071A.xls	Get hash	malicious	Unknown	Browse	13.107.253.45
	P-04071A.xls	Get hash	malicious	Unknown	Browse	13.107.253.45
	1736856908fb16676aec3e4c808c4bd5cde8e123cc70360266f85ec0ed17050bca6456c9dd274.dat-decoded.exe	Get hash	malicious	XWorm	Browse	13.107.253.45
	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	13.107.253.45
	RFQ____PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://Rtasia-sharepoint.zonivarnoth.ru/ITb4aThU/#Deddie.chan@rtasia.com.hk	Get hash	malicious	Unknown	Browse	13.107.253.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	email.eml	Get hash	malicious	unknown	Browse	172.64.41.3
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	http://brillflooring.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.26.1.5
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	104.26.1.5
	http://vionicstore.shop	Get hash	malicious	Unknown	Browse	104.26.1.5
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	104.26.1.5
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	104.26.1.5

Process:	C:\Users\user\Desktop\PlusPrivStoreAtt116.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	304
Entropy (8bit):	3.644169459123466
Encrypted:	false
SSDEEP:	3:rRRqmIEaGj3F/9Dqa+U4W42oJXWWxbF2To3G3oJXWWxbFWXqowvxOwVGt:H041lxwhHawhwcV4
MD5:	DF552214087F20ACF423B1FA912CAF62
SHA1:	4CB23050703E757BFE05C0E4B28314D673B08693
SHA-256:	98F76FD5FEA096224BD97E3EA6A315E01A5218E57EE59ADD7DD8F691F4FCCA51
SHA-512:	07754C89FDDC1391628BFBC470B8B67ED73583EAACBA4F30E0F3F17FBCFCD148E06620E3698666CA2BA068F9FE0A2F913322DFF9C1B11B106FB89B779F9A777A
Malicious:	false
Preview:	....##########################################################..[ Selecione uma opcao: ]..##########################################################....[1] Iniciar Valorant Plus (HVCI DESLIGADO): ..[2] Iniciar Valorant Plus (HVCI HABILITADO): ....[+] Selecione a opcao:

\Device\Null

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.003997527334849
Encrypted:	false
SSDEEP:	3:HnRthLK5a6eCMABe:HRoJPO
MD5:	DF5DC1ABC0D52F3C9E931E26A7C0065C
SHA1:	EE84123D3B3BC440C63DFE65FF5616BE2B0904D5
SHA-256:	F7167A2FACDE50428D8D2697A1CDFF075DE809323DD16D62B65CDD103B2A9A6D
SHA-512:	9B2253CE41880D22A2DDF4F886BB6CB22FF0C981400CD9D03A1FCA81DE5FAEB86C26B85B66ECEC960816D7BBE9740843890F2FCCD334B6D274295A32A8E6A4E9
Malicious:	false
Preview:	The system cannot find the file specified...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.420350102147237
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PlusPrivStoreAtt116.exe
File size:	510'464 bytes
MD5:	d4a125241862eb0a4bd1afcf362d914f
SHA1:	c3c418450fe4cd0768e214a270374f6e1c8e37f3
SHA256:	29c141ee54b805226e0fe7eafe994ec3b461a648861497964acff28d35ba78b8
SHA512:	0e860929f32f69fd1bc89799fd84ac64b96516fed0123ab9c5a2afbef1e87de6c51f90b9cf0d5d1f6dd1726fc26e6118bc780a8bd43ea54a215689959bfa53f0
SSDEEP:	12288:GKYt4C6iIzrAjqDKE22zDzN5ofEwN/PXMk:Gt4C63zriea2zHNyEwpXMk
TLSH:	45B47D56A7A817E9D1A7C03CC547C603E7B6B4991311DBDB43A0CA792F237E26E3A710
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V..._...B...PHe.^...PH..v...PH..\...PH..R...PH..P.......A...V...x.......?...9H..T...9H..W...9Hg.W...9H..W...RichV..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140060368
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x677DDEDD [Wed Jan 8 02:11:41 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	551e5f19de2baa264d46ee5c6718793c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FED14938288h
dec eax
add esp, 28h
jmp 00007FED14937BD7h
int3
int3
jmp 00007FED1493853Eh
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00001D9Bh]
dec eax
mov ecx, ebx
call dword ptr [00001D8Ah]
call dword ptr [00001DE4h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00001DE0h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00001DD4h]
test eax, eax
je 00007FED14937D69h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00019492h]
call 00007FED14937F2Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00019579h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00019509h], eax
dec eax
mov eax, dword ptr [00019562h]
dec eax
mov dword ptr [000193D3h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [000194D7h], eax
mov dword ptr [000193ADh], C0000409h
mov dword ptr [000193A7h], 00000001h
mov dword ptr [000000B1h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x77318	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7f000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7a000	0x405c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0x4ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x71090	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x71100	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x70f50	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x62000	0x858	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x606e8	0x60800	f6be6f4c0ca7f222fea58e8729dc8f93	False	0.5324744980569949	data	6.334595345552807	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x62000	0x16ec4	0x17000	5baa9e49913892291fedbb67715bfaf7	False	0.379585597826087	data	5.59957998743783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x79000	0xe08	0x400	cef7bcba2c4bb58f5386ec5b3ae9f7f8	False	0.2138671875	data	2.4461568678801138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x7a000	0x405c	0x4200	1f44589aeb34f25d94952a45d7939e4f	False	0.47407670454545453	data	5.699721075250355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7f000	0x1e8	0x200	9682c2bd23621eded0bee00be928ba8f	False	0.54296875	data	4.772037401703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0x4ec	0x600	cac0ac8c6a84a9b40000852c8a3bff36	False	0.5149739583333334	data	4.845798537474806	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x7f060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	ReadFile, PeekNamedPipe, WaitForMultipleObjects, CreateFileA, GetFileSizeEx, WideCharToMultiByte, RtlCaptureContext, GetModuleHandleA, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FreeLibrary, GetSystemDirectoryA, QueryPerformanceFrequency, VerSetConditionMask, SleepEx, GetEnvironmentVariableA, EnterCriticalSection, FormatMessageA, SetLastError, CloseHandle, GetCurrentProcess, DeleteCriticalSection, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetModuleHandleW, GetCurrentProcessId, GetCurrentThreadId, GetFileType, MultiByteToWideChar, WaitForSingleObjectEx, MoveFileExA, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, LoadLibraryA, LeaveCriticalSection, GetSystemTimeAsFileTime, GetProcAddress, GetLastError, InitializeCriticalSectionEx, GetConsoleWindow, SetConsoleTitleA, SetConsoleTextAttribute, SetConsoleScreenBufferInfoEx, GetConsoleScreenBufferInfoEx, SetConsoleMode, GetConsoleMode, Sleep, RtlLookupFunctionEntry, GetStdHandle, OutputDebugStringW, InitializeSListHead
USER32.dll	MessageBoxA, MoveWindow, GetWindowRect, GetWindowLongA, SetWindowLongA
ADVAPI32.dll	CryptEncrypt, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptGenRandom, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey
SHELL32.dll	ShellExecuteA
MSVCP140.dll	?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Xlength_error@std@@YAXPEBD@Z, _Thrd_detach, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ?_Random_device@std@@YAIXZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Xbad_function_call@std@@YAXXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
urlmon.dll	URLDownloadToFileA
Normaliz.dll	IdnToAscii
WLDAP32.dll
CRYPT32.dll	CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertOpenStore, CertCloseStore
WS2_32.dll	ntohl, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, __WSAFDIsSet, ioctlsocket, htonl, accept, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, bind, WSAGetLastError, send, recv, closesocket, listen
VCRUNTIME140.dll	__std_exception_destroy, __std_exception_copy, memcpy, memcmp, _CxxThrowException, __std_terminate, __C_specific_handler, strchr, __current_exception_context, strrchr, __current_exception, memchr, memset, strstr, memmove
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	_errno, __sys_nerr, _invalid_parameter_noinfo_noreturn, strerror, exit, _getpid, system, _beginthreadex, _register_thread_local_exe_atexit_callback, terminate, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _c_exit, _get_initial_narrow_environment, _initterm, _initterm_e, _exit, __p___argv, __p___argc
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, calloc, realloc, malloc, _set_new_mode, free
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vfprintf, fseek, feof, __p__commode, fputc, ftell, _lseeki64, _read, _write, _close, _open, __acrt_iob_func, __stdio_common_vsscanf, fgets, fputs, fopen, fflush, __stdio_common_vsprintf, fread, fclose, _set_fmode, fwrite
api-ms-win-crt-convert-l1-1-0.dll	atoi, strtoul, strtoull, strtoll, strtol, strtod
api-ms-win-crt-locale-l1-1-0.dll	localeconv, _configthreadlocale
api-ms-win-crt-time-l1-1-0.dll	_time64, _gmtime64
api-ms-win-crt-string-l1-1-0.dll	strpbrk, strcspn, strcmp, strncmp, strncpy, strspn, isupper, tolower, _strdup
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-filesystem-l1-1-0.dll	_stat64, _access, _unlink, _fstat64
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dclass

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:54:00.501523972 CET	49759	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:54:00.501549006 CET	443	49759	104.26.1.5	192.168.2.7
Jan 14, 2025 16:54:00.501883984 CET	49759	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:54:00.540780067 CET	49759	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:54:00.540796041 CET	443	49759	104.26.1.5	192.168.2.7
Jan 14, 2025 16:54:00.997945070 CET	443	49759	104.26.1.5	192.168.2.7
Jan 14, 2025 16:54:00.998097897 CET	49759	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:54:01.004832029 CET	49759	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:54:01.004844904 CET	443	49759	104.26.1.5	192.168.2.7
Jan 14, 2025 16:54:01.005090952 CET	443	49759	104.26.1.5	192.168.2.7
Jan 14, 2025 16:54:01.010730028 CET	49759	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:54:01.051330090 CET	443	49759	104.26.1.5	192.168.2.7
Jan 14, 2025 16:54:01.185031891 CET	443	49759	104.26.1.5	192.168.2.7
Jan 14, 2025 16:54:01.185116053 CET	443	49759	104.26.1.5	192.168.2.7
Jan 14, 2025 16:54:01.185210943 CET	49759	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:54:01.204555035 CET	49759	443	192.168.2.7	104.26.1.5
Jan 14, 2025 16:54:01.204571962 CET	443	49759	104.26.1.5	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:53:40.246463060 CET	49370	53	192.168.2.7	1.1.1.1
Jan 14, 2025 16:54:00.453460932 CET	55775	53	192.168.2.7	1.1.1.1
Jan 14, 2025 16:54:00.460644007 CET	53	55775	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:53:40.246463060 CET	192.168.2.7	1.1.1.1	0x249b	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:54:00.453460932 CET	192.168.2.7	1.1.1.1	0x87f2	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:53:40.253575087 CET	1.1.1.1	192.168.2.7	0x249b	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 16:53:50.955216885 CET	1.1.1.1	192.168.2.7	0x7f45	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 16:53:50.955216885 CET	1.1.1.1	192.168.2.7	0x7f45	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 16:53:50.955216885 CET	1.1.1.1	192.168.2.7	0x7f45	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:54:00.460644007 CET	1.1.1.1	192.168.2.7	0x87f2	No error (0)	keyauth.win		104.26.1.5	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:54:00.460644007 CET	1.1.1.1	192.168.2.7	0x87f2	No error (0)	keyauth.win		172.67.72.57	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:54:00.460644007 CET	1.1.1.1	192.168.2.7	0x87f2	No error (0)	keyauth.win		104.26.0.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

keyauth.win

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49759	104.26.1.5	443	7560	C:\Users\user\Desktop\PlusPrivStoreAtt116.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:54:01 UTC	128	OUT	POST /api/1.1/ HTTP/1.1 Host: keyauth.win Accept: / Content-Length: 74 Content-Type: application/x-www-form-urlencoded
2025-01-14 15:54:01 UTC	74	OUT	Data Raw: 74 79 70 65 3d 69 6e 69 74 26 76 65 72 3d 32 2e 36 26 6e 61 6d 65 3d 4c 6f 61 64 65 72 20 50 72 69 6e 63 69 70 61 6c 20 7c 20 50 72 69 76 61 74 65 20 53 74 6f 72 65 26 6f 77 6e 65 72 69 64 3d 39 57 49 76 54 56 4a 61 39 6d Data Ascii: type=init&ver=2.6&name=Loader Principal \| Private Store&ownerid=9WIvTVJa9m
2025-01-14 15:54:01 UTC	1323	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:54:01 GMT Content-Type: application/json; charset=UTF-8 Content-Length: 475 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NJM8LArUobaV58EZQPxqlCXhkjnCO5PkHe7AsjVuls4482Hbjr59llpk%2F5DTU%2FNTNiFrbzjSmQJC74y7iF6Sham8iYK5ZvLzRfkuO7D0%2BMMEYjaBcUdm0s%2FripDt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Acknowledge: Credit to VaultCord.com X-Powered-By: VaultCord.com content-security-policy: upgrade-insecure-requests permissions-policy: accelerometer=(), camera=(), fullscreen=, geolocation=(self), gyroscope=(), microphone=(), payment= referrer-policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains x-content-security-policy: img-src ; media-src data:; x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 1; mode=block Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Server: cloudflare CF-RAY: 901ecd5cbb180f43-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1532&rtt_var=587&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2346&recv_bytes=862&delivery_rate=1906005&cwnd=32&unsent_bytes=0&cid=23987d8a36dea621&ts=197&x=0"
2025-01-14 15:54:01 UTC	46	IN	Data Raw: 7b 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 63 6f 64 65 22 3a 36 38 2c 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a Data Ascii: {"success":true,"code":68,"message":"Initializ
2025-01-14 15:54:01 UTC	429	IN	Data Raw: 65 64 22 2c 22 73 65 73 73 69 6f 6e 69 64 22 3a 22 38 61 33 31 32 39 33 39 22 2c 22 61 70 70 69 6e 66 6f 22 3a 7b 22 6e 75 6d 55 73 65 72 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 6e 75 6d 4f 6e 6c 69 6e 65 55 73 65 72 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 6e 75 6d 4b 65 79 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 32 2e 36 22 2c 22 63 75 73 74 6f 6d Data Ascii: ed","sessionid":"8a312939","appinfo":{"numUsers":"N/A - Use fetchStats() function in latest example","numOnlineUsers":"N/A - Use fetchStats() function in latest example","numKeys":"N/A - Use fetchStats() function in latest example","version":"2.6","custom

Target ID:	1
Start time:	10:53:52
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\PlusPrivStoreAtt116.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PlusPrivStoreAtt116.exe"
Imagebase:	0x7ff7a4030000
File size:	510'464 bytes
MD5 hash:	D4A125241862EB0A4BD1AFCF362D914F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:53:52
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:53:53
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:53:53
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:53:54
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:53:54
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:53:54
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:53:55
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:53:56
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:53:56
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff642ad0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:53:56
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:53:56
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff642ad0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:53:56
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:53:57
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 8036, Parent PID: 8020

General

Target ID:	15
Start time:	10:53:57
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:53:58
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 8080, Parent PID: 8064

General

Target ID:	17
Start time:	10:53:58
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:53:58
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 8132, Parent PID: 8116

General

Target ID:	20
Start time:	10:53:58
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:53:59
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 8176, Parent PID: 8164

General

Target ID:	22
Start time:	10:53:59
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff642ad0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:53:59
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 1200, Parent PID: 7196

General

Target ID:	24
Start time:	10:54:00
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff642ad0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:54:00
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 3088, Parent PID: 7560

General

Target ID:	26
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 6836, Parent PID: 3088

General

Target ID:	27
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 4308, Parent PID: 5528

General

Target ID:	29
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 3256, Parent PID: 1552

General

Target ID:	31
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff777230000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff642ad0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:54:01
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:54:02
Start date:	14/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff642ad0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	10:54:02
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff78c7d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	98

Executed Functions

Function 00007FF7A405FEA0 Relevance: 178.5, APIs: 31, Strings: 70, Instructions: 1702stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405FF78
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405FF85
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060058
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40600DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060183
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406021A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40602E5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406031D
strchr.VCRUNTIME140 ref: 00007FF7A4060497
strchr.VCRUNTIME140 ref: 00007FF7A40604AA
strchr.VCRUNTIME140 ref: 00007FF7A40604BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40605C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060633
memcpy.VCRUNTIME140 ref: 00007FF7A406065A
strchr.VCRUNTIME140 ref: 00007FF7A406066E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060682
strstr.VCRUNTIME140 ref: 00007FF7A40608B8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40609F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060B69

Part of subcall function 00007FF7A40596C0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4059733

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060C1C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060CA1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060EFA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060F10
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4060F1F

Part of subcall function 00007FF7A4062270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40622CA

strchr.VCRUNTIME140 ref: 00007FF7A40614D7
strchr.VCRUNTIME140 ref: 00007FF7A40614EA
strchr.VCRUNTIME140 ref: 00007FF7A40614FC

Part of subcall function 00007FF7A4062270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40622EA
Part of subcall function 00007FF7A4062270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40622F3

strchr.VCRUNTIME140 ref: 00007FF7A406174F
strchr.VCRUNTIME140 ref: 00007FF7A4061762
strchr.VCRUNTIME140 ref: 00007FF7A4061774

Part of subcall function 00007FF7A40648A0: strchr.VCRUNTIME140 ref: 00007FF7A4064986
Part of subcall function 00007FF7A40648A0: strchr.VCRUNTIME140 ref: 00007FF7A4064999
Part of subcall function 00007FF7A40648A0: strchr.VCRUNTIME140 ref: 00007FF7A40649AB

Strings

1.0, xrefs: 00007FF7A4060C00
;type=, xrefs: 00007FF7A40608AE
Range: bytes=%s, xrefs: 00007FF7A40609FE
Last-Modified, xrefs: 00007FF7A406115B
Accept-Encoding: %s, xrefs: 00007FF7A40602F2
Accept, xrefs: 00007FF7A4060973
Cookie: , xrefs: 00007FF7A406100E, 00007FF7A4061084
Content-Type, xrefs: 00007FF7A4060387, 00007FF7A40616BD
%s, xrefs: 00007FF7A4061453
0, xrefs: 00007FF7A40618C6, 00007FF7A40619C5
100-continue, xrefs: 00007FF7A4061516, 00007FF7A4061796
Accept: */*, xrefs: 00007FF7A4060985
Host:%s, xrefs: 00007FF7A40606C6
%s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00007FF7A40611F4
http, xrefs: 00007FF7A406081B
Referer: %s, xrefs: 00007FF7A406024E
%s , xrefs: 00007FF7A4060C33
Cookie, xrefs: 00007FF7A40602A2
Content-Range: bytes %s/%I64d, xrefs: 00007FF7A4060BB6
Transfer-Encoding: chunked, xrefs: 00007FF7A406058F
?%s, xrefs: 00007FF7A4060D0B
%s?%s, xrefs: 00007FF7A4060075
%x, xrefs: 00007FF7A4061875
upload completely sent off: %I64d out of %I64d bytes, xrefs: 00007FF7A4061A7E
Failed sending POST request, xrefs: 00007FF7A40613A9, 00007FF7A40615ED
Content-Range, xrefs: 00007FF7A4060B4E
Content-Type: application/x-www-form-urlencoded, xrefs: 00007FF7A40616D1
PUT, xrefs: 00007FF7A4060018
Failed sending HTTP POST request, xrefs: 00007FF7A406197B
Host:, xrefs: 00007FF7A4060691
POST, xrefs: 00007FF7A4060025
Host: %s%s%s:%d, xrefs: 00007FF7A4060782
multipart/form-data, xrefs: 00007FF7A40603CA
Proxy-Connection: Keep-Alive, xrefs: 00007FF7A4060D9F, 00007FF7A4060DB4
File already completely uploaded, xrefs: 00007FF7A4060B09
OPTIONS, xrefs: 00007FF7A406000B
Failed sending PUT request, xrefs: 00007FF7A4061349
Host, xrefs: 00007FF7A40605C9
Accept-Encoding, xrefs: 00007FF7A40602C1
Transfer-Encoding:, xrefs: 00007FF7A406044E
Invalid TIMEVALUE, xrefs: 00007FF7A4061123
Proxy-Connection, xrefs: 00007FF7A4060D73
;type=%c, xrefs: 00007FF7A4060921
%s%s, xrefs: 00007FF7A40610B0
If-Modified-Since, xrefs: 00007FF7A406116D
Content-Length: 0, xrefs: 00007FF7A4061370
Chunky upload is not supported by HTTP 1.0, xrefs: 00007FF7A406059C
chunked, xrefs: 00007FF7A40604D6
GET, xrefs: 00007FF7A4060032
Content-Length: %I64d, xrefs: 00007FF7A40612CB, 00007FF7A4061420, 00007FF7A40616A5
Could not seek stream, xrefs: 00007FF7A4060A68
ftp://%s:%s@%s, xrefs: 00007FF7A4060CCB
ftp, xrefs: 00007FF7A4060889
Content-Range: bytes %s%I64d/%I64d, xrefs: 00007FF7A4060BA8
Referer, xrefs: 00007FF7A4060233
%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF7A4060EDB
Could only read %I64d bytes from the input, xrefs: 00007FF7A4060B25
Content-Range: bytes 0-%I64d/%I64d, xrefs: 00007FF7A4060B84
Failed sending HTTP request, xrefs: 00007FF7A4061646
%s%s=%s, xrefs: 00007FF7A4061029
1.1, xrefs: 00007FF7A4060C0E
Expect, xrefs: 00007FF7A4061474, 00007FF7A40616E9
HEAD, xrefs: 00007FF7A405FFE1
Content-Length, xrefs: 00007FF7A40612B4, 00007FF7A4061409, 00007FF7A406168E
Host: %s%s%s, xrefs: 00007FF7A406073D
Range, xrefs: 00007FF7A40609D2
Transfer-Encoding, xrefs: 00007FF7A406042D
If-Unmodified-Since, xrefs: 00007FF7A4061164
Expect:, xrefs: 00007FF7A4061495, 00007FF7A406170A
User-Agent, xrefs: 00007FF7A406003D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$strchr$_strdup$callocmemcpystrstr
String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s: %s, %02d %s %4d %02d:%02d:%02d GMT$%s?%s$%x$0$1.0$1.1$100-continue$;type=$;type=%c$?%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Cookie$Cookie: $Could not seek stream$Could only read %I64d bytes from the input$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified$OPTIONS$POST$PUT$Proxy-Connection$Proxy-Connection: Keep-Alive$Range$Range: bytes=%s$Referer$Referer: %s$Transfer-Encoding$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent$chunked$ftp$ftp://%s:%s@%s$http$multipart/form-data$upload completely sent off: %I64d out of %I64d bytes
API String ID: 2045874074-4264080130
Opcode ID: 4168fa95d65f54a1e0795bddf3cd2d3dada032a491ce2ca990e0fbb27d0a3f89
Instruction ID: 7399ef7eda52c052c3c3f8ed8b764b2c52bf65d1804eac10a72917a9f88c7127
Opcode Fuzzy Hash: 4168fa95d65f54a1e0795bddf3cd2d3dada032a491ce2ca990e0fbb27d0a3f89
Instruction Fuzzy Hash: 4103C631B0A642A5FB54EF2394802BAE791EF40784F8640B5DE0E476B5DF7EE461E321

Function 00007FF7A4041E40 Relevance: 124.5, APIs: 58, Strings: 13, Instructions: 288
processsleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7A408FB18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF7A40343FE,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A408FB32

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4041EA4
_Thrd_detach.MSVCP140 ref: 00007FF7A4041ED3
GetStdHandle.KERNEL32 ref: 00007FF7A4041EEE
GetConsoleMode.KERNELBASE ref: 00007FF7A4041EFF
SetConsoleMode.KERNELBASE ref: 00007FF7A4041F12
GetStdHandle.KERNEL32 ref: 00007FF7A4041F1D
GetConsoleScreenBufferInfoEx.KERNELBASE ref: 00007FF7A4041F34
SetConsoleScreenBufferInfoEx.KERNELBASE ref: 00007FF7A4041F59
GetConsoleMode.KERNELBASE ref: 00007FF7A4041F67
SetConsoleMode.KERNELBASE ref: 00007FF7A4041F7B
GetConsoleWindow.KERNELBASE ref: 00007FF7A4041F81
GetWindowLongA.USER32 ref: 00007FF7A4041F92
SetWindowLongA.USER32 ref: 00007FF7A4041FA8
GetConsoleWindow.KERNELBASE ref: 00007FF7A4041FAE
GetWindowRect.USER32 ref: 00007FF7A4041FBF
MoveWindow.USER32 ref: 00007FF7A4041FE7
GetStdHandle.KERNEL32 ref: 00007FF7A4041FF2
SetConsoleTextAttribute.KERNELBASE ref: 00007FF7A4042000
GetStdHandle.KERNEL32 ref: 00007FF7A4042017
SetConsoleTextAttribute.KERNELBASE ref: 00007FF7A4042025
GetStdHandle.KERNEL32 ref: 00007FF7A4042048
SetConsoleTextAttribute.KERNELBASE ref: 00007FF7A4042056
GetStdHandle.KERNEL32 ref: 00007FF7A404206D
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A404207B

Part of subcall function 00007FF7A4042380: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A40423A4
Part of subcall function 00007FF7A4042380: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A40423C5

GetStdHandle.KERNEL32 ref: 00007FF7A4042092
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A40420A0
GetStdHandle.KERNEL32 ref: 00007FF7A40420B7
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A40420C5
GetStdHandle.KERNEL32 ref: 00007FF7A40420DC
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A40420EA
GetStdHandle.KERNEL32 ref: 00007FF7A4042101
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A404210F
GetStdHandle.KERNEL32 ref: 00007FF7A4042132
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A4042140
GetStdHandle.KERNEL32 ref: 00007FF7A4042157
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A4042165
GetStdHandle.KERNEL32 ref: 00007FF7A404217C
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A404218A
GetStdHandle.KERNEL32 ref: 00007FF7A40421AD
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A40421BB
GetStdHandle.KERNEL32 ref: 00007FF7A40421D2
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A40421E0
GetStdHandle.KERNEL32 ref: 00007FF7A40421F7
SetConsoleTextAttribute.KERNEL32 ref: 00007FF7A4042205
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF7A4042223
URLDownloadToFileA.URLMON ref: 00007FF7A404227A
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042286
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042293
Sleep.KERNEL32 ref: 00007FF7A404229E
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40422A6
URLDownloadToFileA.URLMON ref: 00007FF7A40422FA
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042306
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042313
Sleep.KERNEL32 ref: 00007FF7A404231E
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042326
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042334
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF7A4042363
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF7A4042372

Strings

Iniciar Valorant Plus (HVCI DESLIGADO): , xrefs: 00007FF7A4042115
Iniciar Valorant Plus (HVCI HABILITADO): , xrefs: 00007FF7A4042190
start C:\Windows\System32\config\SerHuStinsHostDialog.exe, xrefs: 00007FF7A404228C
##########################################################, xrefs: 00007FF7A4042037
start C:\Windows\System32\config\ServceHubeinssDialog.exe, xrefs: 00007FF7A404230C
[ Selecione uma opcao: ], xrefs: 00007FF7A404205C
http://167.114.85.75/plushvcioffbronkzatualizadoh79.exe, xrefs: 00007FF7A4042232
C:\Windows\System32\config\ServceHubeinssDialog.exe, xrefs: 00007FF7A40422C4
http://167.114.85.75/plusattnewhvcionprivate.exe, xrefs: 00007FF7A40422B2
##########################################################, xrefs: 00007FF7A4042081
Selecione a opcao: , xrefs: 00007FF7A404220B
C:\Windows\System32\config\SerHuStinsHostDialog.exe, xrefs: 00007FF7A4042243
cd C:\, xrefs: 00007FF7A404227F, 00007FF7A40422FF

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: Console$Handle$AttributeText$Window$Modesystem$BufferCpp_error@std@@DownloadFileInfoLongScreenSleepThrow_exit$??5?$basic_istream@D@std@@@std@@MoveRectThrd_detachU?$char_traits@V01@__acrt_iob_func__stdio_common_vfprintf_beginthreadexmallocterminate
String ID: Iniciar Valorant Plus (HVCI DESLIGADO): $ Iniciar Valorant Plus (HVCI HABILITADO): $ Selecione a opcao: $##########################################################$##########################################################$C:\Windows\System32\config\SerHuStinsHostDialog.exe$C:\Windows\System32\config\ServceHubeinssDialog.exe$[ Selecione uma opcao: ]$cd C:\$http://167.114.85.75/plusattnewhvcionprivate.exe$http://167.114.85.75/plushvcioffbronkzatualizadoh79.exe$start C:\Windows\System32\config\SerHuStinsHostDialog.exe$start C:\Windows\System32\config\ServceHubeinssDialog.exe
API String ID: 3379756739-3894013811
Opcode ID: 7d6ccfdcf208f1ed3c30f3b331a260dc6719f22fd9a96427a0c815ad178a38ab
Instruction ID: 87e5e10d068b0cdd8d794d2e400774aaed1890ecec01b47927eba304018139c5
Opcode Fuzzy Hash: 7d6ccfdcf208f1ed3c30f3b331a260dc6719f22fd9a96427a0c815ad178a38ab
Instruction Fuzzy Hash: 79D16531A0B50396EB04BF22EC9417BB361EF84751F810A79F51E066B6DF3EE554A360

Function 00007FF7A406A84D Relevance: 116.1, APIs: 43, Strings: 23, Instructions: 552stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A406A9A8
strchr.VCRUNTIME140 ref: 00007FF7A406A9D4
strchr.VCRUNTIME140 ref: 00007FF7A406AA0E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406AA32
strchr.VCRUNTIME140 ref: 00007FF7A406AB42
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406AB5A

Strings

schannel: ALPN, offering %s, xrefs: 00007FF7A406B085
LocalMachineGroupPolicy, xrefs: 00007FF7A406AAFC
LocalMachineEnterprise, xrefs: 00007FF7A406AB1B
CurrentUser, xrefs: 00007FF7A406AA22
schannel: Failed to read cert file %s, xrefs: 00007FF7A406AF09
Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00007FF7A406AA47
http/1.1, xrefs: 00007FF7A406B077
http/1.1, xrefs: 00007FF7A406B063
schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 00007FF7A406AE14
Users, xrefs: 00007FF7A406AAC6
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF7A406ADE9
schannel: AcquireCredentialsHandle failed: %s, xrefs: 00007FF7A406AFC5
CurrentUserGroupPolicy, xrefs: 00007FF7A406AADD
schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 00007FF7A406ABC0
Services, xrefs: 00007FF7A406AAA7
schannel: unable to allocate memory, xrefs: 00007FF7A406AECC, 00007FF7A406B157
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF7A406B043
Microsoft Unified Security Protocol Provider, xrefs: 00007FF7A406AF4F
LocalMachine, xrefs: 00007FF7A406AA63
schannel: TLS 1.3 is not yet supported, xrefs: 00007FF7A406A8DB
CurrentService, xrefs: 00007FF7A406AA85
schannel: Failed to get certificate location or file for %s, xrefs: 00007FF7A406AF32
schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 00007FF7A406AE5F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$_strdupstrncmpstrtol
String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$Services$Unable to set ciphers to passed via SSL_CONN_CONFIG$Users$http/1.1$http/1.1$schannel: ALPN, offering %s$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: TLS 1.3 is not yet supported$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.
API String ID: 707411602-3372543188
Opcode ID: 05868821c97f94baf6164b8d17389528a2746141e5772ed87361180ad4809c89
Instruction ID: a03a4ec549f21cc3360966aa3aead632e231a470e3086a4ff88e37e4b3105c80
Opcode Fuzzy Hash: 05868821c97f94baf6164b8d17389528a2746141e5772ed87361180ad4809c89
Instruction Fuzzy Hash: 0142D33170A74295EB14AF13D8906BAA3A0FF45784F824175DA4E077B1DFBEE424E721

Function 00007FF7A4059290 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF7A40592B8
WSACleanup.WS2_32 ref: 00007FF7A40592D3
GetModuleHandleA.KERNEL32 ref: 00007FF7A4059324
GetProcAddress.KERNEL32 ref: 00007FF7A4059350
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405936A
LoadLibraryA.KERNEL32 ref: 00007FF7A405938D
GetProcAddress.KERNEL32 ref: 00007FF7A40593AA
LoadLibraryExA.KERNELBASE ref: 00007FF7A40593C0
GetSystemDirectoryA.KERNEL32 ref: 00007FF7A40593D6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40593EE
GetSystemDirectoryA.KERNEL32 ref: 00007FF7A4059402
LoadLibraryA.KERNEL32 ref: 00007FF7A4059470
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405947C
GetProcAddress.KERNEL32 ref: 00007FF7A40594A8
VerSetConditionMask.KERNEL32 ref: 00007FF7A4059531
VerSetConditionMask.KERNEL32 ref: 00007FF7A4059544
VerSetConditionMask.KERNEL32 ref: 00007FF7A4059553
VerSetConditionMask.KERNEL32 ref: 00007FF7A4059562
VerSetConditionMask.KERNEL32 ref: 00007FF7A4059572
VerifyVersionInfoA.KERNEL32 ref: 00007FF7A4059583
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7A405959F

Strings

iphlpapi.dll, xrefs: 00007FF7A4059356
if_nametoindex, xrefs: 00007FF7A405949E
kernel32, xrefs: 00007FF7A405930B
AddDllDirectory, xrefs: 00007FF7A40593A0
LoadLibraryExA, xrefs: 00007FF7A405933E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ConditionMask$AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleInfoModulePerformanceQueryStartupVerifyVersionfreemallocstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 2612373469-2794540096
Opcode ID: de4467785da5013e920e77c5cee71bf5eccab42b814541a419c8975c411fe98b
Instruction ID: bdd8fedf4b2147c67873156869adeef955dec4484562f43b8fd9263d6e751970
Opcode Fuzzy Hash: de4467785da5013e920e77c5cee71bf5eccab42b814541a419c8975c411fe98b
Instruction Fuzzy Hash: 9891A621A0E78285E720AF12A8843BBB391FF89B80F868575D94E07775DF3DE4659720

Function 00007FF7A40585D0 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF7A405866C
socket.WS2_32 ref: 00007FF7A40586B5
htons.WS2_32 ref: 00007FF7A4058741
setsockopt.WS2_32 ref: 00007FF7A40587A3
WSAGetLastError.WS2_32 ref: 00007FF7A40587AD
getsockopt.WS2_32 ref: 00007FF7A405884F
setsockopt.WS2_32 ref: 00007FF7A405887E
setsockopt.WS2_32 ref: 00007FF7A40588BD
WSAIoctl.WS2_32 ref: 00007FF7A405894A
WSAGetLastError.WS2_32 ref: 00007FF7A4058954

Part of subcall function 00007FF7A40655A0: ioctlsocket.WS2_32 ref: 00007FF7A40655B9

Part of subcall function 00007FF7A405E0C0: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF7A404613F), ref: 00007FF7A405E0D7

connect.WS2_32 ref: 00007FF7A4058A7B
WSAGetLastError.WS2_32 ref: 00007FF7A4058A98

Part of subcall function 00007FF7A4042E10: GetLastError.KERNEL32 ref: 00007FF7A4042E32
Part of subcall function 00007FF7A4042E10: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042E3A

Part of subcall function 00007FF7A4056400: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A4056525
Part of subcall function 00007FF7A4056400: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A4056540

Part of subcall function 00007FF7A4056EE0: closesocket.WS2_32 ref: 00007FF7A4056F23

Strings

@, xrefs: 00007FF7A40587E7
Could not set TCP_NODELAY: %s, xrefs: 00007FF7A40587CA
Immediate connect fail for %s: %s, xrefs: 00007FF7A4058AC8
Trying %s:%ld..., xrefs: 00007FF7A405874F
Failed to set SO_KEEPALIVE on fd %d, xrefs: 00007FF7A40588CA
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00007FF7A405895D
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00007FF7A4058B3E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast$setsockopt$fwrite$CounterIoctlPerformanceQuery_errnoclosesocketconnectgetsockopthtonsioctlsocketmemcpysocket
String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3453287622-3868455274
Opcode ID: dbb5cd4517bb968bcac715a938c16f0401d988df0ca92266df0104945dc9420d
Instruction ID: 747be276a51e6c0b2ce955321ce02779a43cb7328cded64fd877dbe4e78f7b27
Opcode Fuzzy Hash: dbb5cd4517bb968bcac715a938c16f0401d988df0ca92266df0104945dc9420d
Instruction Fuzzy Hash: 5AF1F532A0A24286F750AF27D4842BFA390FB44784F828475EE4D476B5DF3EE564EB11

Function 00007FF7A4065370 Relevance: 24.1, APIs: 16, Instructions: 127
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF7A40653B1
htonl.WS2_32 ref: 00007FF7A40653DE
setsockopt.WS2_32 ref: 00007FF7A4065415
bind.WS2_32 ref: 00007FF7A4065430
getsockname.WS2_32 ref: 00007FF7A406544C
listen.WS2_32 ref: 00007FF7A4065461
socket.WS2_32 ref: 00007FF7A4065478
connect.WS2_32 ref: 00007FF7A4065497
accept.WS2_32 ref: 00007FF7A40654AE
send.WS2_32 ref: 00007FF7A40654FC
recv.WS2_32 ref: 00007FF7A406551A
memcmp.VCRUNTIME140 ref: 00007FF7A4065535
closesocket.WS2_32 ref: 00007FF7A4065541

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: socket$acceptbindclosesocketconnectgetsocknamehtonllistenmemcmprecvsendsetsockopt
String ID:
API String ID: 3699910901-0
Opcode ID: 41927ea1387b75350c3ebf46daa169a36e0fbdbc2e22d370c80ef841000f6fad
Instruction ID: d8ccb7f066c0dec2642612cc1406dcea919be8f5e78c70c754802de3aecbea43
Opcode Fuzzy Hash: 41927ea1387b75350c3ebf46daa169a36e0fbdbc2e22d370c80ef841000f6fad
Instruction Fuzzy Hash: 2D51DF31609A4286DB50BF26E89416AF362EB40BB4F814730EA7E436F4DF7DD499D710

Function 00007FF7A4057290 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to connect to %s port %ld: %s, xrefs: 00007FF7A40577BE
After %I64dms connect time, move on!, xrefs: 00007FF7A4057455
Connection failed, xrefs: 00007FF7A4057676
connect to %s port %ld failed: %s, xrefs: 00007FF7A405750D
Connection time-out, xrefs: 00007FF7A4057379

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
API String ID: 0-3307081561
Opcode ID: c48996a20b67154a06dffc38494323cf43a5c0cced136d840c2590770bea82d0
Instruction ID: bbeceec2eeaef0d46d7d85df83332c1f25e8f8034236259a973fe424806be65b
Opcode Fuzzy Hash: c48996a20b67154a06dffc38494323cf43a5c0cced136d840c2590770bea82d0
Instruction Fuzzy Hash: 78E12532B0A68282EB14AF2695846BFAB50FB44794F818275DE5D037F1DF3EE421E711

Function 00007FF7A4041AA0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A40408F0: memcpy.VCRUNTIME140(?,0000006E00000006,?,FFFFFFFF,00007FF7A40311F9), ref: 00007FF7A4040928

SleepEx.KERNELBASE ref: 00007FF7A4041C5F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4041CD3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4041D14
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4041D4C

Strings

PRIVATE STORE - , xrefs: 00007FF7A4041C7B
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789, xrefs: 00007FF7A4041AF9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Sleepmemcpy
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$PRIVATE STORE -
API String ID: 18138616-2486835083
Opcode ID: 02c974ba3ea694fb1581b36dc1d3936bca2f7c19c08318b0ff3533f4e3fd965b
Instruction ID: cd565a63328ea892923b6103cf6794ac7bf54df6ce75e99f0ce017c90772e3a4
Opcode Fuzzy Hash: 02c974ba3ea694fb1581b36dc1d3936bca2f7c19c08318b0ff3533f4e3fd965b
Instruction Fuzzy Hash: CC811772B2968186EB00EF26E4842AFB362FB94394F914236EA5D07AF5DF3DD050D710

Function 00007FF7A4056600 Relevance: 3.0, APIs: 2, Instructions: 23networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7A405660C
WSAGetLastError.WS2_32 ref: 00007FF7A405661B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 9297357e9789c547a433d17009090a850aba96bb81910332f5902cd5212cb4f3
Instruction ID: 6c0e048b31969fae7c37be3cded2b20317b11841492a31959e7a4896e9b99370
Opcode Fuzzy Hash: 9297357e9789c547a433d17009090a850aba96bb81910332f5902cd5212cb4f3
Instruction Fuzzy Hash: 85E02621F0660943FF286B72F8A573A1294DB48732F844BB8DA3E863E0DE3C44E65710

Function 00007FF7A4032AB0 Relevance: 40.7, APIs: 16, Strings: 7, Instructions: 402
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40328B7
Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032927
Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032987
Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40329D7
Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032A27

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032C58

Part of subcall function 00007FF7A40348D0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4034990

Part of subcall function 00007FF7A408FB18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF7A40343FE,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A408FB32

Part of subcall function 00007FF7A4034320: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A4034351

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032CA8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032CE7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032D35
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032D74
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032E28
memcpy.VCRUNTIME140 ref: 00007FF7A4032E4D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032F23
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032F6A
ShellExecuteA.SHELL32 ref: 00007FF7A4033062
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403306A
MessageBoxA.USER32 ref: 00007FF7A40330A0
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40330B1
Sleep.KERNEL32 ref: 00007FF7A4033119
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4033121
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A4033128

Part of subcall function 00007FF7A4033170: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403327F
Part of subcall function 00007FF7A4033170: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40332C0

Part of subcall function 00007FF7A4033C40: memcpy.VCRUNTIME140 ref: 00007FF7A4033C93

Part of subcall function 00007FF7A40332E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40333C0

Part of subcall function 00007FF7A40333E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40334C0

Strings

sessionid, xrefs: 00007FF7A4032EAE
success, xrefs: 00007FF7A4032E86
open, xrefs: 00007FF7A4033059
invalidver, xrefs: 00007FF7A4032FE9
download, xrefs: 00007FF7A4033025
Failure, xrefs: 00007FF7A4033097
message, xrefs: 00007FF7A4032FB3, 00007FF7A4033071

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$system$exitmemcpy$Concurrency::cancel_current_taskExecuteMessageShellSleepmalloc
String ID: Failure$download$invalidver$message$open$sessionid$success
API String ID: 3283070336-3881042241
Opcode ID: 1d9b411b40bc9a0d335268b4121ff1fd53ff6ab73f3897d94a4ed14f8e470e53
Instruction ID: da20124e13451720a9d483631634d69ed5d926027780d341b08fb52af2d3fa09
Opcode Fuzzy Hash: 1d9b411b40bc9a0d335268b4121ff1fd53ff6ab73f3897d94a4ed14f8e470e53
Instruction Fuzzy Hash: 8F023A22A0978285EB04EF36D5803AEB761FB45794F815674EA6C03AF6DF3EE094D350

Function 00007FF7A406BED0 Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF7A406C511
memcpy.VCRUNTIME140 ref: 00007FF7A406C52D

Strings

schannel: renegotiating SSL/TLS connection, xrefs: 00007FF7A406C328
schannel: Curl_read_plain returned CURLE_RECV_ERROR, xrefs: 00007FF7A406C09D
schannel: unable to re-allocate memory, xrefs: 00007FF7A406C00D, 00007FF7A406C476
schannel: server closed the connection, xrefs: 00007FF7A406C3A4
schannel: remote party requests renegotiation, xrefs: 00007FF7A406C2F2
schannel: server closed abruptly (missing close_notify), xrefs: 00007FF7A406C4BE
schannel: renegotiation failed, xrefs: 00007FF7A406C49E
schannel: Curl_read_plain returned error %d, xrefs: 00007FF7A406C271
schannel: can't renogotiate, encrypted data available, xrefs: 00007FF7A406C4B2
schannel: failed to decrypt data, need more data, xrefs: 00007FF7A406C43A
schannel: server indicated shutdown in a prior call, xrefs: 00007FF7A406BF98
schannel: SSL/TLS connection renegotiated, xrefs: 00007FF7A406C36F
schannel: failed to read data from server: %s, xrefs: 00007FF7A406C462
schannel: enough decrypted data is already available, xrefs: 00007FF7A406BF55
schannel: can't renogotiate, an error is pending, xrefs: 00007FF7A406C492
schannel: an unrecoverable error occurred in a prior call, xrefs: 00007FF7A406BF75

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy
String ID: schannel: Curl_read_plain returned CURLE_RECV_ERROR$schannel: Curl_read_plain returned error %d$schannel: SSL/TLS connection renegotiated$schannel: an unrecoverable error occurred in a prior call$schannel: can't renogotiate, an error is pending$schannel: can't renogotiate, encrypted data available$schannel: enough decrypted data is already available$schannel: failed to decrypt data, need more data$schannel: failed to read data from server: %s$schannel: remote party requests renegotiation$schannel: renegotiating SSL/TLS connection$schannel: renegotiation failed$schannel: server closed abruptly (missing close_notify)$schannel: server closed the connection$schannel: server indicated shutdown in a prior call$schannel: unable to re-allocate memory
API String ID: 3510742995-857957974
Opcode ID: a248729e05c5a164a4cded72e3c22de02dfaf7ecce5ddd1b6ceda931908bb9be
Instruction ID: 0bc8b776cbc9125c25327808dba9ebffdaa383f551b88aae3c2ffbacb4fd7fe9
Opcode Fuzzy Hash: a248729e05c5a164a4cded72e3c22de02dfaf7ecce5ddd1b6ceda931908bb9be
Instruction Fuzzy Hash: 4702E032B0AA4181EB60EF0AD88436BB7A4FB40B94F924176DE4E473B4DFBAD450D711

Function 00007FF7A406B360 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406B450
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406B4A1
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406B4E4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406B5C7
memcpy.VCRUNTIME140 ref: 00007FF7A406B669
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406B6D2
memcpy.VCRUNTIME140 ref: 00007FF7A406B7AA
memset.VCRUNTIME140 ref: 00007FF7A406B977
CertFreeCertificateContext.CRYPT32 ref: 00007FF7A406B9DA

Strings

SSL: public key does not match pinned public key!, xrefs: 00007FF7A406B9BC, 00007FF7A406B9E4
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7A406BA1A
schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 00007FF7A406B884
schannel: unable to allocate memory, xrefs: 00007FF7A406BACF
SSL: failed retrieving public key from server certificate, xrefs: 00007FF7A406B9FA
schannel: next InitializeSecurityContext failed: %s, xrefs: 00007FF7A406B86E, 00007FF7A406BA82
schannel: SNI or certificate check failed: %s, xrefs: 00007FF7A406B83B
schannel: unable to re-allocate memory, xrefs: 00007FF7A406B4F2
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 00007FF7A406B7D6

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: malloc$memcpy$CertCertificateContextFreefreememsetrealloc
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key!$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 860210379-3059304359
Opcode ID: 97b15636c902424c44a3963cf3d924265bea320a0c79efaab36c3c2d44ec8d35
Instruction ID: f8de4576d08cca4edb019d5c51c62a8c3db35082289e86a84abd385a44ba9074
Opcode Fuzzy Hash: 97b15636c902424c44a3963cf3d924265bea320a0c79efaab36c3c2d44ec8d35
Instruction Fuzzy Hash: 9A12A072B0AB8185E760AF2AD8803ABB7A0FB44B85F910175CA8E477B0DF7ED451D711

Function 00007FF7A406A580 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7A406A651
GetProcAddress.KERNEL32 ref: 00007FF7A406A661

Strings

schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 00007FF7A406A632
schannel: ALPN, offering %s, xrefs: 00007FF7A406B085
Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 00007FF7A406AFFF
http/1.1, xrefs: 00007FF7A406B077
http/1.1, xrefs: 00007FF7A406B063
wine_get_version, xrefs: 00007FF7A406A65A
schannel: unable to allocate memory, xrefs: 00007FF7A406B157
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF7A406B043
schannel: initial InitializeSecurityContext failed: %s, xrefs: 00007FF7A406B21C, 00007FF7A406B263
schannel: SNI or certificate check failed: %s, xrefs: 00007FF7A406B23D
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00007FF7A406B2F9
ntdll, xrefs: 00007FF7A406A64A
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF7A406A6F2

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Unrecognized parameter passed via CURLOPT_SSLVERSION$http/1.1$http/1.1$ntdll$schannel: ALPN, offering %s$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 1646373207-2477831187
Opcode ID: 10b3639ac4156d1e6dcbd89b31d7d7416f6e26047d03e936fee46af19bc1507d
Instruction ID: da0d81f33b1f9eb5f1461c73bf8eaffc699ba47ec1ee661bbe544dcd23be0969
Opcode Fuzzy Hash: 10b3639ac4156d1e6dcbd89b31d7d7416f6e26047d03e936fee46af19bc1507d
Instruction Fuzzy Hash: 3D020332B09B8199E710AF26D8802EFB7A4FB45784F824175DA4E077B1DF79D460EB11

Function 00007FF7A404BBC0 Relevance: 28.7, APIs: 19, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BBF2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BC8D
InitializeCriticalSectionEx.KERNEL32 ref: 00007FF7A404BCA6

Part of subcall function 00007FF7A4065370: socket.WS2_32 ref: 00007FF7A40653B1

DeleteCriticalSection.KERNEL32 ref: 00007FF7A404BCE0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BCEA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BCF4
closesocket.WS2_32 ref: 00007FF7A404BD12
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BD48
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A404BD4E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404BD7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BD97
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404BDA0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A404BDD5
EnterCriticalSection.KERNEL32 ref: 00007FF7A404BDF6
LeaveCriticalSection.KERNEL32 ref: 00007FF7A404BE0A
CloseHandle.KERNEL32 ref: 00007FF7A404BE17
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BE42
closesocket.WS2_32 ref: 00007FF7A404BE5B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BE6F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$CriticalSection$_errno_strdupclosesocket$CloseDeleteEnterHandleInitializeLeavecallocmallocsocket
String ID:
API String ID: 259767416-0
Opcode ID: 41a72df7b2bc5e60e2d0debc56844bab2a497cda2f686a918ca564a9ee16b53c
Instruction ID: a9e04a76ad46dcd34db8cb67ebea7196a249cef04ff19c07a7ee33aff6c67f36
Opcode Fuzzy Hash: 41a72df7b2bc5e60e2d0debc56844bab2a497cda2f686a918ca564a9ee16b53c
Instruction Fuzzy Hash: FC815122A06B8186E624EF22E49027AB370FB94754F425675DB9E03772DF79E0E4D310

Function 00007FF7A4053230 Relevance: 28.6, APIs: 6, Strings: 10, Instructions: 557COMMON

Download Yara Rule

Strings

No more connections allowed to host %s: %zu, xrefs: 00007FF7A40539C2
NTLM-proxy picked AND auth done set, clear picked!, xrefs: 00007FF7A4053AB0
No connections available in cache, xrefs: 00007FF7A4053C2B
ftp@example.com, xrefs: 00007FF7A40533EF
Re-using existing connection! (#%ld) with %s %s, xrefs: 00007FF7A4053913
anonymous, xrefs: 00007FF7A40533E8
host, xrefs: 00007FF7A4053900
proxy, xrefs: 00007FF7A40538F2
NTLM picked AND auth done set, clear picked!, xrefs: 00007FF7A4053A82
No connections available., xrefs: 00007FF7A40539D1

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!$No connections available in cache$No connections available.$No more connections allowed to host %s: %zu$Re-using existing connection! (#%ld) with %s %s$anonymous$ftp@example.com$host$proxy
API String ID: 0-760484938
Opcode ID: 88e9fff4c20cfb3387b05bb6273276a309f0730b87b5b8ee6ee5db605b16326a
Instruction ID: cb6a8f4a32a8fc75d32c6e0beec1f858cc35d68942abe5c9b3643bcdeffbaaa5
Opcode Fuzzy Hash: 88e9fff4c20cfb3387b05bb6273276a309f0730b87b5b8ee6ee5db605b16326a
Instruction Fuzzy Hash: 2B42E862A0ABC291EB59AF2295803BAA390FB45B84F858175CF5D47771DF3EE070D321

Function 00007FF7A4058F70 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,?,00007FF7A4082DCA,?,?,?,?,00007FF7A40592FB), ref: 00007FF7A4058F84
GetProcAddress.KERNEL32(?,?,00007FF7A4082DCA,?,?,?,?,00007FF7A40592FB), ref: 00007FF7A4058FA9
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00007FF7A4082DCA,?,?,?,?,00007FF7A40592FB), ref: 00007FF7A4058FBC

Strings

kernel32, xrefs: 00007FF7A4058F7D
AddDllDirectory, xrefs: 00007FF7A4059003
LoadLibraryExA, xrefs: 00007FF7A4058F9A

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 27745253-3327535076
Opcode ID: 3fc36237d5a699e2f99facc73201d44ad9495a081454105c969e389c3d98dd0d
Instruction ID: a47dce0cb5e18a39e0f4f5e75441e9088c298c246059fea1bfe5b987ee9f7ec0
Opcode Fuzzy Hash: 3fc36237d5a699e2f99facc73201d44ad9495a081454105c969e389c3d98dd0d
Instruction Fuzzy Hash: E841E912B0B64249FB15AF17A88013AA791EF45BD0F498974DE1D077B1DE3ED4A6D320

Function 00007FF7A4057C10 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 161
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getpeername.WS2_32 ref: 00007FF7A4057C7C
WSAGetLastError.WS2_32 ref: 00007FF7A4057C86

Part of subcall function 00007FF7A4042E10: GetLastError.KERNEL32 ref: 00007FF7A4042E32
Part of subcall function 00007FF7A4042E10: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042E3A

getsockname.WS2_32 ref: 00007FF7A4057D06
WSAGetLastError.WS2_32 ref: 00007FF7A4057D10

Strings

getpeername() failed with errno %d: %s, xrefs: 00007FF7A4057CA6
getsockname() failed with errno %d: %s, xrefs: 00007FF7A4057D30
ssloc inet_ntop() failed with errno %d: %s, xrefs: 00007FF7A4057E2C
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00007FF7A4057D96

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast$_errnogetpeernamegetsockname
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 2911674258-670633250
Opcode ID: beb777fae94bd714a0210b54ee0db9f5296f82d4134aa8963846ed8433313220
Instruction ID: 5e6b476be1a612d72443c4274f1dc467769e5be76071554ff644599bd669b3bc
Opcode Fuzzy Hash: beb777fae94bd714a0210b54ee0db9f5296f82d4134aa8963846ed8433313220
Instruction Fuzzy Hash: BE91B432A1ABC186D710DF26D5802EA7360FB8CB88F859235EE4C47636DF39D195D721

Function 00007FF7A4068FE0 Relevance: 19.6, APIs: 13, Instructions: 128
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 00007FF7A4069002
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A406906E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A40690A8
memcpy.VCRUNTIME140(?,?,?,00007FF7A404BB05), ref: 00007FF7A40690C1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A40690CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A406910A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A4069113
freeaddrinfo.WS2_32(?,?,?,00007FF7A404BB05), ref: 00007FF7A4069141
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A4069155
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A406915F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A406916C
WSASetLastError.WS2_32(?,?,?,00007FF7A404BB05), ref: 00007FF7A406918D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc$ErrorLast_strdupfreeaddrinfogetaddrinfomemcpy
String ID:
API String ID: 2364279375-0
Opcode ID: 92f1dd02e77ef6866300f81a3e7edaadc0e4f6ac73d95d5bcc1c9b54f38ed787
Instruction ID: 98bb9c33a429bbc1bdc3fad677d88a29a1cd26336e2434f7408ff71ad9706a48
Opcode Fuzzy Hash: 92f1dd02e77ef6866300f81a3e7edaadc0e4f6ac73d95d5bcc1c9b54f38ed787
Instruction Fuzzy Hash: 2D51A23270A74196EA24AF03A58413AF3A0FB84B90F964475CE8E07B70CF7DE465E721

Function 00007FF7A40668F0 Relevance: 16.7, APIs: 11, Instructions: 241
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32 ref: 00007FF7A406694D
Sleep.KERNEL32 ref: 00007FF7A406695E
WSASetLastError.WS2_32 ref: 00007FF7A4066AC8
Sleep.KERNEL32 ref: 00007FF7A4066AD9
__WSAFDIsSet.WS2_32 ref: 00007FF7A4066B8C
__WSAFDIsSet.WS2_32 ref: 00007FF7A4066BA3
__WSAFDIsSet.WS2_32 ref: 00007FF7A4066BBE
__WSAFDIsSet.WS2_32 ref: 00007FF7A4066BD2
__WSAFDIsSet.WS2_32 ref: 00007FF7A4066BED
__WSAFDIsSet.WS2_32 ref: 00007FF7A4066C01

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 3eaa5cdda63adafe87d7bc7021b97494535538da4074dd7caebf54caf0cff9b4
Instruction ID: 7073fb7a804e5db96bd3680e2ed969a298ccb7c794bbe541ce6829974bb0432f
Opcode Fuzzy Hash: 3eaa5cdda63adafe87d7bc7021b97494535538da4074dd7caebf54caf0cff9b4
Instruction Fuzzy Hash: 44919E31B0E68296E7246E1798C01BBE294FF40354F914974E90F86BF4DF7FD960A611

Function 00007FF7A4055800 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405584F

Strings

Couldn't resolve proxy '%s', xrefs: 00007FF7A4055A2C
Unix socket path too long: '%s', xrefs: 00007FF7A40558A6
Couldn't resolve host '%s', xrefs: 00007FF7A4055981

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: calloc
String ID: Couldn't resolve host '%s'$Couldn't resolve proxy '%s'$Unix socket path too long: '%s'
API String ID: 2635317215-3812100122
Opcode ID: f08da87b223e4afb787e14741a77dd1769841e215b917ae838169de794eb3b9c
Instruction ID: 8f5594b9d957296189bab2e405b6b7e54e5fbb03f5d415c11024d6fac67eb769
Opcode Fuzzy Hash: f08da87b223e4afb787e14741a77dd1769841e215b917ae838169de794eb3b9c
Instruction Fuzzy Hash: 5051D832B0EB4186FA15AF26A4C037AA690EB84780F554071DF4D837B5EF3FE460A721

Function 00007FF7A4032850 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 121processCOMMON

Download Yara Rule

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40328B7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032927
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032987
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40329D7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032A27
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032A98

Strings

.8, xrefs: 00007FF7A4032A75
h%49, xrefs: 00007FF7A4032A6E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: system
String ID: .8$h%49
API String ID: 3377271179-4206735779
Opcode ID: a7e926d66bff3890010a4de0419013d2960dc4d2cd83e741db80a3a17baeac22
Instruction ID: 67978fdaaca0dc127591302536fbc3793a5561a6d8222e5d9966aeda78d89d37
Opcode Fuzzy Hash: a7e926d66bff3890010a4de0419013d2960dc4d2cd83e741db80a3a17baeac22
Instruction Fuzzy Hash: 2E618D23E197DA8CF301DF79E8851BDB770BB89708F8153B8CE8925D25EBA91148D360

Function 00007FF7A40901EC Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7A4090215
__scrt_release_startup_lock.LIBCMT ref: 00007FF7A4090283
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40902D1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40902D6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40902DE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40902E6
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4090308
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4090362

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: de375b220b439a9c4fbc24da6c3cfafd4a664fed8df3b2246a19f881dec74204
Instruction ID: a97ddde8905ef02750b4990a91b7491538c68b8ea55072e032a73d63d1a50973
Opcode Fuzzy Hash: de375b220b439a9c4fbc24da6c3cfafd4a664fed8df3b2246a19f881dec74204
Instruction Fuzzy Hash: 88312021A0B20241FA04BFA699D13BBE2919F55784FC644B4FA4D572F3DF2EA464A270

Function 00007FF7A404BAB0 Relevance: 12.1, APIs: 8, Instructions: 67networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4068FE0: getaddrinfo.WS2_32 ref: 00007FF7A4069002
Part of subcall function 00007FF7A4068FE0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A406906E
Part of subcall function 00007FF7A4068FE0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A40690A8
Part of subcall function 00007FF7A4068FE0: memcpy.VCRUNTIME140(?,?,?,00007FF7A404BB05), ref: 00007FF7A40690C1
Part of subcall function 00007FF7A4068FE0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A40690CF
Part of subcall function 00007FF7A4068FE0: freeaddrinfo.WS2_32(?,?,?,00007FF7A404BB05), ref: 00007FF7A4069141
Part of subcall function 00007FF7A4068FE0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A4069155
Part of subcall function 00007FF7A4068FE0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A406915F
Part of subcall function 00007FF7A4068FE0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A404BB05), ref: 00007FF7A406916C

WSAGetLastError.WS2_32 ref: 00007FF7A404BB0B
WSAGetLastError.WS2_32 ref: 00007FF7A404BB15
EnterCriticalSection.KERNEL32 ref: 00007FF7A404BB30
LeaveCriticalSection.KERNEL32 ref: 00007FF7A404BB3F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404BB50
send.WS2_32 ref: 00007FF7A404BB73
WSAGetLastError.WS2_32 ref: 00007FF7A404BB7D
LeaveCriticalSection.KERNEL32 ref: 00007FF7A404BB90

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$CriticalErrorLastSection$Leavemalloc$Enter_strdupfreeaddrinfogetaddrinfomemcpysend
String ID:
API String ID: 506363382-0
Opcode ID: a6177786e67ce207a14383e80216342d564401e2ecc507d782a46ab400b51c53
Instruction ID: d9b639008e9223d0e57261980b3320911a59e5f2476150366f99fda2dc9a3b3d
Opcode Fuzzy Hash: a6177786e67ce207a14383e80216342d564401e2ecc507d782a46ab400b51c53
Instruction Fuzzy Hash: AA31F93260960286E740AF36E4D026BB3B0FF84B98F810575E65E832B9DF7DD455D760

Function 00007FF7A4066550 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF7A40665B6
WSASetLastError.WS2_32 ref: 00007FF7A4066776
Sleep.KERNEL32 ref: 00007FF7A4066786
__WSAFDIsSet.WS2_32 ref: 00007FF7A406689A
__WSAFDIsSet.WS2_32 ref: 00007FF7A40668B2
Sleep.KERNEL32 ref: 00007FF7A40668DD

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: cfc8ec446ff317ecc00fd428b9dae46fb424ecc2b66ae7b6bce6886c4fe073b3
Instruction ID: 80e1d0dbc4e4bd56247b95bad732a664d21d0c7fa4e5bc19d3a26059ea785fea
Opcode Fuzzy Hash: cfc8ec446ff317ecc00fd428b9dae46fb424ecc2b66ae7b6bce6886c4fe073b3
Instruction Fuzzy Hash: 7EA17721B1A64296EB696E26D48037AE290FF44B94F810B74ED1F437F4DF7ED8209321

Function 00007FF7A40697C0 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40699EA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4069A2F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4069A57
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4069A99

Strings

schannel: shutting down SSL/TLS connection with %s port %hu, xrefs: 00007FF7A406983E
schannel: ApplyControlToken failure: %s, xrefs: 00007FF7A40698C8
schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 00007FF7A40699B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
API String ID: 1294909896-116363806
Opcode ID: a28eec18c5583ec35379bd811724e90c5d561a07f8764d59c040680412dff800
Instruction ID: ed3845eeaba32049ac294eaa9fd99ea47539de72ab83ece7f48b9559bd472550
Opcode Fuzzy Hash: a28eec18c5583ec35379bd811724e90c5d561a07f8764d59c040680412dff800
Instruction Fuzzy Hash: 5691883270AF8186EB109F26D8806AEB7A4FB84B88F850575CE4D47B74DF39D465DB20

Function 00007FF7A406C5A0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406C63E
memcpy.VCRUNTIME140 ref: 00007FF7A406C6D6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406C80C

Strings

schannel: timed out sending data (bytes sent: %zd), xrefs: 00007FF7A406C7D4
select/poll on SSL socket, errno: %d, xrefs: 00007FF7A406C7B4

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemallocmemcpy
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 3056473165-3891197721
Opcode ID: 8741bfcd9957ee131493ba49859359483c7bfae543cd2ba8d84637b182fc90c4
Instruction ID: f61c44e92024ed8f5795688069f53c18b873068e56475d62fe0caac3d3345f0d
Opcode Fuzzy Hash: 8741bfcd9957ee131493ba49859359483c7bfae543cd2ba8d84637b182fc90c4
Instruction Fuzzy Hash: CC71B372B0AB01CAE710DF66D4906AEB3A1FB487A8F424635DE2E477E4EE39D015D350

Function 00007FF7A4047610 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404765E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4047675
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40477A2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40477CE

Strings

%s, xrefs: 00007FF7A40478D7
Connection #%ld to host %s left intact, xrefs: 00007FF7A404788B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %s$Connection #%ld to host %s left intact
API String ID: 1294909896-118628944
Opcode ID: 7665a385a49b6a18784097a82b69acf71c283a2eb38e737f672b30be921ec6bb
Instruction ID: 1c7334d8d39fb559806583783c79a14adfea47990656950a0f8332218083af4a
Opcode Fuzzy Hash: 7665a385a49b6a18784097a82b69acf71c283a2eb38e737f672b30be921ec6bb
Instruction Fuzzy Hash: 79919532B0A68182E758BF2695807BBA791FB44B84F854475DE4E07275CF3AE470E360

Function 00007FF7A4051AA0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4051ACB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4051AE1

Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A40518FD
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405191A
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405192E
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405194A
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051967
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405198A
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405199E
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A40519B2
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A40519D8
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A40519EC
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051A00
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051A4F
Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051A5C

Part of subcall function 00007FF7A4051880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051A85

memset.VCRUNTIME140 ref: 00007FF7A4051B15

Strings

User-Agent: %s, xrefs: 00007FF7A4051BAF
Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF7A4051CF1

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$memset
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 2717317152-3248832348
Opcode ID: 7e6886faf88a525474308bef059ca3135f8386d9b2c87476bf9b61c78194a49c
Instruction ID: a25cb97be09981be478c5d0fccdcef94fc8c34330bed5c62fdf921c53abdaf78
Opcode Fuzzy Hash: 7e6886faf88a525474308bef059ca3135f8386d9b2c87476bf9b61c78194a49c
Instruction Fuzzy Hash: 4571B622D0DAC181E751EF2294803FEA760EB51B84F898171DA5E0B2B5DF3EE461D331

Function 00007FF7A4062020 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40620B8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40620C1
memcpy.VCRUNTIME140 ref: 00007FF7A40620DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406223C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4062245

Strings

1.1, xrefs: 00007FF7A406202F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$memcpy
String ID: 1.1
API String ID: 4107583993-2150719395
Opcode ID: 1c4f9d8f6cc8ea222318239ae0d0b33bff5049adf4c60fe77cde5224e2d48f34
Instruction ID: 596f5d95b168aa2d166c44a334289d5efb35038c0d441ac0b34c96ea5370790c
Opcode Fuzzy Hash: 1c4f9d8f6cc8ea222318239ae0d0b33bff5049adf4c60fe77cde5224e2d48f34
Instruction Fuzzy Hash: 9A518272706A829AE664AF22E4803AAF3A0F744B84F454435CF9E47775CF7DE064D711

Function 00007FF7A40567E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40568A6
recv.WS2_32 ref: 00007FF7A40568D0
send.WS2_32 ref: 00007FF7A40568F3
WSAGetLastError.WS2_32 ref: 00007FF7A4056905

Strings

Send failure: %s, xrefs: 00007FF7A4056935

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLastmallocrecvsend
String ID: Send failure: %s
API String ID: 25851408-857917747
Opcode ID: 9bcde3fcdb3c33973082be95d1aa4d0cd9a3947e20e16d38b606c5293046cf5d
Instruction ID: 2de7ccedbfa42b1845135c8fe2e2552ec7219bad2fbe4b18bab3a8f80b0f9086
Opcode Fuzzy Hash: 9bcde3fcdb3c33973082be95d1aa4d0cd9a3947e20e16d38b606c5293046cf5d
Instruction Fuzzy Hash: 3C41F372B06B4145EB60AF26E88077AA394FB08BE8F858635CE5D473B4DE3ED464D310

Function 00007FF7A4048708 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4048858
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404889F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40488CA

Part of subcall function 00007FF7A4047610: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404765E
Part of subcall function 00007FF7A4047610: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4047675

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40488FF

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF7A4047C46

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Resolving timed out after %I64d milliseconds
API String ID: 1294909896-3343404259
Opcode ID: 7a53e0a7d55959d416b0add4e115dcd4a29e0269d5a804bffd8908325d408303
Instruction ID: 0ab616e4a3901bb744629520613a2e1a61d51418050aabf64a251323f7f85847
Opcode Fuzzy Hash: 7a53e0a7d55959d416b0add4e115dcd4a29e0269d5a804bffd8908325d408303
Instruction Fuzzy Hash: 0FD1DA66A0A64285FB54AF6790843BFA361FF40B88F854871CE1D176B5DF3EE460E360

Function 00007FF7A4033560 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 157windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40328B7
Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032927
Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032987
Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40329D7
Part of subcall function 00007FF7A4032850: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032A27

MessageBoxA.USER32 ref: 00007FF7A4033737

Part of subcall function 00007FF7A4034320: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A4034351

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403379A

Strings

keyauth.win, xrefs: 00007FF7A40336C3
null, xrefs: 00007FF7A40335C2

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: system$Message_invalid_parameter_noinfo_noreturnmemcpy
String ID: keyauth.win$null
API String ID: 3545939226-2841560827
Opcode ID: 27d4b1ee77be1cfa0727f2cf05cfd0081e057b809cc8c74ae909376ae3587047
Instruction ID: 2981c2365182dcdcaf52fc39ad430f104ef68ec2c591347dfc154cbd630ede14
Opcode Fuzzy Hash: 27d4b1ee77be1cfa0727f2cf05cfd0081e057b809cc8c74ae909376ae3587047
Instruction Fuzzy Hash: 2E51F322B0974185FB08EF72D5843AE6761AB44B88FC14174DE0D17BBACF3EA1A1A350

Function 00007FF7A4082D90 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4058F70: GetModuleHandleA.KERNEL32(?,?,?,00007FF7A4082DCA,?,?,?,?,00007FF7A40592FB), ref: 00007FF7A4058F84

GetProcAddressForCaller.KERNELBASE(?,?,?,?,00007FF7A40592FB), ref: 00007FF7A4082DE0

Strings

InitSecurityInterfaceA, xrefs: 00007FF7A4082DD6
secur32.dll, xrefs: 00007FF7A4082DB3
security.dll, xrefs: 00007FF7A4082DBA

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: AddressCallerHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2084706301-3788156360
Opcode ID: 6d94ad0bd16c8c0f11a2579dc9450e7ebb409a251943410b505cb19f3630012d
Instruction ID: d4099314df30966f391202a4b13d1dc386433a5d2a70d642cb136aec82833179
Opcode Fuzzy Hash: 6d94ad0bd16c8c0f11a2579dc9450e7ebb409a251943410b505cb19f3630012d
Instruction Fuzzy Hash: BAF0FF65E0BB0245EE44BF1799C17B6A790AF64344FC644B8D40C462B1EE6EA5A5A320

Function 00007FF7A404823B Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF7A4047C46

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: Resolving timed out after %I64d milliseconds
API String ID: 0-3343404259
Opcode ID: 543579aadb1d74d10013c36e2f77582ef7459981ea7dede42a3c104d98e4bc4e
Instruction ID: 5308dfddbf24951989ec28ace7c5cf9d9e729fd22de20c5c3bbfbd68ce832172
Opcode Fuzzy Hash: 543579aadb1d74d10013c36e2f77582ef7459981ea7dede42a3c104d98e4bc4e
Instruction Fuzzy Hash: 7CB1CA76A0A64285FB64BE27809437FA390EF41B48F865871CA1D472F5DE7EE460E360

Function 00007FF7A4061BE0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4061CE0

Part of subcall function 00007FF7A4062270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40622CA

Part of subcall function 00007FF7A4062020: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40620B8
Part of subcall function 00007FF7A4062020: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40620C1

Strings

PROXY %s %s %s %li %li, xrefs: 00007FF7A4061CB4
TCP6, xrefs: 00007FF7A4061C67
TCP4, xrefs: 00007FF7A4061C7A

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$calloc
String ID: PROXY %s %s %s %li %li$TCP4$TCP6
API String ID: 3095843317-1242256665
Opcode ID: a1995d48067b5afd5e5404148f9da5058a0e5bbe3e5f70638319d2815a831231
Instruction ID: dc6868c52aaa1418127774de901fe7126105f8901d038d9e397f9dd1f3a08cb5
Opcode Fuzzy Hash: a1995d48067b5afd5e5404148f9da5058a0e5bbe3e5f70638319d2815a831231
Instruction Fuzzy Hash: 2B410D31B0E68295E760EF22A4803BBF7A1EF51784F854072DA4D4B276DE7ED414D721

Function 00007FF7A40464D0 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00007FF7A4042506,?,?,?,?,00000000,?,00007FF7A403371E), ref: 00007FF7A40464ED
closesocket.WS2_32 ref: 00007FF7A40465F9
closesocket.WS2_32 ref: 00007FF7A4046606

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: closesocket$calloc
String ID:
API String ID: 2958813939-0
Opcode ID: 473b3bbd6640ab261cda7576d9617453ce688e41684549270cb66852f4c26c7d
Instruction ID: 9b77fba19b622a68fd752ec103f52716cad3bb58658a4778b03e6356677dc709
Opcode Fuzzy Hash: 473b3bbd6640ab261cda7576d9617453ce688e41684549270cb66852f4c26c7d
Instruction Fuzzy Hash: 8041C53160964181E780FF32D4902EBA361EF88768FC64A71DE5D462FAEF3ED1159361

Function 00007FF7A40408F0 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,0000006E00000006,?,FFFFFFFF,00007FF7A40311F9), ref: 00007FF7A4040928
memcpy.VCRUNTIME140(?,0000006E00000006,?,FFFFFFFF,00007FF7A40311F9), ref: 00007FF7A40409C9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A40409E7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID:
API String ID: 326894585-0
Opcode ID: 66997184731f703451c23791d2a627075896e7fda698d68a4c0cfe32fbc39a11
Instruction ID: f56d0201c334f0caa95eac45d57a90bea6b7327d90ff3cc4a79b4432348da9dd
Opcode Fuzzy Hash: 66997184731f703451c23791d2a627075896e7fda698d68a4c0cfe32fbc39a11
Instruction Fuzzy Hash: 5E31FB62B0774641FA15BF63A58037AA2509F04BE1F950670DF6D17BF2DF3DA8A29310

Function 00007FF7A406A390 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

select/poll on SSL/TLS socket, errno: %d, xrefs: 00007FF7A406A4D3
SSL/TLS connection timeout, xrefs: 00007FF7A406A4EC

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: 3e47e14c372b87066afa308a6a35aab90b11a4499cdb2ff6be37f62f67aca775
Instruction ID: 3edb778d63922f2ac047b7803b6830237b93e3b3989a6f75b1963ab0b0c4f2ba
Opcode Fuzzy Hash: 3e47e14c372b87066afa308a6a35aab90b11a4499cdb2ff6be37f62f67aca775
Instruction Fuzzy Hash: 50510821B0A64295EB10FF16958427BE391FB467A4F854271DE1E432F1DEBEE021F721

Function 00007FF7A4048E30 Relevance: 5.3, APIs: 4, Instructions: 287COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40490FA
memcpy.VCRUNTIME140 ref: 00007FF7A404922C
memcpy.VCRUNTIME140 ref: 00007FF7A4049248

Part of subcall function 00007FF7A405E6E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4047003,?,?,00000000,00007FF7A40518D2,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405E71C

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freememcpy
String ID:
API String ID: 3223336191-0
Opcode ID: 54aff36e5212d6146394b1c18812124a5a0137bacb8697812285b3b45e936068
Instruction ID: f215806af8045868512124d39e709d25e889bed6b53bb800cd8db440cb26c227
Opcode Fuzzy Hash: 54aff36e5212d6146394b1c18812124a5a0137bacb8697812285b3b45e936068
Instruction Fuzzy Hash: ACC19F32B05A028AEB149F66C4803AE73A1FB447A8F818675CE2D177F8DF3AD415D350

Function 00007FF7A40466D0 Relevance: 4.8, APIs: 3, Instructions: 309networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7A4046AC6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4046AE7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freerecv
String ID:
API String ID: 2032557106-0
Opcode ID: c290df82bec0a9fbd1bba91402cfb6175d957c5f8f370d1a6f1b991630986998
Instruction ID: bc5ea71e13ba749cb63876dfb06a3a8a02f92005e43eccfa9b8f07bddab0a22b
Opcode Fuzzy Hash: c290df82bec0a9fbd1bba91402cfb6175d957c5f8f370d1a6f1b991630986998
Instruction Fuzzy Hash: 1DC12B3260A68245E765AF2690803BBA390FF447A4F854A75DE5E037F4FF3ED8619710

Function 00007FF7A40527A0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052805

Strings

User-Agent: %s, xrefs: 00007FF7A4052816
Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF7A4052944

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 1294909896-3248832348
Opcode ID: 9352cf03e6d1215826af78489c14582c219a9cd389749df62015d38e4eedf361
Instruction ID: 8770742dc0ee8a1ae90d80822f381f22029aa9bcde763525c0ed0372d6f1c170
Opcode Fuzzy Hash: 9352cf03e6d1215826af78489c14582c219a9cd389749df62015d38e4eedf361
Instruction Fuzzy Hash: 67519422A096C185E741DF26E0803FEA750EB80B98F898175DF8C4B3B9CF79D4A1D721

Function 00007FF7A4041D90 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4041AA0: SleepEx.KERNELBASE ref: 00007FF7A4041C5F

SetConsoleTitleA.KERNEL32 ref: 00007FF7A4041DD8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4041E32

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ConsoleSleepTitle_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4275364305-0
Opcode ID: 0482b1b62b6ae519898025941bbefb5542d9f6902fe729238a29048143dd3a8a
Instruction ID: 88422d262d4fa89f56c3a5e0061878f285f844cb18af8e806a139a752de6219d
Opcode Fuzzy Hash: 0482b1b62b6ae519898025941bbefb5542d9f6902fe729238a29048143dd3a8a
Instruction Fuzzy Hash: 1111A362B0A58281EA10EF22E4D432AB360FF857D4FC10671E59E066F6DE2DE1A0E710

Function 00007FF7A4042380 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A40423A4
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A40423C5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 3d02d3eb83713d43c77fd4721ff7eee78d3dbed60bee5a5b721cc135446cce2f
Instruction ID: 385483b6f1a8638c908b68a4238be0704da77773f651536ed716ffa9c3a28258
Opcode Fuzzy Hash: 3d02d3eb83713d43c77fd4721ff7eee78d3dbed60bee5a5b721cc135446cce2f
Instruction Fuzzy Hash: 6CE03932A09B8182D6009F51F94446AF7A8FB987C4F804539EF8C57A39CF7CC1A5CB40

Function 00007FF7A4056EE0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF7A4056F23

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: c66370dc830ad94e535e2ad815e95569a5c7930ebc6c8522cb5e8aded36d2ec2
Instruction ID: 5d289baad24e0e8619e491cac47727bc9e660865bb8c0d9b51276003099f397b
Opcode Fuzzy Hash: c66370dc830ad94e535e2ad815e95569a5c7930ebc6c8522cb5e8aded36d2ec2
Instruction Fuzzy Hash: F101D612B1754181EF54EF2BE1D83AEA390EF88B88F898470D70D472B6DE3EC4A19351

Function 00007FF7A405EA00 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF7A405EA29

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 9aa50d9fc156e246847f462c3a65219810722acfc51c2770c2959e6d5f14f527
Instruction ID: e7247b1b71350412b19a6d0d67294fddf40da293dd939c9d3213643ce1965a8b
Opcode Fuzzy Hash: 9aa50d9fc156e246847f462c3a65219810722acfc51c2770c2959e6d5f14f527
Instruction Fuzzy Hash: 71E0E525E0310182DE48BB32889116A2350AB40720FC187B0C63D023F0CE2EA566AB10

Function 00007FF7A4069660 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A406967B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 6b00736407f2214d91860028af48249fbae4847a37a0940c787b6abd9db0cd9c
Instruction ID: 49dd3d49a0d5ba9306b0728a46b0034d8c557e5ef793d8329cc5658494c0b1aa
Opcode Fuzzy Hash: 6b00736407f2214d91860028af48249fbae4847a37a0940c787b6abd9db0cd9c
Instruction Fuzzy Hash: 03D0C263719A00429B109F72A840029E251B788770B884738AE7D827E0DB38D1514600

Function 00007FF7A40655A0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF7A40655B9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: ad4c069ad0f4160e7c62cb6453504bdc4280a687206230678d7d671c433c8928
Instruction ID: c3f92cc9a41e34a2937b61ceec11165d345386a9a9e672f4100085b18ff66a1d
Opcode Fuzzy Hash: ad4c069ad0f4160e7c62cb6453504bdc4280a687206230678d7d671c433c8928
Instruction Fuzzy Hash: D3C08056F15581C6C3446F6258C5087A771BBC4304FD56439E10742134DD3CD2F5DB40

Function 00007FF7A405E750 Relevance: 1.3, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000001,00007FF7A404901F), ref: 00007FF7A405E7A8

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 2776bca9db8f599c86e0e75b1e27d899bf5cee7a17272ec46874e0d708622458
Instruction ID: d6c2e9430c4f22ae2c29cc23421463559405cf320f43bc8911ae19c0af5b778d
Opcode Fuzzy Hash: 2776bca9db8f599c86e0e75b1e27d899bf5cee7a17272ec46874e0d708622458
Instruction Fuzzy Hash: 2611A532F0574182DBA09F0AB18013AA2A4FF58784F9A9474DE8D47764DF39D8A1D740

Non-executed Functions

Function 00007FF7A40631A0 Relevance: 127.2, APIs: 25, Strings: 47, Instructions: 1229stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4064363

Part of subcall function 00007FF7A4056400: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A4056525
Part of subcall function 00007FF7A4056400: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A4056540

memchr.VCRUNTIME140 ref: 00007FF7A4064456
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406456E
strchr.VCRUNTIME140 ref: 00007FF7A4064582
strchr.VCRUNTIME140 ref: 00007FF7A40645AA
strchr.VCRUNTIME140 ref: 00007FF7A40645C0

Strings

, xrefs: 00007FF7A406338C
Unsupported HTTP version in response, xrefs: 00007FF7A4064541
Overflow Content-Length: value!, xrefs: 00007FF7A406373B
Retry-After:, xrefs: 00007FF7A4063BE3
WWW-Authenticate:, xrefs: 00007FF7A4063E36
Transfer-Encoding:, xrefs: 00007FF7A4063AEA
Lying server, not serving HTTP/2, xrefs: 00007FF7A40633BC
HTTP 1.0, assume close after body, xrefs: 00007FF7A4063607
The requested URL returned error: %d, xrefs: 00007FF7A4064733
HTTP/%1d.%1d%c%3d, xrefs: 00007FF7A4063339
RTSP/, xrefs: 00007FF7A4063294
Set-Cookie:, xrefs: 00007FF7A4063D33
HTTP error before end of send, keep sending, xrefs: 00007FF7A4064389
Connection closure while negotiating auth (HTTP 1.0?), xrefs: 00007FF7A40641AC, 00007FF7A40641F8
Negotiate: noauthpersist -> %d, header part: %s, xrefs: 00007FF7A4063F2C
The requested URL returned error: %s, xrefs: 00007FF7A40645D7
Mark bundle as not supporting multiuse, xrefs: 00007FF7A40633DF
RTSP/%1d.%1d%c%3d, xrefs: 00007FF7A406352D
Content-Encoding:, xrefs: 00007FF7A4063BA1
Persistent-Auth, xrefs: 00007FF7A4063ED2
HTTP/, xrefs: 00007FF7A40634A9
Last-Modified:, xrefs: 00007FF7A4063DD7
Maximum file size exceeded, xrefs: 00007FF7A40645FF
Keep sending data to get tossed away!, xrefs: 00007FF7A40643FC
, xrefs: 00007FF7A4063542
Proxy-Connection:, xrefs: 00007FF7A40637D3, 00007FF7A40638AC
false, xrefs: 00007FF7A4063F10
HTTP/1.0 proxy connection set to keep alive!, xrefs: 00007FF7A4063B2C
Content-Type:, xrefs: 00007FF7A4063756
Content-Range:, xrefs: 00007FF7A4063C6E
HTTP %3d, xrefs: 00007FF7A4063408
keep-alive, xrefs: 00007FF7A4063866, 00007FF7A40639F6
Got 417 while waiting for a 100, xrefs: 00007FF7A4064343
Invalid Content-Length: value, xrefs: 00007FF7A4064618
HTTP, xrefs: 00007FF7A406455E
HTTP/1.0 connection set to keep alive!, xrefs: 00007FF7A4063B6B
HTTP error before end of send, stop sending, xrefs: 00007FF7A40643AD
Received 101, xrefs: 00007FF7A406463B
Location:, xrefs: 00007FF7A4063F6E
Connection:, xrefs: 00007FF7A406396B, 00007FF7A4063A20
no chunk, no close, no size. Assume close to signal end, xrefs: 00007FF7A4064156
HTTP/%1[23] %d, xrefs: 00007FF7A4063364
Proxy-authenticate:, xrefs: 00007FF7A4063E61
Received HTTP/0.9 when not allowed, xrefs: 00007FF7A40644CB
HTTP/1.1 proxy connection set close!, xrefs: 00007FF7A4063B4D
Content-Length:, xrefs: 00007FF7A40636AF
close, xrefs: 00007FF7A4063933, 00007FF7A4063AB3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$fwrite$_strdupmemchrstrncmp
String ID: $ $ HTTP %3d$ HTTP/%1[23] %d$ HTTP/%1d.%1d%c%3d$ RTSP/%1d.%1d%c%3d$Connection closure while negotiating auth (HTTP 1.0?)$Connection:$Content-Encoding:$Content-Length:$Content-Range:$Content-Type:$Got 417 while waiting for a 100$HTTP$HTTP 1.0, assume close after body$HTTP error before end of send, keep sending$HTTP error before end of send, stop sending$HTTP/$HTTP/1.0 connection set to keep alive!$HTTP/1.0 proxy connection set to keep alive!$HTTP/1.1 proxy connection set close!$Invalid Content-Length: value$Keep sending data to get tossed away!$Last-Modified:$Location:$Lying server, not serving HTTP/2$Mark bundle as not supporting multiuse$Maximum file size exceeded$Negotiate: noauthpersist -> %d, header part: %s$Overflow Content-Length: value!$Persistent-Auth$Proxy-Connection:$Proxy-authenticate:$RTSP/$Received 101$Received HTTP/0.9 when not allowed$Retry-After:$Set-Cookie:$The requested URL returned error: %d$The requested URL returned error: %s$Transfer-Encoding:$Unsupported HTTP version in response$WWW-Authenticate:$close$false$keep-alive$no chunk, no close, no size. Assume close to signal end
API String ID: 3939785054-690044944
Opcode ID: 6a72cbcf9002a9611f75e853c7b872236e3054cd818c7053253f7cd7de46e710
Instruction ID: d7b1cfa0719133588f558bf87ba366d35300718fd81395447741958c0830b194
Opcode Fuzzy Hash: 6a72cbcf9002a9611f75e853c7b872236e3054cd818c7053253f7cd7de46e710
Instruction Fuzzy Hash: 94C2CA31B0A68254FB50AF2294843FAE791EB41B88F964075DE4E072B5DF7ED460E732

Function 00007FF7A40492A0 Relevance: 105.7, APIs: 41, Strings: 19, Instructions: 730stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000000,?,00000000,?,?,00007FF7A404AAF7), ref: 00007FF7A4049310
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404932B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4049364
strchr.VCRUNTIME140 ref: 00007FF7A4049377
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40494F7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4049518
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404953B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4049548
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40495E1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40495EA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4049602
strchr.VCRUNTIME140 ref: 00007FF7A40497EF
strchr.VCRUNTIME140 ref: 00007FF7A4049809
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40498FC
strchr.VCRUNTIME140 ref: 00007FF7A4049928
strrchr.VCRUNTIME140 ref: 00007FF7A404993A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404995B
memcpy.VCRUNTIME140 ref: 00007FF7A4049974
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40499E8
strchr.VCRUNTIME140 ref: 00007FF7A4049A0B
strchr.VCRUNTIME140 ref: 00007FF7A4049A20

Strings

FALSE, xrefs: 00007FF7A4049A5E, 00007FF7A4049C5B
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 00007FF7A404987F
__Secure-, xrefs: 00007FF7A40494F0
%4095[^;=] =%4095[^;], xrefs: 00007FF7A40493B6
path, xrefs: 00007FF7A40495CD
skipped cookie with bad tailmatch domain: %s, xrefs: 00007FF7A404970E
TRUE, xrefs: 00007FF7A4049A57
httponly, xrefs: 00007FF7A40495A6
max-age, xrefs: 00007FF7A4049758
__Host-, xrefs: 00007FF7A4049511
version, xrefs: 00007FF7A404972B
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF7A4049F27
Replaced, xrefs: 00007FF7A4049F11
domain, xrefs: 00007FF7A4049621
secure, xrefs: 00007FF7A404956E
expires, xrefs: 00007FF7A4049785
#HttpOnly_, xrefs: 00007FF7A40499DE
Added, xrefs: 00007FF7A4049F1D
localhost, xrefs: 00007FF7A404964F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$_strdup$freestrncmp$_time64callocmallocmemcpystrrchr
String ID: #HttpOnly_$%4095[^;=] =%4095[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$domain$expires$httponly$localhost$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 2059720140-3844637060
Opcode ID: 875491f4005b451058fe927c7443391be4a7a5e85f4c1cbb66cb3d2a8e153f6d
Instruction ID: 55b43c06c5630e91ff988f47547eee5b2acc75e9623405962e4ceb2088ca8d04
Opcode Fuzzy Hash: 875491f4005b451058fe927c7443391be4a7a5e85f4c1cbb66cb3d2a8e153f6d
Instruction Fuzzy Hash: 9872B561A0E74645FB60AF37D48037BA7A0EF45744F8681B5DA8D026F5DF2EE460E320

Function 00007FF7A403956D Relevance: 78.0, APIs: 39, Strings: 5, Instructions: 975COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF7A4039F6D
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF7A4039F74
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A054
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403A082
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403A090
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A0CB

Strings

number overflow parsing ', xrefs: 00007FF7A4039F90
object key, xrefs: 00007FF7A4039DFF, 00007FF7A403A639
array, xrefs: 00007FF7A403A18A
object separator, xrefs: 00007FF7A4039C73, 00007FF7A403A4AA
object, xrefs: 00007FF7A403A319

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: Xbad_function_call@std@@__std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: array$number overflow parsing '$object$object key$object separator
API String ID: 1664669839-85532522
Opcode ID: ff3d0cbacaad0d0a51ccb3e8a1d91a7be11594ec6d960498e764185c0d18bc74
Instruction ID: 341dd87f26cf86528f6163061273c9db497dcb8780aa8d62c42f5c488be0ac7d
Opcode Fuzzy Hash: ff3d0cbacaad0d0a51ccb3e8a1d91a7be11594ec6d960498e764185c0d18bc74
Instruction Fuzzy Hash: B0A20762A19B8585EB04EF79D5803AEB721FB417A4F810231DA5D03AF9DF7DE090E310

Function 00007FF7A4079E30 Relevance: 77.4, APIs: 26, Strings: 18, Instructions: 435networkfilepipeCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4079E7F
WSAStartup.WS2_32 ref: 00007FF7A4079F20
FreeLibrary.KERNEL32 ref: 00007FF7A407A10D
GetStdHandle.KERNEL32 ref: 00007FF7A407A11C
GetFileType.KERNEL32 ref: 00007FF7A407A13D
WaitForMultipleObjects.KERNEL32 ref: 00007FF7A407A187
PeekNamedPipe.KERNEL32 ref: 00007FF7A407A20C
ReadFile.KERNEL32 ref: 00007FF7A407A233
ReadFile.KERNEL32 ref: 00007FF7A407A2ED
WSAGetLastError.WS2_32 ref: 00007FF7A407A34E
WSAGetLastError.WS2_32 ref: 00007FF7A407A54A
FreeLibrary.KERNEL32 ref: 00007FF7A407A56A
GetLastError.KERNEL32 ref: 00007FF7A407A574

Part of subcall function 00007FF7A407ADA0: send.WS2_32 ref: 00007FF7A407ADDD
Part of subcall function 00007FF7A407ADA0: WSAGetLastError.WS2_32 ref: 00007FF7A407ADE7

Strings

failed to find WSACloseEvent function (%u), xrefs: 00007FF7A4079FFC
WSAStartup failed (%d), xrefs: 00007FF7A4079F2D
WSAEnumNetworkEvents, xrefs: 00007FF7A407A050
failed to find WSACreateEvent function (%u), xrefs: 00007FF7A4079FD3
, xrefs: 00007FF7A407A512
failed to find WSAEnumNetworkEvents function (%u), xrefs: 00007FF7A407A070
WSACloseEvent failed (%d), xrefs: 00007FF7A407A550
WSAEventSelect, xrefs: 00007FF7A407A021
failed to load WS2_32.DLL (%u), xrefs: 00007FF7A4079F9B
failed to find WSAEventSelect function (%u), xrefs: 00007FF7A407A047
FreeLibrary(wsock2) failed (%u), xrefs: 00007FF7A407A57A
insufficient winsock version to support telnet, xrefs: 00007FF7A407A5AF
WSACloseEvent, xrefs: 00007FF7A4079FDC
WS2_32.DLL, xrefs: 00007FF7A4079F6E
WSAEnumNetworkEvents failed (%d), xrefs: 00007FF7A407A362
WSACreateEvent failed (%d), xrefs: 00007FF7A407A08E
Time-out, xrefs: 00007FF7A407A527
WSACreateEvent, xrefs: 00007FF7A4079FB5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast$File$FreeLibraryRead$HandleMultipleNamedObjectsPeekPipeStartupTypeWaitcallocsend
String ID: $FreeLibrary(wsock2) failed (%u)$Time-out$WS2_32.DLL$WSACloseEvent$WSACloseEvent failed (%d)$WSACreateEvent$WSACreateEvent failed (%d)$WSAEnumNetworkEvents$WSAEnumNetworkEvents failed (%d)$WSAEventSelect$WSAStartup failed (%d)$failed to find WSACloseEvent function (%u)$failed to find WSACreateEvent function (%u)$failed to find WSAEnumNetworkEvents function (%u)$failed to find WSAEventSelect function (%u)$failed to load WS2_32.DLL (%u)$insufficient winsock version to support telnet
API String ID: 1025660337-777782649
Opcode ID: 8a55c1367f9f1b37493b38b20e08c8f00cb3cc7d56f824a22a116fa89aaa5d26
Instruction ID: d5cd2c7d2af2ff2275a86ff145d0e8f5d33f3fa6af044ccd05ba8bd659bcedcd
Opcode Fuzzy Hash: 8a55c1367f9f1b37493b38b20e08c8f00cb3cc7d56f824a22a116fa89aaa5d26
Instruction Fuzzy Hash: 7112F931A0EA8285E764AF1694843BBB390FB44B84F864175DA4D037B5DF7EE450EF21

Function 00007FF7A40863E0 Relevance: 72.3, APIs: 17, Strings: 24, Instructions: 549encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF7A408654F
GetLastError.KERNEL32 ref: 00007FF7A4086562
CertCreateCertificateChainEngine.CRYPT32 ref: 00007FF7A4086614
GetLastError.KERNEL32 ref: 00007FF7A408661E
CertGetCertificateChain.CRYPT32 ref: 00007FF7A40866AB
GetLastError.KERNEL32 ref: 00007FF7A40866B5
CertGetNameStringA.CRYPT32 ref: 00007FF7A4086823
CertFreeCertificateChainEngine.CRYPT32 ref: 00007FF7A4086C9B
CertCloseStore.CRYPT32 ref: 00007FF7A4086CB0
CertFreeCertificateChain.CRYPT32 ref: 00007FF7A4086CC0
CertFreeCertificateContext.CRYPT32 ref: 00007FF7A4086CD0

Strings

2.5.29.17, xrefs: 00007FF7A4086883, 00007FF7A40868B4, 00007FF7A4086A1F, 00007FF7A4086A5B
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7A4086C4D
schannel: failed to create certificate store: %s, xrefs: 00007FF7A408657C
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 00007FF7A40868EE, 00007FF7A4086A95
schannel: Not enough memory to list all host names., xrefs: 00007FF7A4086B4C
schannel: Null certificate info., xrefs: 00007FF7A4086873, 00007FF7A4086A04
schannel: CertFindExtension() returned no extension., xrefs: 00007FF7A408689B, 00007FF7A4086A37
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 00007FF7A408674C
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 00007FF7A4086762
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 00007FF7A4086779
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 00007FF7A408671D
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 00007FF7A4086735
schannel: CertGetCertificateChain failed: %s, xrefs: 00007FF7A40866CF
schannel: Null certificate context., xrefs: 00007FF7A4086838, 00007FF7A40869E7
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 00007FF7A4086BC9
schannel: Empty DNS name., xrefs: 00007FF7A408692A, 00007FF7A4086AD8
schannel: CertGetNameString() returned no certificate name information, xrefs: 00007FF7A408696D
schannel: CertGetCertificateChain error mask: 0x%08x, xrefs: 00007FF7A408678A
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 00007FF7A4086C26
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF7A4086521
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 00007FF7A4086B63
schannel: server certificate name verification failed, xrefs: 00007FF7A4086C0E
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 00007FF7A4086BD9
schannel: failed to create certificate chain engine: %s, xrefs: 00007FF7A4086638

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: Cert$Certificate$Chain$ErrorFreeLast$EngineStore$CloseContextCreateNameOpenString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CertGetCertificateChain error mask: 0x%08x$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Failed to read remote certificate context: %s$schannel: Not enough memory to list all host names.$schannel: Null certificate context.$schannel: Null certificate info.$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: failed to create certificate chain engine: %s$schannel: failed to create certificate store: %s$schannel: server certificate name verification failed$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 561913010-2037819326
Opcode ID: b935490779b87931a9e513bbba229981ddc6e9c0cf9a56c44816dddb722aa26a
Instruction ID: a53c2a022e2edd64e93c1e3ef2e69b7d574a55fd7ead577ec0f943e68795ea01
Opcode Fuzzy Hash: b935490779b87931a9e513bbba229981ddc6e9c0cf9a56c44816dddb722aa26a
Instruction Fuzzy Hash: 7642E631A0AB4281E750AF12E9802BBB3A0FB44B94F824975DD4D077B5DF3EE464E750

Function 00007FF7A4075300 Relevance: 67.0, APIs: 25, Strings: 13, Instructions: 515networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40753E1
getsockname.WS2_32 ref: 00007FF7A40755DA
WSAGetLastError.WS2_32 ref: 00007FF7A40755E4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4075B1B

Strings

socket failure: %s, xrefs: 00007FF7A40756DF, 00007FF7A40758E6
bind(port=%hu) on non-local address failed: %s, xrefs: 00007FF7A4075774
,%d,%d, xrefs: 00007FF7A40759F9
%s |%d|%s|%hu|, xrefs: 00007FF7A4075AA9
bind(port=%hu) failed: %s, xrefs: 00007FF7A4075845
%s %s, xrefs: 00007FF7A4075A29
failed to resolve the address provided to PORT: %s, xrefs: 00007FF7A4075B09
EPRT, xrefs: 00007FF7A4075A92
PORT, xrefs: 00007FF7A4075A22
bind() failed, we ran out of ports!, xrefs: 00007FF7A40757D6
Failure sending PORT command: %s, xrefs: 00007FF7A4075A4C
getsockname() failed: %s, xrefs: 00007FF7A40755FE, 00007FF7A407580E
Failure sending EPRT command: %s, xrefs: 00007FF7A4075ACF

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLastcallocfreegetsockname
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 2454324209-2383553807
Opcode ID: 12ef779d79857dd5239e196e155c9adeaede13bad430a52f2bc5226f40d2d6dc
Instruction ID: 57c834f987bd8c5ee220f3d41e56a94d24fc20cce52a6a57c1b6636cd0a5a77e
Opcode Fuzzy Hash: 12ef779d79857dd5239e196e155c9adeaede13bad430a52f2bc5226f40d2d6dc
Instruction Fuzzy Hash: 0722E821B0AB8282EB50BF23D4902FBA361FB45784FC14471E94D87AB5DE3ED524E721

Function 00007FF7A4081EC0 Relevance: 42.4, APIs: 21, Strings: 3, Instructions: 425COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4081F76
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082031
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408203F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082051

Strings

WDigest, xrefs: 00007FF7A4081F01, 00007FF7A4082335
digest_sspi: MakeSignature failed, error 0x%08lx, xrefs: 00007FF7A408226B
realm, xrefs: 00007FF7A40821D7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc
String ID: WDigest$digest_sspi: MakeSignature failed, error 0x%08lx$realm
API String ID: 2190258309-2223379150
Opcode ID: 0b6cf52c47150631772bc81d3bfdb2e581589b248867cb97e625afe64155396c
Instruction ID: 6bfd605da03142235d7e24012454a0efaa2ad2c300c763b8013b33b18b383ba6
Opcode Fuzzy Hash: 0b6cf52c47150631772bc81d3bfdb2e581589b248867cb97e625afe64155396c
Instruction Fuzzy Hash: 2612B232A0AB4189EB10EF22D5906BEB7A4FB54B85F920579DE4D03BB4DF39D424D720

Function 00007FF7A4057F40 Relevance: 38.8, APIs: 14, Strings: 8, Instructions: 317stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7A4058012
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405802D
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405806C

Strings

getsockname() failed with errno %d: %s, xrefs: 00007FF7A40583BC
Couldn't bind to interface '%s', xrefs: 00007FF7A40581B0
Couldn't bind to '%s', xrefs: 00007FF7A4058102
Local port: %hu, xrefs: 00007FF7A4058415
Bind to local port %hu failed, trying next, xrefs: 00007FF7A4058320
bind failed with errno %d: %s, xrefs: 00007FF7A40583F8
Local Interface %s is ip %s using address family %i, xrefs: 00007FF7A4058127
Name '%s' family %i resolved to '%s' family %i, xrefs: 00007FF7A4058238

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strncmp$memset
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
API String ID: 3268688168-2769131373
Opcode ID: ba6021dfe63c0eb7322e0f086e7d4a830a6e595fcc698d5c1d088dfa337a663a
Instruction ID: ce4a53f203a9189d5169644215ddd2131e7802f02f6aadfd6dcab310d7bd9117
Opcode Fuzzy Hash: ba6021dfe63c0eb7322e0f086e7d4a830a6e595fcc698d5c1d088dfa337a663a
Instruction Fuzzy Hash: 55E12A22E0A78285E750EF22E8802BBA760FB85784F829575EE4E03775DF3ED060D711

Function 00007FF7A406A90C Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203stringfileCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A406A9A8
strchr.VCRUNTIME140 ref: 00007FF7A406A9D4
strchr.VCRUNTIME140 ref: 00007FF7A406AA0E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406AA32
strchr.VCRUNTIME140 ref: 00007FF7A406AB42
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406AB5A
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A406AC85
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A406ACB1

Strings

CurrentUser, xrefs: 00007FF7A406AA22
, xrefs: 00007FF7A406A90C
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF7A406ADE9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$_strdupfopenfseekstrncmpstrtol
String ID: $CurrentUser$schannel: Failed to import cert file %s, password is bad
API String ID: 4221717217-4282655970
Opcode ID: 40a713b8b59d1049f2dd071324f05e575ca4a88e1dc44f461c2b7a7c0fa936f8
Instruction ID: e46173858ad046ee48d096469ecce70760fe81a066dda5da4f77cfb9c8929a75
Opcode Fuzzy Hash: 40a713b8b59d1049f2dd071324f05e575ca4a88e1dc44f461c2b7a7c0fa936f8
Instruction Fuzzy Hash: 8281D221B0A64295FB55BF23989037BE290BF46794F864474CA1E023B1DFBEE460F721

Function 00007FF7A403974B Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 509COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF7A4039F74
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A054
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403A082
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403A090
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A0CB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A10A

Strings

number overflow parsing ', xrefs: 00007FF7A4039F90
array, xrefs: 00007FF7A403A18A
object, xrefs: 00007FF7A403A319

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$Xbad_function_call@std@@
String ID: array$number overflow parsing '$object
API String ID: 958247072-579821726
Opcode ID: 7d08be5014e241e1996b359722984978a2474af68dff6998a59ef9cca349c1e5
Instruction ID: c2abac8e4ee29a50c1394096b6ccb1d4969c1faccc45ff77bbcf05264954d113
Opcode Fuzzy Hash: 7d08be5014e241e1996b359722984978a2474af68dff6998a59ef9cca349c1e5
Instruction Fuzzy Hash: 9E32F362A09A8685EB14EF7AD5803EEB721FB44794F814231DA5D07AF9DF7DE090E310

Function 00007FF7A406A915 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202stringfileCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A406A9A8
strchr.VCRUNTIME140 ref: 00007FF7A406A9D4
strchr.VCRUNTIME140 ref: 00007FF7A406AA0E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406AA32
strchr.VCRUNTIME140 ref: 00007FF7A406AB42
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406AB5A
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A406AC85
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A406ACB1

Strings

CurrentUser, xrefs: 00007FF7A406AA22
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF7A406ADE9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$_strdupfopenfseekstrncmpstrtol
String ID: CurrentUser$schannel: Failed to import cert file %s, password is bad
API String ID: 4221717217-1887299029
Opcode ID: 046ae9396b9c5381c5eb35e0e58779f46924a88e9e3f65756152692471b5be5a
Instruction ID: f12816b3e63e9da7131aaa9b1a72405b61cab3adfe1f1b8d035a58646104358a
Opcode Fuzzy Hash: 046ae9396b9c5381c5eb35e0e58779f46924a88e9e3f65756152692471b5be5a
Instruction Fuzzy Hash: D881D221B0A64295EB55BF23989037BE290BF46794F864574CA1E023B1DFBEE460E721

Function 00007FF7A4080E90 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 252fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000468,00000470,00000000,?), ref: 00007FF7A4080F23
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A4080F4D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4081012
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408101E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4081082
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408108E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4081191
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408119F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A40811AA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40811FF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408121E

Strings

login, xrefs: 00007FF7A40810AE
machine, xrefs: 00007FF7A40810E1, 00007FF7A4081122
, xrefs: 00007FF7A4080F61, 00007FF7A4081162
default, xrefs: 00007FF7A408113D
password, xrefs: 00007FF7A40810C9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdup$fclosefgetsfopen
String ID: $default$login$machine$password
API String ID: 431015889-155862542
Opcode ID: 0ed022ba8a74bbf71af03541a72ae3937eab05d30cd0acd12a11acf22a19280f
Instruction ID: 2495d9be760ac8e288f235025450c8a0525da1f923be548a0674979b849afd4d
Opcode Fuzzy Hash: 0ed022ba8a74bbf71af03541a72ae3937eab05d30cd0acd12a11acf22a19280f
Instruction Fuzzy Hash: B1A1E922A0F68245FA606F139A90377F6A0EF94745F8640B1DE4D067B6DE3EE460A770

Function 00007FF7A4042620 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 134COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7A4042648
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042650

Strings

%s - %s, xrefs: 00007FF7A4042BA9
Unknown error, xrefs: 00007FF7A4042B40
CRYPT_E_REVOKED, xrefs: 00007FF7A4042A82
No error, xrefs: 00007FF7A4042AA0
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 00007FF7A4042B59
%s (0x%08X), xrefs: 00007FF7A40426A5
SEC_I_CONTINUE_NEEDED, xrefs: 00007FF7A4042AAC

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_CONTINUE_NEEDED$Unknown error
API String ID: 3939687465-1752685260
Opcode ID: 25adad5ac7b8ccfe19bb9cb406b551687a5dcdd2bcf657889b2ccb51d25d1618
Instruction ID: 3ca44456c326562852ea9c31773e149082370f576624c6fdcd6425db175509fb
Opcode Fuzzy Hash: 25adad5ac7b8ccfe19bb9cb406b551687a5dcdd2bcf657889b2ccb51d25d1618
Instruction Fuzzy Hash: 8651CB25A0E68289F760AF22A8D03BBB750FF44784FC144B9D94D026B6CF3DE524E760

Function 00007FF7A40685D0 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 422stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A406884E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4068856
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A406886C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4068875
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A406887D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4068887

Strings

GMT, xrefs: 00007FF7A4068747
%02d:%02d%n, xrefs: 00007FF7A406882D
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00007FF7A406868E
%02d:%02d:%02d%n, xrefs: 00007FF7A40687F9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: a27ae542bc9c7f338d1e45ad8eab28fe8a94b20ee21e0465aef1e32ec5bb0263
Instruction ID: 5b3a97dd7d807e6c6e120818a1600b5f23a1baf4e16d4494aec7b71bc9c242c5
Opcode Fuzzy Hash: a27ae542bc9c7f338d1e45ad8eab28fe8a94b20ee21e0465aef1e32ec5bb0263
Instruction Fuzzy Hash: 28F13373F1A5029AEB24AF2688801BFB3A1AB44358F910275DE1E537F4DFBDE4219351

Function 00007FF7A4050F10 Relevance: 14.3, Strings: 11, Instructions: 540COMMON

Download Yara Rule

Strings

serially, xrefs: 00007FF7A405101E
Server doesn't support multiplex yet, wait, xrefs: 00007FF7A405105B
Could multiplex, but not asked to!, xrefs: 00007FF7A40510AC
Found bundle for host %s: %p [%s], xrefs: 00007FF7A4051029
Multiplexed connection found!, xrefs: 00007FF7A4051781
can multiplex, xrefs: 00007FF7A4051012
Connection #%ld is still name resolving, can't reuse, xrefs: 00007FF7A4051151
Can not multiplex, even if we wanted to!, xrefs: 00007FF7A40510CA
Found pending candidate for reuse and CURLOPT_PIPEWAIT is set, xrefs: 00007FF7A40517DA
Connection #%ld isn't open enough, can't reuse, xrefs: 00007FF7A4051176
Server doesn't support multiplex (yet), xrefs: 00007FF7A405107F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: Can not multiplex, even if we wanted to!$Connection #%ld is still name resolving, can't reuse$Connection #%ld isn't open enough, can't reuse$Could multiplex, but not asked to!$Found bundle for host %s: %p [%s]$Found pending candidate for reuse and CURLOPT_PIPEWAIT is set$Multiplexed connection found!$Server doesn't support multiplex (yet)$Server doesn't support multiplex yet, wait$can multiplex$serially
API String ID: 0-2774518510
Opcode ID: 4278448de5e25e7ecdc0f5521d108953abca0f41ef069b5eaf54d66151aaa72b
Instruction ID: 8459d5f043860e0f585131a3a90e3ab6f6ee67c5b5ec857f238c0a6149970f83
Opcode Fuzzy Hash: 4278448de5e25e7ecdc0f5521d108953abca0f41ef069b5eaf54d66151aaa72b
Instruction Fuzzy Hash: DF422E25E0E7C245EB55AE2780803BBB7A1EB51744F8680B5CB5E4B1B1DF3E9470E722

Function 00007FF7A408F840 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7A408F886
CryptCreateHash.ADVAPI32 ref: 00007FF7A408F8AA
CryptHashData.ADVAPI32 ref: 00007FF7A408F8C6
CryptGetHashParam.ADVAPI32 ref: 00007FF7A408F8E5
CryptGetHashParam.ADVAPI32 ref: 00007FF7A408F908
CryptDestroyHash.ADVAPI32 ref: 00007FF7A408F918
CryptReleaseContext.ADVAPI32 ref: 00007FF7A408F92A

Strings

@, xrefs: 00007FF7A408F85D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID: @
API String ID: 3606780921-2766056989
Opcode ID: 6136e2d2f60899814bedc5065155a8e394b868ebbd0571b5477ee51700c2f6b1
Instruction ID: fc330d60f1109662b99fde5f4766bf51e200a13f5b00d345d98570b6049fdea9
Opcode Fuzzy Hash: 6136e2d2f60899814bedc5065155a8e394b868ebbd0571b5477ee51700c2f6b1
Instruction Fuzzy Hash: 5821953261A68196E760DF22E89166BB360FBC5B84F815135FB8E03A39CF3DD455DB10

Function 00007FF7A409067C Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7A4090698
memset.VCRUNTIME140 ref: 00007FF7A40906BC
RtlCaptureContext.KERNEL32 ref: 00007FF7A40906C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7A40906DF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7A4090720
memset.VCRUNTIME140 ref: 00007FF7A4090753
IsDebuggerPresent.KERNEL32 ref: 00007FF7A4090774
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7A4090791
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7A409079C

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 44a6ae0cd8af2b98538bf3d6ef033a35be83f1fd2ab8966232449bb115425376
Instruction ID: 8e5fab139f04fbe010cef842a49588b6317d6f032625f0769fdf21e343b3edf7
Opcode Fuzzy Hash: 44a6ae0cd8af2b98538bf3d6ef033a35be83f1fd2ab8966232449bb115425376
Instruction Fuzzy Hash: 48318972606B8189EB609FA1E8807EEB360FB94744F41443AEB4D47775DF39D158C720

Function 00007FF7A408D750 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7A408D797
CryptImportKey.ADVAPI32 ref: 00007FF7A408D869
CryptReleaseContext.ADVAPI32 ref: 00007FF7A408D881
CryptEncrypt.ADVAPI32 ref: 00007FF7A408D8B2
CryptDestroyKey.ADVAPI32 ref: 00007FF7A408D8BC
CryptReleaseContext.ADVAPI32 ref: 00007FF7A408D8C8

Strings

@, xrefs: 00007FF7A408D77D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID: @
API String ID: 3016261861-2766056989
Opcode ID: c3d7f55d531103b682a9b71d8043198a9a0fc1ead9b00ee7f1eeacd26531a0d2
Instruction ID: 213c8a74724ddefd825963c11391ba7216ab9ba27df9564c3fc51899a239d641
Opcode Fuzzy Hash: c3d7f55d531103b682a9b71d8043198a9a0fc1ead9b00ee7f1eeacd26531a0d2
Instruction Fuzzy Hash: 4441B022B056908EF7109F76D8913EE7BB1FB46348F444465DE8813A6ACB3DC12AE750

Function 00007FF7A406CEE0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000021C,-00000008,00000000,?,?,00007FF7A406CED8,?,?,?,?,?,?,00007FF7A408411E), ref: 00007FF7A406CF56
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000021C,-00000008,00000000,?,?,00007FF7A406CED8,?,?,?,?,?,?,00007FF7A408411E), ref: 00007FF7A406D0BD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406D21C

Strings

%c%c==, xrefs: 00007FF7A406D083
%c%c%c%c, xrefs: 00007FF7A406D013
%c%c%c=, xrefs: 00007FF7A406D051

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: %c%c%c%c$%c%c%c=$%c%c==
API String ID: 3985033223-3943651191
Opcode ID: 48636ec374e8a814b59a9f980e5bf74f894227fdcbfd8e1e5b2cfb21ca3e5cc0
Instruction ID: b3ace4d8719328f79b13d1550e322486fa4111d35663ad68aef86865e3ad76f2
Opcode Fuzzy Hash: 48636ec374e8a814b59a9f980e5bf74f894227fdcbfd8e1e5b2cfb21ca3e5cc0
Instruction Fuzzy Hash: 079137326096C185E720AF26A4403BBFBA0EB85790F894271DAAE477F6CF7ED011D711

Function 00007FF7A407BE00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407BE7E
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407BEDB
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407BF03
bind.WS2_32 ref: 00007FF7A407BF82
WSAGetLastError.WS2_32 ref: 00007FF7A407BF8C

Strings

bind() failed; %s, xrefs: 00007FF7A407BFA7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: calloc$ErrorLastbind
String ID: bind() failed; %s
API String ID: 2604820300-1141498939
Opcode ID: 5b999fcd4ad9b612eaa9be729eecbec0961fea4b134fd6518c06109505d39a49
Instruction ID: 23d00dee3826a62783504a0262e934b2a8233058049a54ae8ae427b66767da35
Opcode Fuzzy Hash: 5b999fcd4ad9b612eaa9be729eecbec0961fea4b134fd6518c06109505d39a49
Instruction Fuzzy Hash: D2510662B09B818AFB14AF22D4903FA67A0FB04B44F454475CF4C473A1DF3EE4619B51

Function 00007FF7A405A150 Relevance: 8.2, Strings: 6, Instructions: 693COMMON

Download Yara Rule

Strings

(nil), xrefs: 00007FF7A405A9B6
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00007FF7A405A66B, 00007FF7A405A6D6
%ld, xrefs: 00007FF7A405A460
.%ld, xrefs: 00007FF7A405A4B9
(nil), xrefs: 00007FF7A405A934
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FF7A405A193, 00007FF7A405A664, 00007FF7A405A6CB

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: %ld$(nil)$(nil)$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-1379995092
Opcode ID: 6fe4d5b75646ab6122b07eb1061459e9abcdc209cb5e48310bfdb0b9ebada0bf
Instruction ID: f87f16777954a30d8aa5e841c6b6c7af71015c749264ea03ac46246a3cdf5c44
Opcode Fuzzy Hash: 6fe4d5b75646ab6122b07eb1061459e9abcdc209cb5e48310bfdb0b9ebada0bf
Instruction Fuzzy Hash: 34426A3290A98345E7246E1A958037BE790FF40794FC28270DE9E476F4DF7ED861AB21

Function 00007FF7A4090894 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7A40908C0
GetCurrentThreadId.KERNEL32 ref: 00007FF7A40908CE
GetCurrentProcessId.KERNEL32 ref: 00007FF7A40908DA
QueryPerformanceCounter.KERNEL32 ref: 00007FF7A40908EA

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 041d678dc743e0e5f436598f64fc9b09e1e8aef45ebef0de337f34359adb3a07
Instruction ID: b041266e0775dd18635cae403ccebb1f28d855c71bf7d980a664200767d5f9c0
Opcode Fuzzy Hash: 041d678dc743e0e5f436598f64fc9b09e1e8aef45ebef0de337f34359adb3a07
Instruction Fuzzy Hash: D2114C22B16B0189EB00DF61EC842A973B4F758758F850E35EA6D827B5DF38D1649350

Function 00007FF7A4079410 Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF7A407944B
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A407947F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _getpidhtons
String ID:
API String ID: 3416910171-0
Opcode ID: 14fbe48617075f3174793a590dd64f28711d7743a1a480ca69b05c8c2bed0042
Instruction ID: a02ad41b9e1c8d393d1eea36a22ce1737bf5ca9ce2f41fb585d3caeddc077ec2
Opcode Fuzzy Hash: 14fbe48617075f3174793a590dd64f28711d7743a1a480ca69b05c8c2bed0042
Instruction Fuzzy Hash: 37113026A247D0CAD304CF35E5401AD7770FB5CB84B44962AFB9987B29EB78D690C744

Function 00007FF7A403DEA0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF7A403DFA4

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: 4d63e86f281f0f8040124130d05909f5cac1b0fcea5ece721468537f7454344d
Instruction ID: 2d60ffad8201aa108154043a3e6d8264d456d24fe99c59063ac714496f505ad8
Opcode Fuzzy Hash: 4d63e86f281f0f8040124130d05909f5cac1b0fcea5ece721468537f7454344d
Instruction Fuzzy Hash: D581DD22B0AB9988EB04DF6AD4C03AD7B70EB15B88F954062DF4D077A5DF3AE090D350

Function 00007FF7A403D310 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23195db887e80f4d2cea8d575e2b125909b75d07273f377a0876d07e28769e32
Instruction ID: e6c3990c77fb2b4c1defcb1eacfd2f2f66773c8ef366d9a5daff3c1c9f0a0d94
Opcode Fuzzy Hash: 23195db887e80f4d2cea8d575e2b125909b75d07273f377a0876d07e28769e32
Instruction Fuzzy Hash: C6611462A0AB8442DB14DF2AE58027AA661FB597D4F528231DE5D47BA8EF3EF4509300

Function 00007FF7A4041750 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ce16abf6dabfd6c05904dcfc4add426f37854a28f683b97e97ab74344d31e2
Instruction ID: ffa2c7bec823cd2073079c2b8440b7982804365f52e1bbce5bd6bd55328bdb1f
Opcode Fuzzy Hash: c7ce16abf6dabfd6c05904dcfc4add426f37854a28f683b97e97ab74344d31e2
Instruction Fuzzy Hash: 7E41B63371154487E78CCE3AC865AAE73A2F3D8304F85C23DDA0AC7395DA369905CB40

Function 00007FF7A408F7D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction ID: aad8330729fcc673a4934e9f33aafd8724422ee92569e41d0fa28db8fca3fc34
Opcode Fuzzy Hash: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction Fuzzy Hash: 9DF08C25325767BEFE00893B4624FBD6E419BC0B41FA368B58C80020CB869F54A3D714

Function 00007FF7A4090824 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8085569c1db706f8df0c680955a88674b0be6f25267714de8c820d55b9c9291
Instruction ID: 04c5ed6155a2b366dafe29c36da2bc49da4c265284498db0318d8dba951c8ad1
Opcode Fuzzy Hash: d8085569c1db706f8df0c680955a88674b0be6f25267714de8c820d55b9c9291
Instruction Fuzzy Hash: B0A00121A1B80294EA04AF82AD90026A2A1ABA0700B8614B5E54D450769F3EA520E260

Function 00007FF7A4069D40 Relevance: 145.9, APIs: 50, Strings: 47, Instructions: 399stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7A4069D73
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4069DC3
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4069DE4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4069DFA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4069E18
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4069E36
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4069E54
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4069E6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4069E84

Strings

CALG_MAC, xrefs: 00007FF7A4069E7D
CALG_PCT1_MASTER, xrefs: 00007FF7A406A14D
CALG_SHA_256, xrefs: 00007FF7A406A297
CALG_MD2, xrefs: 00007FF7A4069DF3
CALG_DH_EPHEM, xrefs: 00007FF7A406A003
CALG_SHA_512, xrefs: 00007FF7A406A2D3
CALG_ECDH_EPHEM, xrefs: 00007FF7A406A33F
CALG_SSL3_SHAMD5, xrefs: 00007FF7A406A0B7
CALG_SHA_384, xrefs: 00007FF7A406A2B5
CALG_SCHANNEL_MAC_KEY, xrefs: 00007FF7A406A111
CALG_3DES_112, xrefs: 00007FF7A4069F31
CALG_SEAL, xrefs: 00007FF7A4069FC7
CALG_ECDSA, xrefs: 00007FF7A406A324
CALG_SSL3_MASTER, xrefs: 00007FF7A406A0D5
CALG_TLS1_MASTER, xrefs: 00007FF7A406A189
CALG_AES, xrefs: 00007FF7A406A279
CALG_RC5, xrefs: 00007FF7A406A1A7
CALG_SHA1, xrefs: 00007FF7A4069E65
CALG_HUGHES_MD5, xrefs: 00007FF7A406A03F
CALG_ECDH, xrefs: 00007FF7A406A2EE
CALG_MD4, xrefs: 00007FF7A4069E11
CALG_HMAC, xrefs: 00007FF7A406A1C5
CALG_DES, xrefs: 00007FF7A4069F13
CALG_SKIPJACK, xrefs: 00007FF7A406A05D
CALG_DSS_SIGN, xrefs: 00007FF7A4069EB9
CALG_AGREEDKEY_ANY, xrefs: 00007FF7A406A021
CALG_HASH_REPLACE_OWF, xrefs: 00007FF7A406A201
CALG_NO_SIGN, xrefs: 00007FF7A4069ED7
CALG_AES_128, xrefs: 00007FF7A406A21F
CALG_SCHANNEL_ENC_KEY, xrefs: 00007FF7A406A12F
CALG_RC4, xrefs: 00007FF7A4069FA9
CALG_AES_256, xrefs: 00007FF7A406A25B
CALG_RSA_SIGN, xrefs: 00007FF7A4069E9B
CALG_3DES, xrefs: 00007FF7A4069F4F
CALG_MD5, xrefs: 00007FF7A4069E2F
CALG_SSL2_MASTER, xrefs: 00007FF7A406A16B
CALG_RC2, xrefs: 00007FF7A4069F8B
CALG_DESX, xrefs: 00007FF7A4069F6D
CALG_TEK, xrefs: 00007FF7A406A07B
CALG_ECMQV, xrefs: 00007FF7A406A309
CALG_SHA, xrefs: 00007FF7A4069E4D
CALG_SCHANNEL_MASTER_HASH, xrefs: 00007FF7A406A0F3
CALG_RSA_KEYX, xrefs: 00007FF7A4069EF5
CALG_DH_SF, xrefs: 00007FF7A4069FE5
CALG_CYLINK_MEK, xrefs: 00007FF7A406A099
CALG_TLS1PRF, xrefs: 00007FF7A406A1E3
CALG_AES_192, xrefs: 00007FF7A406A23D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strcmp$strncpy$strchr
String ID: CALG_3DES$CALG_3DES_112$CALG_AES$CALG_AES_128$CALG_AES_192$CALG_AES_256$CALG_AGREEDKEY_ANY$CALG_CYLINK_MEK$CALG_DES$CALG_DESX$CALG_DH_EPHEM$CALG_DH_SF$CALG_DSS_SIGN$CALG_ECDH$CALG_ECDH_EPHEM$CALG_ECDSA$CALG_ECMQV$CALG_HASH_REPLACE_OWF$CALG_HMAC$CALG_HUGHES_MD5$CALG_MAC$CALG_MD2$CALG_MD4$CALG_MD5$CALG_NO_SIGN$CALG_PCT1_MASTER$CALG_RC2$CALG_RC4$CALG_RC5$CALG_RSA_KEYX$CALG_RSA_SIGN$CALG_SCHANNEL_ENC_KEY$CALG_SCHANNEL_MAC_KEY$CALG_SCHANNEL_MASTER_HASH$CALG_SEAL$CALG_SHA$CALG_SHA1$CALG_SHA_256$CALG_SHA_384$CALG_SHA_512$CALG_SKIPJACK$CALG_SSL2_MASTER$CALG_SSL3_MASTER$CALG_SSL3_SHAMD5$CALG_TEK$CALG_TLS1PRF$CALG_TLS1_MASTER
API String ID: 1395212091-3550120021
Opcode ID: 6446a3e7d0d39adb556c5438fee0a6bd7db61fdde8ef19c9152e9fb084ef710b
Instruction ID: 503dd385f86df625df18f2d8629f08058040294f0a72c803ca16596b9cba2b9d
Opcode Fuzzy Hash: 6446a3e7d0d39adb556c5438fee0a6bd7db61fdde8ef19c9152e9fb084ef710b
Instruction Fuzzy Hash: 57023B10B1A517A1FA10BF56DCC11BBD264AF11348FC250B2F80E865BAEF9FE525B721

Function 00007FF7A4055360 Relevance: 52.7, APIs: 34, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A405E0C0: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF7A404613F), ref: 00007FF7A405E0D7

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40554ED
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055501
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055515
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055529
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405553D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055551
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055565
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055579
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405558D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40555A1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40555B5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40555C9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40555DD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40555F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055605
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055619

Part of subcall function 00007FF7A405F7F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405F82E

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405562D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055641
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055655
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055669
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405567D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055691
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40556A5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40556B9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40556CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40556E1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40556F5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055709
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405571D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055731

Part of subcall function 00007FF7A40531B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053138), ref: 00007FF7A40531CB
Part of subcall function 00007FF7A40531B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053138), ref: 00007FF7A40531F9

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405575B

Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F971
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F981
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F98F
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F99D
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F9AB
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F9B9
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F9C7
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F9D5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055787
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405579B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40557AB

Strings

Closing connection %ld, xrefs: 00007FF7A4055459

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$CounterPerformanceQuery
String ID: Closing connection %ld
API String ID: 3490100708-2599090834
Opcode ID: 080af9e2ca16cfd9b857ae429070580705c104ca6000b78338abac87a5f3054c
Instruction ID: 615bb35b10727e4132706477645c2c07544f394287ddd0272013bc1d2195f983
Opcode Fuzzy Hash: 080af9e2ca16cfd9b857ae429070580705c104ca6000b78338abac87a5f3054c
Instruction Fuzzy Hash: 50C18076609B8182E740AF22E4802AE7334FB84F98F494671DE9D07779CF3A9165D331

Function 00007FF7A40777A0 Relevance: 49.9, APIs: 6, Strings: 27, Instructions: 385COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407789D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407799E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4077A11
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4077A8B

Strings

Transport: %s, xrefs: 00007FF7A40778AA
Session ID cannot be set as a custom header., xrefs: 00007FF7A4077AFD
Accept-Encoding, xrefs: 00007FF7A4077914
%s%s%s%s%s%s%s%s, xrefs: 00007FF7A4077BF6
Accept-Encoding: %s, xrefs: 00007FF7A4077949
%s %s RTSP/1.0CSeq: %ld, xrefs: 00007FF7A4077B37
Content-Type: application/sdp, xrefs: 00007FF7A4077D6D
CSeq, xrefs: 00007FF7A4077ABC
Accept, xrefs: 00007FF7A40778F8
Content-Type, xrefs: 00007FF7A4077D23, 00007FF7A4077D59
Content-Length: %I64d, xrefs: 00007FF7A4077CF7
Accept: application/sdp, xrefs: 00007FF7A407790A
Refusing to issue an RTSP SETUP without a Transport: header., xrefs: 00007FF7A40778D5
Referer: %s, xrefs: 00007FF7A4077A42
Referer, xrefs: 00007FF7A4077A27
Failed sending RTSP request, xrefs: 00007FF7A4077E01
Transport, xrefs: 00007FF7A407784E
Content-Type: text/parameters, xrefs: 00007FF7A4077D37
Session: %s, xrefs: 00007FF7A4077B6D
Range: %s, xrefs: 00007FF7A4077A93
Content-Length, xrefs: 00007FF7A4077CDC
Refusing to issue an RTSP request [%s] without a session ID., xrefs: 00007FF7A4077823
Range, xrefs: 00007FF7A4077A67
Session, xrefs: 00007FF7A4077AE9
OPTIONS, xrefs: 00007FF7A40777A0
User-Agent, xrefs: 00007FF7A407797E, 00007FF7A40779AD
CSeq cannot be set as a custom header., xrefs: 00007FF7A4077AD0

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %s %s RTSP/1.0CSeq: %ld$%s%s%s%s%s%s%s%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: application/sdp$CSeq$CSeq cannot be set as a custom header.$Content-Length$Content-Length: %I64d$Content-Type$Content-Type: application/sdp$Content-Type: text/parameters$Failed sending RTSP request$OPTIONS$Range$Range: %s$Referer$Referer: %s$Refusing to issue an RTSP SETUP without a Transport: header.$Refusing to issue an RTSP request [%s] without a session ID.$Session$Session ID cannot be set as a custom header.$Session: %s$Transport$Transport: %s$User-Agent
API String ID: 1294909896-2200874227
Opcode ID: a4c82bcc725e61103f523d7bac1625522059787e4daccbbb1ad99cbdf31118d3
Instruction ID: 018ce5de61d9cc996af9eb7be3d0958cc6bd836c45844c631137e7e5ce855ed8
Opcode Fuzzy Hash: a4c82bcc725e61103f523d7bac1625522059787e4daccbbb1ad99cbdf31118d3
Instruction Fuzzy Hash: 41028421A0EB4282EA50AF12A8803BBE790FB447C4F864075DE4D47275DF3DF565E761

Function 00007FF7A4071240 Relevance: 47.5, APIs: 18, Strings: 9, Instructions: 297stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407129E
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40712D2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4071351
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407136B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407137A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40713C7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40713D8

Strings

AUTH=, xrefs: 00007FF7A4071635
<%s>, xrefs: 00007FF7A4071359, 00007FF7A407149D
MAIL FROM:%s%s%s%s%s%s, xrefs: 00007FF7A407166C
<%s@%s>, xrefs: 00007FF7A4071336, 00007FF7A407147A
SIZE=, xrefs: 00007FF7A4071641
Mime-Version: 1.0, xrefs: 00007FF7A4071534
Mime-Version, xrefs: 00007FF7A4071519
SMTPUTF8, xrefs: 00007FF7A407162A
%I64d, xrefs: 00007FF7A407158E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree$strpbrk
String ID: AUTH=$ SIZE=$ SMTPUTF8$%I64d$<%s>$<%s@%s>$MAIL FROM:%s%s%s%s%s%s$Mime-Version$Mime-Version: 1.0
API String ID: 2737852498-2994854565
Opcode ID: 49e5a8093cbab499398c211c2167271c9e8bd267777574003e8ceb441dc91b87
Instruction ID: 4fa89bedf91e835c3fe95a1eccf516113c0dbe2c2a6b58055318955b603740a6
Opcode Fuzzy Hash: 49e5a8093cbab499398c211c2167271c9e8bd267777574003e8ceb441dc91b87
Instruction Fuzzy Hash: 13D1DA11B0AB5285EA10FF2394806BAA3A0BF55B84FC645B1DD4D0B7B1EF3DE425E721

Function 00007FF7A408E720 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408E806
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408E8AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408E902
htonl.WS2_32 ref: 00007FF7A408E92F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408E941
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408E970
htonl.WS2_32 ref: 00007FF7A408E985
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408E9B2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EA39
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EA42
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EA4B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EA71
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EA82
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EA8B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EA94
memcpy.VCRUNTIME140 ref: 00007FF7A408EAAF
memcpy.VCRUNTIME140 ref: 00007FF7A408EAC3
memcpy.VCRUNTIME140 ref: 00007FF7A408EAD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EB00
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EB09
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EB12
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408EB1B

Strings

GSSAPI handshake failure (empty security message), xrefs: 00007FF7A408E887, 00007FF7A408EB28
GSSAPI handshake failure (invalid security data), xrefs: 00007FF7A408E897
GSSAPI handshake failure (invalid security layer), xrefs: 00007FF7A408E916

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc$memcpy$htonl
String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
API String ID: 82385936-242323837
Opcode ID: 70d35f79a67b94333284927e9e998538639b5e22fc3dda229c8068922391dd39
Instruction ID: 0ee4b08a77685efc61cc57980992134ee591f05b966bab045a904ee4e5f8a500
Opcode Fuzzy Hash: 70d35f79a67b94333284927e9e998538639b5e22fc3dda229c8068922391dd39
Instruction Fuzzy Hash: 18C16D32B09A428AE750AF66E8806AEB7B0FB44B84F914475DE4D47B74CF3DE414E760

Function 00007FF7A4052EC0 Relevance: 42.6, APIs: 34, Instructions: 121COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052EDD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052EF3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052F07
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052F1B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052F2F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052F43
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052F57
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052F6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052F7F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052F93
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052FA7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052FBB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052FCF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052FE3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052FF7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405300B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405301F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4053033
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4053047
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405305B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405306F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4053083
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4053097
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40530AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40530BF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40530D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40530E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40530FB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405310F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4053123

Part of subcall function 00007FF7A40531B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053138), ref: 00007FF7A40531CB
Part of subcall function 00007FF7A40531B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053138), ref: 00007FF7A40531F9

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405314D

Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F971
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F981
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F98F
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F99D
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F9AB
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F9B9
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F9C7
Part of subcall function 00007FF7A404F960: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4053166), ref: 00007FF7A404F9D5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4053179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405318D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405319D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ff93a7ff90db5c03afc919c651086042200295bbab4818e17e53cf2dce08d76c
Instruction ID: 7b1f1ba8c0b3d74dfceaf332d98d3f916f749bc6838b5b9873c92282722db6c3
Opcode Fuzzy Hash: ff93a7ff90db5c03afc919c651086042200295bbab4818e17e53cf2dce08d76c
Instruction Fuzzy Hash: 44710976649B8185D740AF22E4D07BD73B8FB84F89F590971CE9D4A238CF399065E231

Function 00007FF7A403AE1F Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 459COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7A403AE27
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403B8E3
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403B911
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403B91F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403B95A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403B999

Strings

number overflow parsing ', xrefs: 00007FF7A403B81F
array, xrefs: 00007FF7A403BA19
object, xrefs: 00007FF7A403BBA8

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$_dclass
String ID: array$number overflow parsing '$object
API String ID: 1391767211-579821726
Opcode ID: 53764ca374fa5be4f36d8b293ee585c78b8cceb808cd4e95475ab6e87e17874e
Instruction ID: 8cc288d32ac4068bac13c32a20881c13882e183ca72b66d23330447d7a23da5d
Opcode Fuzzy Hash: 53764ca374fa5be4f36d8b293ee585c78b8cceb808cd4e95475ab6e87e17874e
Instruction Fuzzy Hash: 19221722A19B8585EB14DF7AD9803AE7721FB457A4F810271DA9D07AF6DF3DE090E310

Function 00007FF7A40834C0 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 312networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7A40835A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40835F0
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4083846
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408385D
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4083878
htons.WS2_32 ref: 00007FF7A40838D7

Strings

DOH AAAA: , xrefs: 00007FF7A40836F2
DOH A: %u.%u.%u.%u, xrefs: 00007FF7A40836BE
bad error code, xrefs: 00007FF7A4083608
DOH Host name: %s, xrefs: 00007FF7A4083671
DOH: %s type %s for %s, xrefs: 00007FF7A4083624
AAAA, xrefs: 00007FF7A4083616
Could not DOH-resolve: %s, xrefs: 00007FF7A4083516
%s%02x%02x, xrefs: 00007FF7A408373E
CNAME: %s, xrefs: 00007FF7A40837D3
%s, xrefs: 00007FF7A4083793
TTL: %u seconds, xrefs: 00007FF7A4083685

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: calloc$_strdupfreehtonsmemset
String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
API String ID: 130798683-4053692942
Opcode ID: 4da9d9f1cbb209fe43fb6dcd8b467026ebfaf9e3e059f8631a373749ab627460
Instruction ID: a902e6092b855f421f2d28200a12089531ea167511c56580a389ecfcd810a213
Opcode Fuzzy Hash: 4da9d9f1cbb209fe43fb6dcd8b467026ebfaf9e3e059f8631a373749ab627460
Instruction Fuzzy Hash: 27E1D632A0A68286E760AF12D5803BFB760FB84B84F864171DA8D07775DF3EE564D720

Function 00007FF7A40398F8 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 423COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A054
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403A082
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403A090
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A0CB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A10A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403AAFE

Strings

number overflow parsing ', xrefs: 00007FF7A4039F90
array, xrefs: 00007FF7A403A18A
object, xrefs: 00007FF7A403A319

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: array$number overflow parsing '$object
API String ID: 1346393832-579821726
Opcode ID: 0dadecece245a67f675a5d2e96cc5f0bc4a0f7ec8ea6dd8922b7aa2d9f5add5a
Instruction ID: 7908f8aa8eccbbfa4094366435022a14dba6578c4c4249d6add3607d2abe7973
Opcode Fuzzy Hash: 0dadecece245a67f675a5d2e96cc5f0bc4a0f7ec8ea6dd8922b7aa2d9f5add5a
Instruction Fuzzy Hash: 2C120662A19B8585EB04EF7AD5843AEB721EB417A4F810771DA5C03AF9DF7DE090E310

Function 00007FF7A407E420 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 257stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E4A6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E4CC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E4DD
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E54B
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E57C
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E59C
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E5AE
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E610
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E681
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E698
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E753
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E7C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF7A407DBDF), ref: 00007FF7A407E7D0

Strings

onetree, xrefs: 00007FF7A407E6C6
one, xrefs: 00007FF7A407E6B3
LDAP, xrefs: 00007FF7A407E466
sub, xrefs: 00007FF7A407E704
base, xrefs: 00007FF7A407E6D9
subtree, xrefs: 00007FF7A407E717

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$free$_strdupcalloc
String ID: LDAP$base$one$onetree$sub$subtree
API String ID: 112326314-884163498
Opcode ID: 5b60497df80a076f26ec4b03495979baa124a4041d4c6624708c24347fefd159
Instruction ID: 0dba61d3b29f44589b9f64f3a72265dbd1332f428d03834fbe57b315d332814e
Opcode Fuzzy Hash: 5b60497df80a076f26ec4b03495979baa124a4041d4c6624708c24347fefd159
Instruction Fuzzy Hash: DDB1E922A0BB8282FA91AF16949067BA390FF44784FC64471DE4D077B1EF3DE421DB61

Function 00007FF7A407C5F0 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 175stringCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF7A407C651
memchr.VCRUNTIME140 ref: 00007FF7A407C687
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A407C70B
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A407C79B

Strings

Malformed ACK packet, rejecting, xrefs: 00007FF7A407C88A
tsize, xrefs: 00007FF7A407C77F
blksize is larger than max supported, xrefs: 00007FF7A407C841
%s (%ld), xrefs: 00007FF7A407C7AB
%s (%ld), xrefs: 00007FF7A407C802
tsize parsed from OACK, xrefs: 00007FF7A407C7A4
%s (%d) %s (%d), xrefs: 00007FF7A407C75D
invalid blocksize value in OACK packet, xrefs: 00007FF7A407C85E
blksize, xrefs: 00007FF7A407C6EF
server requested blksize larger than allocated, xrefs: 00007FF7A407C7F8
requested, xrefs: 00007FF7A407C74A
got option=(%s) value=(%s), xrefs: 00007FF7A407C6CC
blksize is smaller than min supported, xrefs: 00007FF7A407C81E
invalid tsize -:%s:- value in OACK packet, xrefs: 00007FF7A407C877
%s (%d), xrefs: 00007FF7A407C825, 00007FF7A407C848
blksize parsed from OACK, xrefs: 00007FF7A407C743

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memchrstrtol
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 1626215102-895336422
Opcode ID: d5aa77bd481b7722d0f735f1f26a1f6737cc15dd079a17b9800053efdba2dedf
Instruction ID: 791937cc7dad7847b985330dee0127ff7e52334e803f79d4c4f0ca9d07e9e854
Opcode Fuzzy Hash: d5aa77bd481b7722d0f735f1f26a1f6737cc15dd079a17b9800053efdba2dedf
Instruction Fuzzy Hash: 9361C260A0EA4291FA14AF13A8842BBA750BF40790FC38671DD1E476F1DF3ED126E721

Function 00007FF7A404C710 Relevance: 34.9, APIs: 6, Strings: 17, Instructions: 352COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4046040: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4050640,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A4042471), ref: 00007FF7A4046067
Part of subcall function 00007FF7A4046040: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4050640,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A4042471), ref: 00007FF7A4046073

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C9A4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C9AC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C9D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C9DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404CA60
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404CA69

Strings

attachment, xrefs: 00007FF7A404C95B, 00007FF7A404C962
; boundary=, xrefs: 00007FF7A404CA83
Content-Transfer-Encoding: %s, xrefs: 00007FF7A404CBF1
Content-Disposition: %s%s%s%s%s%s%s, xrefs: 00007FF7A404CA29
Content-Disposition, xrefs: 00007FF7A404C8D1
Content-Transfer-Encoding, xrefs: 00007FF7A404CAD1
text/plain, xrefs: 00007FF7A404C87C
Content-Type: %s%s%s, xrefs: 00007FF7A404CA8D
Content-Type, xrefs: 00007FF7A404C798
multipart/mixed, xrefs: 00007FF7A404C805
form-data, xrefs: 00007FF7A404CC16
multipart/, xrefs: 00007FF7A404C947
; name=", xrefs: 00007FF7A404C9FF
multipart/form-data, xrefs: 00007FF7A404CB67
8bit, xrefs: 00007FF7A404CBEA
; filename=", xrefs: 00007FF7A404C9F1
application/octet-stream, xrefs: 00007FF7A404C836

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
API String ID: 1294909896-1595554923
Opcode ID: b9bc93528b88626dfd995c68e28a706383ab7ecc8f2ad09ecd60a740e55feb49
Instruction ID: f7f797d1421b33ecfcd6ea5e93b90207930a11f7c32017f8ae5dd50d139aeea1
Opcode Fuzzy Hash: b9bc93528b88626dfd995c68e28a706383ab7ecc8f2ad09ecd60a740e55feb49
Instruction Fuzzy Hash: F5E18522B0E642D1FA65AF139580276A790BB00B84FCB44B5DE4D47671DF3EE974A360

Function 00007FF7A4064D90 Relevance: 33.2, APIs: 6, Strings: 16, Instructions: 206COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4064F07

Strings

Proxy-, xrefs: 00007FF7A4065016
Proxy-authorization, xrefs: 00007FF7A4064E73
%s:%s, xrefs: 00007FF7A4064F99
Proxy, xrefs: 00007FF7A40650B4
Bearer, xrefs: 00007FF7A4064F00
Negotiate, xrefs: 00007FF7A4064DCA
Basic, xrefs: 00007FF7A4065067
%sAuthorization: Basic %s, xrefs: 00007FF7A4065020
Digest, xrefs: 00007FF7A4064E0E
Authorization: Bearer %s, xrefs: 00007FF7A4064F10
%s auth using %s with user '%s', xrefs: 00007FF7A40650A6
Authorization, xrefs: 00007FF7A4064F4A
CONNECT, xrefs: 00007FF7A4064D9E
NTLM, xrefs: 00007FF7A4064DEC
Authorization:, xrefs: 00007FF7A4064EE1
Server, xrefs: 00007FF7A406509C

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$Authorization$Authorization:$Authorization: Bearer %s$Basic$Bearer$CONNECT$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
API String ID: 1294909896-115817326
Opcode ID: bf748c0bfe573282f24827a6f623e2d7589755981eeb7209e45fd191d81c4a99
Instruction ID: 8f5bfc4181e9b25034656c9f23c2fa406fd93f4043087024f8e8907f7cfc2e8e
Opcode Fuzzy Hash: bf748c0bfe573282f24827a6f623e2d7589755981eeb7209e45fd191d81c4a99
Instruction Fuzzy Hash: 5991A721B0E65391FA10AF12A58037BE7A4EF04784FA641B1DA5D473B1EF6EE421E361

Function 00007FF7A4036320 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4034320: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A4034351

memcpy.VCRUNTIME140 ref: 00007FF7A4036496
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7A4036528
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7A4036569
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40366B3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40366F2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4036740
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4036781
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40367DE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4036898

Part of subcall function 00007FF7A408FB18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF7A40343FE,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A408FB32

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40368D9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40369A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40369E7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A4036A0A

Strings

rsing , xrefs: 00007FF7A4036478
; expected , xrefs: 00007FF7A4036930
; last read: ', xrefs: 00007FF7A40365EC
syntax error , xrefs: 00007FF7A403636D
unexpected , xrefs: 00007FF7A4036823

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$Concurrency::cancel_current_taskmalloc
String ID: ; expected $; last read: '$rsing $syntax error $unexpected
API String ID: 264867259-3075834232
Opcode ID: 5e328f9cc9d509dbc5f0c620a2ea8f70044036c914e68ed5f3d7a5609f240f6d
Instruction ID: 32a22cbfba5b5f8cdec72a57be95325714e73365eecccb4369186068f17c0b1b
Opcode Fuzzy Hash: 5e328f9cc9d509dbc5f0c620a2ea8f70044036c914e68ed5f3d7a5609f240f6d
Instruction Fuzzy Hash: A4121862F09A4245EB24EF26E58036EA761EB447E4F814770DA6D03AF9DF7DE094E310

Function 00007FF7A404A330 Relevance: 31.8, APIs: 21, Instructions: 269stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A404B280: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000000,?,00007FF7A404ACFE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A40519C9), ref: 00007FF7A404B2A3
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B2F9
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B303
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B30D
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B317
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B321
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B32B
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B335
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B33F
Part of subcall function 00007FF7A404B280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B348

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A427
strchr.VCRUNTIME140 ref: 00007FF7A404A441
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A46B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A478
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A4A2
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A4B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A4C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A4DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A4EA
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A4F8
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A513
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A52F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A54B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A567
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A583
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A59F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A5BB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A5D3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A66B
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7A404A6A2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A6E3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdup$_time64callocmallocqsortstrchrstrncmp
String ID:
API String ID: 1087521380-0
Opcode ID: c54aa30acb8f7759c872955e7afee6932479ba7e1a429da66d45e5394a038d2b
Instruction ID: dd00ed7fb537a4dffb3f36495f83bf047231e8fe6fcc69fbfe6005ceab071db8
Opcode Fuzzy Hash: c54aa30acb8f7759c872955e7afee6932479ba7e1a429da66d45e5394a038d2b
Instruction Fuzzy Hash: 7BB1B612A0B74245EE55AF27559437AA7A0AF44B94F8905B4CE4D037F0DF6DE4A0EB30

Function 00007FF7A405EEE0 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 312stringCOMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405EFD5
strchr.VCRUNTIME140 ref: 00007FF7A405F075
memcpy.VCRUNTIME140 ref: 00007FF7A405F0A5
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A405F0D1
strchr.VCRUNTIME140 ref: 00007FF7A405F11C
memcpy.VCRUNTIME140 ref: 00007FF7A405F17B

Part of subcall function 00007FF7A404B430: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A404B474

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405F294

Strings

Resolve address '%s' found illegal!, xrefs: 00007FF7A405F1FB
RESOLVE %s:%d is - old addresses discarded!, xrefs: 00007FF7A405F31B
Couldn't parse CURLOPT_RESOLVE entry '%s'!, xrefs: 00007FF7A405F20A
%255[^:]:%d, xrefs: 00007FF7A405EF61
RESOLVE %s:%d is wildcard, enabling wildcard checks, xrefs: 00007FF7A405F3BE
Added %s:%d:%s to DNS cache, xrefs: 00007FF7A405F38D
Couldn't parse CURLOPT_RESOLVE removal entry '%s'!, xrefs: 00007FF7A405EF77
], xrefs: 00007FF7A405F155
@, xrefs: 00007FF7A405F166
:%u, xrefs: 00007FF7A405EFE9, 00007FF7A405F2A8

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpystrchrtolower$__stdio_common_vsscanfstrtoul
String ID: %255[^:]:%d$:%u$@$Added %s:%d:%s to DNS cache$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!$RESOLVE %s:%d is - old addresses discarded!$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal!$]
API String ID: 1094891576-1753329177
Opcode ID: cdf8c0cb6e217632b26f767d22fc60d678b1afa39e111239682b6c2d268fb68e
Instruction ID: aa6ccb067aaece2406003d23fc51ffc463dd5e4dab2000a1b7a4ed46c8855d64
Opcode Fuzzy Hash: cdf8c0cb6e217632b26f767d22fc60d678b1afa39e111239682b6c2d268fb68e
Instruction Fuzzy Hash: 02D1E232A0A68684EB20AF32D4843FBA760FB40798F868571DA5D076F5DF3EE411D361

Function 00007FF7A40742C0 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 284stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407430D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40743FF
strchr.VCRUNTIME140 ref: 00007FF7A4074341

Part of subcall function 00007FF7A404B430: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A404B474

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4074567
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4074731
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4074753

Part of subcall function 00007FF7A405F7F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405F82E

Strings

%u.%u.%u.%u, xrefs: 00007FF7A4074573
Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 00007FF7A407453B
%u,%u,%u,%u,%u,%u, xrefs: 00007FF7A407448B
Connecting to %s (%s) port %d, xrefs: 00007FF7A407470A
Can't resolve new host %s:%hu, xrefs: 00007FF7A407467E
Can't resolve proxy host %s:%hu, xrefs: 00007FF7A4074613
Weirdly formatted EPSV reply, xrefs: 00007FF7A407441F
Illegal port number in EPSV reply, xrefs: 00007FF7A40743BF
Bad PASV/EPSV response: %03d, xrefs: 00007FF7A407477E
%c%c%c%u%c, xrefs: 00007FF7A407437B
Couldn't interpret the 227-response, xrefs: 00007FF7A40744AE

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree$__stdio_common_vsscanfstrchr
String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
API String ID: 3103143820-2414412286
Opcode ID: a36134f17173d3b68bf390f24a32a1e2c938ac05ee6e864fa08eba1b0f79a6e0
Instruction ID: b7afc1588bd6eea3b7e8b6e8d644af62501774154773f4ee8fc4370f9eb3f2bb
Opcode Fuzzy Hash: a36134f17173d3b68bf390f24a32a1e2c938ac05ee6e864fa08eba1b0f79a6e0
Instruction Fuzzy Hash: 36D1BA22B09A8252EA54EF22E4C06BBE3A0FB45794F954071DB4D03675DF3DE570EB12

Function 00007FF7A4073770 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 208stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A406C990: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF7A4053D1F), ref: 00007FF7A406C9BE

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4073846
strchr.VCRUNTIME140 ref: 00007FF7A4073864
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4073894
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40738AF
strchr.VCRUNTIME140 ref: 00007FF7A40738D9
strrchr.VCRUNTIME140 ref: 00007FF7A40738F5
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407391F
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407393A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407395E
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4073976
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40739B5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40739F0
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4073A8C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4073AB1

Strings

Uploading to a URL without a file name!, xrefs: 00007FF7A40739DC
Request has same path as previous transfer, xrefs: 00007FF7A4073A96

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: calloc$free$strchrstrncpy$_strdupmallocstrncmpstrrchr
String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
API String ID: 2243338858-131330169
Opcode ID: a534b1e47e6b89b57045d23a567eff78843472f2b3767f7a7f203d093dd9f04f
Instruction ID: 9fa00fdaf2c712003e82a912ffdcfb13f30bc1202705aa451d10ced85dfc8c46
Opcode Fuzzy Hash: a534b1e47e6b89b57045d23a567eff78843472f2b3767f7a7f203d093dd9f04f
Instruction Fuzzy Hash: 8191E622B0EB8292FA54AF26948437BB3A0FB45780F854075DA4D137B5DF3ED464DB22

Function 00007FF7A4066D50 Relevance: 27.3, APIs: 1, Strings: 17, Instructions: 341COMMON

Download Yara Rule

Strings

SOCKS4%s: connecting to HTTP proxy %s port %d, xrefs: 00007FF7A4066E16
Failed to send SOCKS4 connect request., xrefs: 00007FF7A40670FD
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 00007FF7A4067256
SOCKS4 non-blocking resolve of %s, xrefs: 00007FF7A4066EBB
SOCKS4: Failed receiving connect request ack: %s, xrefs: 00007FF7A40671AA
SOCKS4 communication to %s:%d, xrefs: 00007FF7A4066E2F
[, xrefs: 00007FF7A40672E4
SOCKS4: too long host name, xrefs: 00007FF7A4067116
Too long SOCKS proxy name, can't use!, xrefs: 00007FF7A4066F17
SOCKS4%s request granted., xrefs: 00007FF7A4067316
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 00007FF7A4067283
Failed to resolve "%s" for SOCKS4 connect., xrefs: 00007FF7A406703B
SOCKS4 reply has wrong version, version should be 0., xrefs: 00007FF7A40671F1
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 00007FF7A40672F4
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 00007FF7A40672BD
SOCKS4 connect to IPv4 %s (locally resolved), xrefs: 00007FF7A4066FBA
SOCKS4 connection to %s not supported, xrefs: 00007FF7A406701C

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$SOCKS4 communication to %s:%d$SOCKS4 connect to IPv4 %s (locally resolved)$SOCKS4 connection to %s not supported$SOCKS4 non-blocking resolve of %s$SOCKS4 reply has wrong version, version should be 0.$SOCKS4%s request granted.$SOCKS4%s: connecting to HTTP proxy %s port %d$SOCKS4: Failed receiving connect request ack: %s$SOCKS4: too long host name$Too long SOCKS proxy name, can't use!$[
API String ID: 0-3760664348
Opcode ID: ba7ac1c59c272a734a09856cab2d48d876e589ad64bd29fff285cd490e7639ef
Instruction ID: 3ab20a6f580e8be1455391fdf4c6c7b5e1465cf929bc39c07d5850249174546b
Opcode Fuzzy Hash: ba7ac1c59c272a734a09856cab2d48d876e589ad64bd29fff285cd490e7639ef
Instruction Fuzzy Hash: 88E11262A0E28199E754AF26D48037BFB91EB45784F858076DA4E073B5CF7EE060D721

Function 00007FF7A4035480 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 364COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40355DE
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403560C
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403561A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4035654
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40356A5
memset.VCRUNTIME140 ref: 00007FF7A40354D3

Part of subcall function 00007FF7A4034320: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A4034351

Part of subcall function 00007FF7A4036320: memcpy.VCRUNTIME140 ref: 00007FF7A4036496

Part of subcall function 00007FF7A4031FC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032131

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4035812
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403583E
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403584C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4035887
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40358DA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40359C1
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7A40359D9
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7A40359E6

Strings

value, xrefs: 00007FF7A4035546, 00007FF7A403577E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy$?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@memset
String ID: value
API String ID: 2102519606-494360628
Opcode ID: 85c86dc14542eb07a4e2cce666541bb6ed81f2a7a3d6649cdfb2e986ccf9b187
Instruction ID: d96038022e48fd8f8a098d77ad91abd6c3ce1b33bf9bb1c58537469fc004be8f
Opcode Fuzzy Hash: 85c86dc14542eb07a4e2cce666541bb6ed81f2a7a3d6649cdfb2e986ccf9b187
Instruction Fuzzy Hash: 23F12B22A0978185EB14DF35D5C43AEAB60FB457A4F414671EAAD03AF9CF3DE095D310

Function 00007FF7A4062310 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 218stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7A40623C8
strchr.VCRUNTIME140 ref: 00007FF7A40623DF
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406242B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40625F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4062646
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406264F

Strings

Connection:, xrefs: 00007FF7A4062541
1.1, xrefs: 00007FF7A406232B
Content-Type:, xrefs: 00007FF7A40624CF, 00007FF7A40624F5
%s, xrefs: 00007FF7A40625DC
Host:, xrefs: 00007FF7A40624A9
Transfer-Encoding:, xrefs: 00007FF7A4062568
Cookie:, xrefs: 00007FF7A406259B
Content-Length:, xrefs: 00007FF7A406251B
Authorization:, xrefs: 00007FF7A4062581

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$strchr$_strdup
String ID: %s$1.1$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:
API String ID: 1922034842-2519073162
Opcode ID: f678b0adb032897e825a3959cded84015825f3098b179514a4a53f8d0ccb62c7
Instruction ID: 439e31faf036b423c398fc3fef5f8ac0993a0c861014cc45ebc7baa1ee20db51
Opcode Fuzzy Hash: f678b0adb032897e825a3959cded84015825f3098b179514a4a53f8d0ccb62c7
Instruction Fuzzy Hash: 6A91C821B0A64259FB61BE139490377E690AF007C4FC640B5DE4E476B5EEAEE521E322

Function 00007FF7A408D910 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7A408063F), ref: 00007FF7A408D93D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0000000100000000,?,00007FF7A408063F), ref: 00007FF7A408D95F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7A408063F), ref: 00007FF7A408D970
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF7A408063F), ref: 00007FF7A408D99E

Strings

/.., xrefs: 00007FF7A408DAA2
/../, xrefs: 00007FF7A408DA6B
/./, xrefs: 00007FF7A408DA2C
../, xrefs: 00007FF7A408DA09

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: ../$/..$/../$/./
API String ID: 111713529-456519384
Opcode ID: 857da92cb3a3f1754f39fc764212752e7e357566b0f0400f53a9762f759e9239
Instruction ID: f137f9c2c97b16ba54e0f8cdc0e286f10f62a25370b6520b9c76d748494ccd9f
Opcode Fuzzy Hash: 857da92cb3a3f1754f39fc764212752e7e357566b0f0400f53a9762f759e9239
Instruction Fuzzy Hash: 1071FF21E0E58285FB616F12969027BFBE0EF517A1F8542B1CA9D036B1DE2DE471E330

Function 00007FF7A40521C0 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4042471,?,?,?,?,00007FF7A40335A1), ref: 00007FF7A40521D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052221

Strings

<, xrefs: 00007FF7A4052468
v, xrefs: 00007FF7A40524CF
<, xrefs: 00007FF7A4052337
<, xrefs: 00007FF7A405245E
`, xrefs: 00007FF7A40524BA

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: callocfree
String ID: <$<$<$`$v
API String ID: 306872129-2056843887
Opcode ID: fd20e6cdcbd1a73617437685a3d3e5ab8989bec76236420843f0ff4b3c7dbce2
Instruction ID: b7a4af26af4046b49d05858d6714562558c352a424d87dedd6299ee1f083ef43
Opcode Fuzzy Hash: fd20e6cdcbd1a73617437685a3d3e5ab8989bec76236420843f0ff4b3c7dbce2
Instruction Fuzzy Hash: E3917B32909BC186E3009F35D4443E977A0FB95B5CF495238DF981B3AADF7AA095D720

Function 00007FF7A404FDE0 Relevance: 25.7, APIs: 17, Instructions: 236COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404FE44
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404FE78
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404FE89
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404FF5F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404FF6C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404FFA7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404FFB1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405002F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4050050
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4050071
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4050092
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050129
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050132

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdup
String ID:
API String ID: 2653869212-0
Opcode ID: 306aad4d0ea3c6bfe9c064be411fbf8ea1d668f028eb4b2160ad37fce30746d2
Instruction ID: f8e9f6843f8aefbe0d90e5971d23e3ed3a8db779cfa9a825ac3bf45d0434500e
Opcode Fuzzy Hash: 306aad4d0ea3c6bfe9c064be411fbf8ea1d668f028eb4b2160ad37fce30746d2
Instruction Fuzzy Hash: 08B17E32A0AB458AEA55AF26E58437EB3A0FB44B44F854575CB8E43770DF39E070E321

Function 00007FF7A4088511 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4088542
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088BBA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088BF8

Strings

FALSE, xrefs: 00007FF7A408852D
Signature, xrefs: 00007FF7A40889DF
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7A4088A9C
TRUE, xrefs: 00007FF7A4088534
-----END CERTIFICATE-----, xrefs: 00007FF7A4088B47
Cert, xrefs: 00007FF7A4088BCE
%s, xrefs: 00007FF7A4088BE6
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Signature: %s$%s$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$Cert$FALSE$Signature$TRUE
API String ID: 111713529-3006446216
Opcode ID: 200754a7ecd74751d0d0f218d2af814f9b8d9ce5487ad7d3185f1178ac2759fe
Instruction ID: 4d1d06880184fbb465c65e8e8901d7ab972d63820361750a961dd66d75596cf5
Opcode Fuzzy Hash: 200754a7ecd74751d0d0f218d2af814f9b8d9ce5487ad7d3185f1178ac2759fe
Instruction Fuzzy Hash: A671CA93A0E7C145F711AF2694842BBFBA1EF85749F9A44B2CA4D033B2DE2ED055D321

Function 00007FF7A4082580 Relevance: 24.2, APIs: 14, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082642
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408267A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408268D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40826C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40826CC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082782
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408278B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082796
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082881
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408288A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082895
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408290B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082914
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408291F

Part of subcall function 00007FF7A4082D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4084BFA,?,?,00000000,00007FF7A4081635), ref: 00007FF7A4082D20
Part of subcall function 00007FF7A4082D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4084BFA,?,?,00000000,00007FF7A4081635), ref: 00007FF7A4082D31
Part of subcall function 00007FF7A4082D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4084BFA,?,?,00000000,00007FF7A4081635), ref: 00007FF7A4082D43

Strings

WDigest, xrefs: 00007FF7A408262C, 00007FF7A4082744
DIGEST-MD5 handshake failure (empty challenge message), xrefs: 00007FF7A408292C

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc
String ID: DIGEST-MD5 handshake failure (empty challenge message)$WDigest
API String ID: 2190258309-1086287758
Opcode ID: 1779b8da94a52f304d77eab76b8d7191a6ca75d21197fcb052c39a47429940b3
Instruction ID: 65d8e6a1367b22189751cd7e5b93c70a8bff59a07a457f01c788bb7564d3d475
Opcode Fuzzy Hash: 1779b8da94a52f304d77eab76b8d7191a6ca75d21197fcb052c39a47429940b3
Instruction Fuzzy Hash: 5CB18332B0AB468AEB10AF22E5802AEB7A0FB44B94F910575DE4D43B74DF3DD564D720

Function 00007FF7A40892D0 Relevance: 24.2, APIs: 1, Strings: 15, Instructions: 179COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40893E3

Strings

dhpublicnumber, xrefs: 00007FF7A4089506
rsa(e), xrefs: 00007FF7A408941B
dh(pub_key), xrefs: 00007FF7A4089586
dh(g), xrefs: 00007FF7A4089570
dsa(q), xrefs: 00007FF7A40894AC
RSA Public Key (%lu bits), xrefs: 00007FF7A408939E
dsa(pub_key), xrefs: 00007FF7A40894F2
dsa, xrefs: 00007FF7A4089445
dh(p), xrefs: 00007FF7A408953F
RSA Public Key, xrefs: 00007FF7A40893CF
rsa(n), xrefs: 00007FF7A40893F0
%lu, xrefs: 00007FF7A40893B8
dsa(p), xrefs: 00007FF7A408947D
rsaEncryption, xrefs: 00007FF7A4089315
dsa(g), xrefs: 00007FF7A40894DC

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: RSA Public Key (%lu bits)$%lu$RSA Public Key$dh(g)$dh(p)$dh(pub_key)$dhpublicnumber$dsa$dsa(g)$dsa(p)$dsa(pub_key)$dsa(q)$rsa(e)$rsa(n)$rsaEncryption
API String ID: 1294909896-1220118048
Opcode ID: 1d1110436c56714bc0a77362081bcd18c01486656a23b9c45d484ea6f6e93efa
Instruction ID: 627efacb42feca5b07febc28d57fb14113db83aa9d4bfdfef1e2874a7a25889a
Opcode Fuzzy Hash: 1d1110436c56714bc0a77362081bcd18c01486656a23b9c45d484ea6f6e93efa
Instruction Fuzzy Hash: 03716461A0A74651EA14BF6396801FBA350FB89780FC540B2EE4D037BAEF3ED521D760

Function 00007FF7A407F6AC Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F918
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F970
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F97D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA71
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA7F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FACE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FAE6

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdupmalloctolower
String ID: %%%02x
API String ID: 1244608590-4020994737
Opcode ID: b8f44fdf09287624069804cbfaa0b43cc3d274ce18ca51c3b5f051757dda9693
Instruction ID: 914e9edb64d8149e657ca131ab65573becd0b910b65120157dcae28d098f2abc
Opcode Fuzzy Hash: b8f44fdf09287624069804cbfaa0b43cc3d274ce18ca51c3b5f051757dda9693
Instruction Fuzzy Hash: F4A1DB52A0EA8245EB616F33559037BBBD0BF05784F8A44B1DD8D062F2DE2EE414E732

Function 00007FF7A40691C0 Relevance: 22.7, APIs: 15, Instructions: 160COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,00007FF7A4069476), ref: 00007FF7A40691DB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40691FB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406921C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4069225

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdupmalloc
String ID:
API String ID: 111713529-0
Opcode ID: ae1d98bfd8e04e6bfd092f3e447af08f8539a1ef12be664cab5b6475120f3e2f
Instruction ID: c858d806e1b18d6444daae53d6571a2e94a78e6c4c3e6e63a86ca3e1d06a6e07
Opcode Fuzzy Hash: ae1d98bfd8e04e6bfd092f3e447af08f8539a1ef12be664cab5b6475120f3e2f
Instruction Fuzzy Hash: 30619176B06B4182E725DF16A48466AB3A0FB48B80B864575CF4E43B70EF7DE464D320

Function 00007FF7A40722E0 Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 279COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4072400

Strings

Failure sending ABOR command: %s, xrefs: 00007FF7A4072521
Remembering we are in dir "%s", xrefs: 00007FF7A4072498
partial download completed, closing connection, xrefs: 00007FF7A4072633
No data was received!, xrefs: 00007FF7A407273C
ABOR, xrefs: 00007FF7A40724FB
server did not report OK, got %d, xrefs: 00007FF7A407266E
Received only partial file: %I64d bytes, xrefs: 00007FF7A407270E
Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 00007FF7A40726D6
control connection looks dead, xrefs: 00007FF7A40725F2

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: ABOR$Failure sending ABOR command: %s$No data was received!$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
API String ID: 1294909896-2312071747
Opcode ID: 21c751e9b2b13f4c4e8684717d5abce3fd5f37e63914cf2bb64e56457c2a437a
Instruction ID: c96d042ff7e9b5fba9cbd3b5ae3e3698142687daaafec22eb91bc729d8bc1ce9
Opcode Fuzzy Hash: 21c751e9b2b13f4c4e8684717d5abce3fd5f37e63914cf2bb64e56457c2a437a
Instruction Fuzzy Hash: D0D1EC21A0EB8249EA64BF2395803BBE250FB40754FC14675DA6D036F1DF3EA475E722

Function 00007FF7A403A7B2 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4034320: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A4034351

Part of subcall function 00007FF7A4036320: memcpy.VCRUNTIME140 ref: 00007FF7A4036496

Part of subcall function 00007FF7A4031FC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032131

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A861
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403A88F
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403A89D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A8D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A934
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A9ED
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403AA1B
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403AA29
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403AA63
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403AAB4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403AAFE

Strings

value, xrefs: 00007FF7A403A7D0, 00007FF7A403A959

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy
String ID: value
API String ID: 3212548336-494360628
Opcode ID: 3a6df990b5da4fd9237ac89baa1238f9e86b9bdc232acfe0d6c5be0c13518a52
Instruction ID: b93e725ebe175991d36f2e16b360b499b6e663fc812fd8d9d01827e7975705f7
Opcode Fuzzy Hash: 3a6df990b5da4fd9237ac89baa1238f9e86b9bdc232acfe0d6c5be0c13518a52
Instruction Fuzzy Hash: 61A1F722A19A8185FB04DF75E5843AE7721FB413A4F810731EA6C02AF9CF7DE091E710

Function 00007FF7A4042E10 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7A4042E32
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042E3A
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042E59
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042E65
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042E74
strrchr.VCRUNTIME140 ref: 00007FF7A4042EC5
strrchr.VCRUNTIME140 ref: 00007FF7A4042EE6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042EFF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042F0A
GetLastError.KERNEL32 ref: 00007FF7A4042F13
SetLastError.KERNEL32 ref: 00007FF7A4042F1F

Strings

Unknown error %d (%#x), xrefs: 00007FF7A4042EA7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_nerrstrerrorstrncpy
String ID: Unknown error %d (%#x)
API String ID: 4262108436-2414550090
Opcode ID: 70ac6fc894958f091a176e274659f3c0b84131676b378976f3925d20ef354e43
Instruction ID: 82c2ba1ad3df2ead337838d0563f92f9e2b63930007019be194c712a15280980
Opcode Fuzzy Hash: 70ac6fc894958f091a176e274659f3c0b84131676b378976f3925d20ef354e43
Instruction Fuzzy Hash: B331B52570A34289EA157F23685027AE751AF84BC0FC604B9DA4E077B6DF3EE421A320

Function 00007FF7A4085240 Relevance: 19.8, APIs: 8, Strings: 5, Instructions: 266COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40852B5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40852D6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40852F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40852FF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4085386
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40853D5
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4085436
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40855BC

Strings

SPNEGO handshake failure (empty challenge message), xrefs: 00007FF7A4085486
InitializeSecurityContext failed: %s, xrefs: 00007FF7A40855DA
HTTP, xrefs: 00007FF7A4085240
CompleteAuthToken failed: %s, xrefs: 00007FF7A4085617
Negotiate, xrefs: 00007FF7A4085244, 00007FF7A408534C, 00007FF7A40853F3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$calloc$malloc
String ID: CompleteAuthToken failed: %s$HTTP$InitializeSecurityContext failed: %s$Negotiate$SPNEGO handshake failure (empty challenge message)
API String ID: 3103867982-1477229593
Opcode ID: 9abc1dd8dd0e32e615b50650f2bfac574f46aaa96820c5a7c7ab5d149deeb8e1
Instruction ID: 6578a2723d03d67f71b9e17a22024f38005b138230b1d294edf564295bdd4e90
Opcode Fuzzy Hash: 9abc1dd8dd0e32e615b50650f2bfac574f46aaa96820c5a7c7ab5d149deeb8e1
Instruction Fuzzy Hash: FBC18E72A06B41C6EB10EF26E4902AEB7A5FB44B88F810076DE4D87778DF39D464D760

Function 00007FF7A4087120 Relevance: 19.7, APIs: 5, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40871D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087239
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408725C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40872BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408732C

Strings

%2d Subject: %s, xrefs: 00007FF7A4087224
Version, xrefs: 00007FF7A4087317
Issuer, xrefs: 00007FF7A4087290
%lx, xrefs: 00007FF7A40872FC
TRUE, xrefs: 00007FF7A4087391
Subject, xrefs: 00007FF7A408720A
Version: %lu (0x%lx), xrefs: 00007FF7A408733E
Issuer: %s, xrefs: 00007FF7A40872AA

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc
String ID: Issuer: %s$ Version: %lu (0x%lx)$%2d Subject: %s$%lx$Issuer$Subject$TRUE$Version
API String ID: 2190258309-1457932261
Opcode ID: d5c1120f4bc75899f32dbe632d47590707ac1fe0258b511d562e32d4e462238a
Instruction ID: 5ac96b3100d21701bcf637f8eea286619f9154c34b0717631e6f475839939567
Opcode Fuzzy Hash: d5c1120f4bc75899f32dbe632d47590707ac1fe0258b511d562e32d4e462238a
Instruction Fuzzy Hash: A061DF22A0A78284EB11AF2299843FBB790FB44794F8545B1DD4D073B9EF3EE164D320

Function 00007FF7A407A630 Relevance: 19.7, APIs: 4, Strings: 9, Instructions: 151stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7A407A69B
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407A7C5

Part of subcall function 00007FF7A4046040: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4050640,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A4042471), ref: 00007FF7A4046067
Part of subcall function 00007FF7A4046040: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4050640,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A4042471), ref: 00007FF7A4046073

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407A77F

Part of subcall function 00007FF7A4045FA0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4045FB0

Strings

TTYPE, xrefs: 00007FF7A407A755
Unknown telnet option %s, xrefs: 00007FF7A407A8BD
%127[^= ]%*[ =]%255s, xrefs: 00007FF7A407A740
%hu%*[xX]%hu, xrefs: 00007FF7A407A849
Syntax error in telnet option: %s, xrefs: 00007FF7A407A8D6
BINARY, xrefs: 00007FF7A407A86E
XDISPLOC, xrefs: 00007FF7A407A79B
NEW_ENV, xrefs: 00007FF7A407A7E1
USER,%s, xrefs: 00007FF7A407A6C0

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freestrncpy$_strdupmemset
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 3826632026-748038847
Opcode ID: d2f07001c2f69f4ee10fc8dac9839346342ada0b1b8db9734aab457d2f6b462d
Instruction ID: 859fcc4dcb479eba80be375bacf56175cd5667ae6416d1850c91b0f5fdad91b4
Opcode Fuzzy Hash: d2f07001c2f69f4ee10fc8dac9839346342ada0b1b8db9734aab457d2f6b462d
Instruction Fuzzy Hash: 37718D31A0EAC280FB20AF16D4816FAA360FB84784FC64072DA4C47275EF7ED165DB61

Function 00007FF7A407CEB3 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 290COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407CFB3

Strings

TFTP buffer too small for options, xrefs: 00007FF7A407D0AF, 00007FF7A407D1F8
tsize, xrefs: 00007FF7A407D0C2
timeout, xrefs: 00007FF7A407D275
blksize, xrefs: 00007FF7A407D188
%s%c%s%c, xrefs: 00007FF7A407CFCA
TFTP file name too long, xrefs: 00007FF7A407CF9F
%I64d, xrefs: 00007FF7A407D046

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %I64d$%s%c%s%c$TFTP buffer too small for options$TFTP file name too long$blksize$timeout$tsize
API String ID: 1294909896-3837278924
Opcode ID: 65c2ac1c1737b22f8914ba6aff2be67b8ef5a4c7b7b142e748a2b3bbf6257687
Instruction ID: f41ec88603efc0290277e439b1f4a566e240232773c47ae7567b241eec3ab155
Opcode Fuzzy Hash: 65c2ac1c1737b22f8914ba6aff2be67b8ef5a4c7b7b142e748a2b3bbf6257687
Instruction Fuzzy Hash: 25D1C062609A8281EB10DF25D0803BABB61FB85B88FC68172DA4D073B5DF3ED116D721

Function 00007FF7A407D730 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 222networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF7A407D8A3
sendto.WS2_32 ref: 00007FF7A407D95C
WSAGetLastError.WS2_32 ref: 00007FF7A407D96A

Strings

Received ACK for block %d, expecting %d, xrefs: 00007FF7A407D8F5
tftp_tx: giving up waiting for block %d ack, xrefs: 00007FF7A407D914
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF7A407D79D
tftp_tx: internal error, event: %i, xrefs: 00007FF7A407D788

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: sendto$ErrorLast
String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
API String ID: 4042023021-4197595102
Opcode ID: c6839c84e6b9a63ec9843bc45f807c9d82cf459fa3db2870afdf0a6d5b62c1db
Instruction ID: 6b9772efa4b90da2015ba2bdb0027b4794da849c6f252fbd49e5ef28682029ef
Opcode Fuzzy Hash: c6839c84e6b9a63ec9843bc45f807c9d82cf459fa3db2870afdf0a6d5b62c1db
Instruction Fuzzy Hash: 86B1C172609A82C6E7519F26D4803BA77A0FB88F88F854076DE4D4B778DF3AD411DB21

Function 00007FF7A407B160 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 180networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF7A407B35C
WSAGetLastError.WS2_32 ref: 00007FF7A407B36E
send.WS2_32 ref: 00007FF7A407B466
WSAGetLastError.WS2_32 ref: 00007FF7A407B470

Strings

%c%c, xrefs: 00007FF7A407B338
%127[^,],%127s, xrefs: 00007FF7A407B2C8
Sending data failed (%d), xrefs: 00007FF7A407B374, 00007FF7A407B476
#, xrefs: 00007FF7A407B3DE
%c%c%c%c, xrefs: 00007FF7A407B23D
%c%c%c%c%s%c%c, xrefs: 00007FF7A407B43F
%c%s%c%s, xrefs: 00007FF7A407B300

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLastsend
String ID: #$%127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s%c%s$Sending data failed (%d)
API String ID: 1802528911-931584821
Opcode ID: d56252f6b80ea051241c5109bd59262046ebf78b474f7167e0eae9e28f2b2d3a
Instruction ID: 7a5dc60dc11fa141f89eff4aaeba57958280391c3f0d1afca0d17166cb166a80
Opcode Fuzzy Hash: d56252f6b80ea051241c5109bd59262046ebf78b474f7167e0eae9e28f2b2d3a
Instruction Fuzzy Hash: 5691C032A09AC185F721AF15E8847EAA3B0FB44768F850231EE8C07BA5DF3ED155D750

Function 00007FF7A4054700 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405473D
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40547BF
strchr.VCRUNTIME140 ref: 00007FF7A405483E
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A405486C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405488D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405489F

Strings

Invalid IPv6 address format, xrefs: 00007FF7A4054827
Please URL encode %% as %%25, see RFC 6874., xrefs: 00007FF7A40547C9
No valid port number in connect to host string (%s), xrefs: 00007FF7A40548CB
%25, xrefs: 00007FF7A40547B5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdup$freestrchrstrncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 2070079882-2404041592
Opcode ID: 0d3683d8005d69ee5ffb3116067f3daafc3a7abd7e6190d03c1856025e8e0299
Instruction ID: bcc93e21bc2b80620b8dc675a24c7d14cf48cb135ce588bbe2c5bb12e93a9530
Opcode Fuzzy Hash: 0d3683d8005d69ee5ffb3116067f3daafc3a7abd7e6190d03c1856025e8e0299
Instruction Fuzzy Hash: CE513A11E4A6C645FB11AF1798903BBA7D0DF01784FDA80B1DE4D062F1DE2ED465E721

Function 00007FF7A404A710 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 143fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A74E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404A76E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A404A7A0
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A404A7BD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A7DB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A7EC
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A404A80C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A4044960), ref: 00007FF7A404A8BF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A4044960), ref: 00007FF7A404A8D5

Strings

Set-Cookie:, xrefs: 00007FF7A404A846
none, xrefs: 00007FF7A404A763

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: Set-Cookie:$none
API String ID: 4109794434-3629594122
Opcode ID: 913f7715d8d12d44a7185297608bd26f8fbfa3b0ccd1ff80d61ee16f17f028ee
Instruction ID: 003e57ca6c2efe41661142ba681af39d8533338b46d370043fcb9aa8d9f73c46
Opcode Fuzzy Hash: 913f7715d8d12d44a7185297608bd26f8fbfa3b0ccd1ff80d61ee16f17f028ee
Instruction Fuzzy Hash: 8B51F921A0F78241FA54BF23589027BE690FF45790F9544B8DD8E067B1DF6EE4A2A720

Function 00007FF7A405C2E0 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7A405C676

Strings

read function returned funny value, xrefs: 00007FF7A405C51B
operation aborted by trailing headers callback, xrefs: 00007FF7A405C46D
%zx%s, xrefs: 00007FF7A405C597
operation aborted by callback, xrefs: 00007FF7A405C44D
Unable to allocate trailing headers buffer !, xrefs: 00007FF7A405C353
Moving trailers state machine from initialized to sending., xrefs: 00007FF7A405C321
Signaling end of chunked upload after trailers., xrefs: 00007FF7A405C6C0
Signaling end of chunked upload via terminating chunk., xrefs: 00007FF7A405C60A
Successfully compiled trailers., xrefs: 00007FF7A405C3BA
Read callback asked for PAUSE when not supported!, xrefs: 00007FF7A405C4D9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy
String ID: %zx%s$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$Unable to allocate trailing headers buffer !$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
API String ID: 3510742995-1652449680
Opcode ID: 4771c451f9aa9f06f84511dd60e3dffbe4946d72cc0a08215ffcad3856c162cd
Instruction ID: 3764c069a4affffb2d9cabfa1b33a0ebae9765bd70a6219700a96b83cac5f900
Opcode Fuzzy Hash: 4771c451f9aa9f06f84511dd60e3dffbe4946d72cc0a08215ffcad3856c162cd
Instruction Fuzzy Hash: 9AA1B631A0EA82C1E750EF22D8943BBA350EB44B94F865471DE1D4B2B5EF3ED561E321

Function 00007FF7A406E2F0 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 207COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406E420
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406E436
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406E499

Strings

Cannot APPEND without a mailbox., xrefs: 00007FF7A406E4C4
Mime-Version: 1.0, xrefs: 00007FF7A406E541
Mime-Version, xrefs: 00007FF7A406E526
Cannot APPEND with unknown input file size, xrefs: 00007FF7A406E597
Cannot SELECT without a mailbox., xrefs: 00007FF7A406E44F
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_, xrefs: 00007FF7A406E308
APPEND %s (\Seen) {%I64d}, xrefs: 00007FF7A406E5CD
SELECT %s, xrefs: 00007FF7A406E485

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_$APPEND %s (\Seen) {%I64d}$Cannot APPEND with unknown input file size$Cannot APPEND without a mailbox.$Cannot SELECT without a mailbox.$Mime-Version$Mime-Version: 1.0$SELECT %s
API String ID: 1294909896-3146291949
Opcode ID: 8eba24e530ea5caf0d5228b31d68a2a44e2efc3ce809489f896ec9afce8c4c99
Instruction ID: cd35f65dae3a394b702ca5064f453a994514ed224ddf5b8bf95e472b1240f869
Opcode Fuzzy Hash: 8eba24e530ea5caf0d5228b31d68a2a44e2efc3ce809489f896ec9afce8c4c99
Instruction Fuzzy Hash: 7491CD21B0E75251FA94BF2794C437BE290EF44784F864071EE4E072B1DFADE460A3A2

Function 00007FF7A4054EA0 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 280stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4055E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055E94
Part of subcall function 00007FF7A4055E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055EAA
Part of subcall function 00007FF7A4055E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055EBE
Part of subcall function 00007FF7A4055E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055ED2
Part of subcall function 00007FF7A4055E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055EE6
Part of subcall function 00007FF7A4055E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055EFA
Part of subcall function 00007FF7A4055E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055F0E
Part of subcall function 00007FF7A4055E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055F22

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4054F22

Part of subcall function 00007FF7A407EE50: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EE65
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EE7F
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EE9A
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EEB6
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EED2
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EEEA
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF02
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF1A
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF32
Part of subcall function 00007FF7A407EE50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF4A
Part of subcall function 00007FF7A407EE50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF64

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4055126
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4055169
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A40552AE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405532B

Strings

%s://%s, xrefs: 00007FF7A4054F2F
Protocol "%s" not supported or disabled in libcurl, xrefs: 00007FF7A405506F
file, xrefs: 00007FF7A4055213, 00007FF7A405528C

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdup$free$callocstrtoul
String ID: %s://%s$Protocol "%s" not supported or disabled in libcurl$file
API String ID: 954404409-4150109901
Opcode ID: 6758a42c2f5dc663757ed3170074909e8fe14141e5650ad0774a33f90f12d84c
Instruction ID: 4fd075b891a29ab1670f1740686dccc8e21ee17c06f523e56115353141b02158
Opcode Fuzzy Hash: 6758a42c2f5dc663757ed3170074909e8fe14141e5650ad0774a33f90f12d84c
Instruction Fuzzy Hash: E3C1B931B0AA8255E768AE26C9803FAA790FB44344F854571DB0D876B9DF3EF530E361

Function 00007FF7A405C6E0 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 162COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405C75A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405C775
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405C7F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405C87C

Strings

GET, xrefs: 00007FF7A405C8EE
HEAD, xrefs: 00007FF7A405C8E7
Switch to %s, xrefs: 00007FF7A405C907
Issue another request to this URL: '%s', xrefs: 00007FF7A405C887
Maximum (%ld) redirects followed, xrefs: 00007FF7A405C847
Switch from POST to GET, xrefs: 00007FF7A405C946

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree
String ID: GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s
API String ID: 1865132094-1312055526
Opcode ID: 0c5a8c626145ccd31312ed3adb36d6ec9ea656c920a47348e4de85ad5a28c5a4
Instruction ID: 7080eb6a4eb6d28911a9e965b848cc68fda7c99e2d738dd069c247bf55e22fb6
Opcode Fuzzy Hash: 0c5a8c626145ccd31312ed3adb36d6ec9ea656c920a47348e4de85ad5a28c5a4
Instruction Fuzzy Hash: 7971EE21A0E783C0E760AF2694843BFA790EB45B84F9A4471DE4D47675CF3ED451A372

Function 00007FF7A4051880 Relevance: 17.6, APIs: 14, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A40518FD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405191A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405192E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405194A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051967
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405198A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A405199E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A40519B2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A40519D8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A40519EC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051A00
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051A4F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051A5C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4051A85

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 95def14f1c7f15620b6fe9dc28262b73bc3905a93dfb7c3e10dc90a189a3b1e2
Instruction ID: cc4177d961e8430e834bbc7c8564157bd1d30dad1a074952ece2a130338a90b6
Opcode Fuzzy Hash: 95def14f1c7f15620b6fe9dc28262b73bc3905a93dfb7c3e10dc90a189a3b1e2
Instruction Fuzzy Hash: 2F511032A4A68185EB14BF22D4D02FE63A0FF84F84F894571DE4E4B275CF3A9061A371

Function 00007FF7A408BF90 Relevance: 16.8, APIs: 2, Strings: 9, Instructions: 279COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408C45B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408C4B3

Strings

OAUTHBEARER, xrefs: 00007FF7A408C2A2
CRAM-MD5, xrefs: 00007FF7A408C1E2
PLAIN, xrefs: 00007FF7A408C36A
GSSAPI, xrefs: 00007FF7A408C126
DIGEST-MD5, xrefs: 00007FF7A408C1C3
EXTERNAL, xrefs: 00007FF7A408C0AB
LOGIN, xrefs: 00007FF7A408C3D3
XOAUTH2, xrefs: 00007FF7A408C315
NTLM, xrefs: 00007FF7A408C219

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: CRAM-MD5$DIGEST-MD5$EXTERNAL$GSSAPI$LOGIN$NTLM$OAUTHBEARER$PLAIN$XOAUTH2
API String ID: 1294909896-1896214517
Opcode ID: f970d2abf6ebd31af7a74623f51555fddbd863e7c20e7615ecd7745c04e63c2a
Instruction ID: 760e29025eb33fa6459e67c3754f8c6a8f81e7b35a5aad3395a239281cb469d4
Opcode Fuzzy Hash: f970d2abf6ebd31af7a74623f51555fddbd863e7c20e7615ecd7745c04e63c2a
Instruction Fuzzy Hash: 5FD18C7350E68285EB609F12A9803AAB3B0FB84755F460176DE8C077B8CF3DD495D724

Function 00007FF7A404D240 Relevance: 16.6, APIs: 11, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7A404D287
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7A404D297
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404D2AE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404D32A
strrchr.VCRUNTIME140 ref: 00007FF7A404D347
strrchr.VCRUNTIME140 ref: 00007FF7A404D357
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404D387
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404D393
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404D3A2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404D3B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404D3C9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdup$free$strrchr$_access_stat64
String ID:
API String ID: 2557200964-0
Opcode ID: 84dbd7d387848211ce90fc92c2da0d7d496f12dbdcdf86f95287380649613b1b
Instruction ID: 465dba4a8d83a2cb4ad2af14d7388dc4d4143d37fc49b18acf9c9c0760bc2c88
Opcode Fuzzy Hash: 84dbd7d387848211ce90fc92c2da0d7d496f12dbdcdf86f95287380649613b1b
Instruction Fuzzy Hash: F341732170AB0689FA10BF13A4D427AA2A0FF48B91F854574DE4D07BB0EF3DE425E320

Function 00007FF7A407EE50 Relevance: 16.6, APIs: 11, Instructions: 89COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EE65
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EE7F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EE9A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EEB6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EED2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EEEA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF02
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF1A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF32
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF4A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4054EC5,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A407EF64

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdup$callocfree
String ID:
API String ID: 1183638330-0
Opcode ID: 6c5616982f5c6c375460ad02fc021eb938bf1702e2b18ac9b8deb50ac20e7ea7
Instruction ID: be2c9af4efbdcab29b8f8f6a553610ebea928be9a21c4db46b50b313cd878910
Opcode Fuzzy Hash: 6c5616982f5c6c375460ad02fc021eb938bf1702e2b18ac9b8deb50ac20e7ea7
Instruction Fuzzy Hash: 8D310325B07F0286EE99EF57A09463962E0FF48B41B890975DA1D02B70EF3DE470E671

Function 00007FF7A4052570 Relevance: 16.4, APIs: 13, Instructions: 164stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7A40525A8
strchr.VCRUNTIME140 ref: 00007FF7A40525CF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052684
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40526AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40526CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40526DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40526E5
memcpy.VCRUNTIME140 ref: 00007FF7A4052703
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052717
memcpy.VCRUNTIME140 ref: 00007FF7A4052734
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052749
memcpy.VCRUNTIME140 ref: 00007FF7A4052761
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4052776

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$mallocmemcpy$strchr
String ID:
API String ID: 1615377186-0
Opcode ID: bd7767ed242e23caaf6037ae44a9cf72ff2c28187d5f66eb61473461553de434
Instruction ID: 019a7b3885870ce92866c8e595690c3b3c25165934149d7823e9f97dd3254dfe
Opcode Fuzzy Hash: bd7767ed242e23caaf6037ae44a9cf72ff2c28187d5f66eb61473461553de434
Instruction Fuzzy Hash: 7251E42270B78149EA24AF26A59027BE290FF44BC4F898474DE8D07774DF3EE425D721

Function 00007FF7A4054490 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40544D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40544E8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405450C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4054519
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4054542
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405454F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4054580
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405458D

Strings

Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF7A4054619

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdup
String ID: Couldn't find host %s in the .netrc file; using defaults
API String ID: 2653869212-3983049644
Opcode ID: ec7257cd3be6c82d29b538beb3472177542acba6a0cd96cc2d8ebd84b6f6d315
Instruction ID: 7af9b18040b1fa709ad534169a15e49101117c4bc0011783ae3236463aecb6aa
Opcode Fuzzy Hash: ec7257cd3be6c82d29b538beb3472177542acba6a0cd96cc2d8ebd84b6f6d315
Instruction Fuzzy Hash: E471D626A0AB8286E725AF36D4943ABA6A0FB44744F564071CB5D07370DF3EE434E722

Function 00007FF7A405444D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40544D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40544E8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405450C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4054519
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4054542
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405454F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4054580
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405458D

Strings

Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF7A4054619

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdup
String ID: Couldn't find host %s in the .netrc file; using defaults
API String ID: 2653869212-3983049644
Opcode ID: 3b630d0dd12ce498ebf1f535dbbab8bc5a09ce093ad7ef4cbfe157d581e54d98
Instruction ID: f563f92e124c9bdb6d25712ebde1a859639793a822d18eb1585dc48639f7e3af
Opcode Fuzzy Hash: 3b630d0dd12ce498ebf1f535dbbab8bc5a09ce093ad7ef4cbfe157d581e54d98
Instruction Fuzzy Hash: 3451D762A0AB8286E715AF22D4943AFA7A0FB44784F964071CB5D47370DF3EE460D722

Function 00007FF7A4074EA0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 00007FF7A4074FC5
Got a %03d response code instead of the assumed 200, xrefs: 00007FF7A4074EE0
Couldn't set desired mode, xrefs: 00007FF7A4074EBE
LIST, xrefs: 00007FF7A4074FA2
NLST, xrefs: 00007FF7A4074F9B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST
API String ID: 0-1262176364
Opcode ID: 7bae63f19e37e3fb9f309421ccc8831b6ecd1a4f345f0f5779c77e36524648ef
Instruction ID: e778af810d62958e38c9996875066d6ae4dfe2e71896881432e71bc441cb472d
Opcode Fuzzy Hash: 7bae63f19e37e3fb9f309421ccc8831b6ecd1a4f345f0f5779c77e36524648ef
Instruction Fuzzy Hash: F9410B21B0AA4285EA10BF17D4C01BBE360FF40B90FD240B5DA4D07671DF7EE464AB61

Function 00007FF7A4058DB0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF7A4064E1A), ref: 00007FF7A4058E2F
strchr.VCRUNTIME140(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF7A4064E1A), ref: 00007FF7A4058E81
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF7A4064E1A), ref: 00007FF7A4058EA5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF7A4064E1A), ref: 00007FF7A4058EF5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF7A4064E1A), ref: 00007FF7A4058F38

Strings

Digest, xrefs: 00007FF7A4058DBB
%sAuthorization: Digest %s, xrefs: 00007FF7A4058F15
Proxy-, xrefs: 00007FF7A4058F0B
%.*s, xrefs: 00007FF7A4058E8E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdupstrchr
String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
API String ID: 153040452-3976116069
Opcode ID: 024d4d83ac230c9c6f52cf5451fd3a19ad3b9e01ef546a6ac0a0c9dd9433d233
Instruction ID: 9a2395032d422d2e9c6f2ffef5ed4c1bfbd371df504d58368d01c17fe579b142
Opcode Fuzzy Hash: 024d4d83ac230c9c6f52cf5451fd3a19ad3b9e01ef546a6ac0a0c9dd9433d233
Instruction Fuzzy Hash: 3541C522709B8581E610AF12E8843ABB7A0FB44B84F954475EE8D47770DF3DD476E311

Function 00007FF7A4087EDE Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4087F12
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088409
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40884D2

Strings

Expire Date, xrefs: 00007FF7A40883DD
FALSE, xrefs: 00007FF7A4087F07
Public Key Algorithm, xrefs: 00007FF7A4088488
Public Key Algorithm: %s, xrefs: 00007FF7A40884A2
TRUE, xrefs: 00007FF7A4087F00
Expire Date: %s, xrefs: 00007FF7A40883F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdup
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$FALSE$Public Key Algorithm$TRUE
API String ID: 2653869212-571364039
Opcode ID: 4880fc878ee8a328644335253566701241f7638a4e2592a4d53fc1479a97712c
Instruction ID: 907b0649e62ea235157eb51bad96de48c317911902bc80c3b091f4514b3734db
Opcode Fuzzy Hash: 4880fc878ee8a328644335253566701241f7638a4e2592a4d53fc1479a97712c
Instruction Fuzzy Hash: 8741B562A0A78248EB10AF2299841FBB761FF05789F8504B1CE4D1777AEF3DE164D320

Function 00007FF7A4042F50 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7A4042F6C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042F74
FormatMessageA.KERNEL32 ref: 00007FF7A4042FAE
strchr.VCRUNTIME140 ref: 00007FF7A4042FC3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A404300C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4043016
GetLastError.KERNEL32 ref: 00007FF7A404301E
SetLastError.KERNEL32 ref: 00007FF7A404302A

Strings

Unknown error %u (0x%08X), xrefs: 00007FF7A4042FFA

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchr
String ID: Unknown error %u (0x%08X)
API String ID: 1897771742-1058733786
Opcode ID: a207ab5efef610c7d340f30c8d5af441e25e81c8d5035ffeb4f3945ff7161809
Instruction ID: b2343495b7175b268d86cf1431ad0d0bcce890caeca6f0060b937000ec203c37
Opcode Fuzzy Hash: a207ab5efef610c7d340f30c8d5af441e25e81c8d5035ffeb4f3945ff7161809
Instruction Fuzzy Hash: 94215422B0A74186E7116F23A84422BEA90AB94BD0FC64579DE4A03775CF3ED461A771

Function 00007FF7A4042752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A40426F9
strchr.VCRUNTIME140 ref: 00007FF7A4042720
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BCA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BD5
GetLastError.KERNEL32 ref: 00007FF7A4042BDE
SetLastError.KERNEL32 ref: 00007FF7A4042BEA

Strings

SEC_E_BAD_BINDINGS, xrefs: 00007FF7A4042752
%s - %s, xrefs: 00007FF7A4042BA9
%s (0x%08X), xrefs: 00007FF7A40426A5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_BINDINGS
API String ID: 600764987-2710416593
Opcode ID: ad520cff00791436f665a9c7ebc751bfe0d4d410ed940af3941ef55134a63b2e
Instruction ID: f0e37c777f0f8bb5b422e59740d0f33b4b8dafc2139730db97c3fb6bf17cc4ca
Opcode Fuzzy Hash: ad520cff00791436f665a9c7ebc751bfe0d4d410ed940af3941ef55134a63b2e
Instruction Fuzzy Hash: 0931892660E7C189E761AF61E4903ABB794FB84740FC10479DA8D02AB6CF3DD554E760

Function 00007FF7A404276A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A40426F9
strchr.VCRUNTIME140 ref: 00007FF7A4042720
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BCA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BD5
GetLastError.KERNEL32 ref: 00007FF7A4042BDE
SetLastError.KERNEL32 ref: 00007FF7A4042BEA

Strings

%s - %s, xrefs: 00007FF7A4042BA9
%s (0x%08X), xrefs: 00007FF7A40426A5
SEC_E_BUFFER_TOO_SMALL, xrefs: 00007FF7A404276A

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BUFFER_TOO_SMALL
API String ID: 600764987-1965992168
Opcode ID: adb4d3cc1ad15402be98744665676a234ebf3bef7a905d6a1a81ce6623857e9d
Instruction ID: ad304b33f4e5f4ffa7f9bd33e78eb8d2dec65a22da25908822f5028d576b3fc9
Opcode Fuzzy Hash: adb4d3cc1ad15402be98744665676a234ebf3bef7a905d6a1a81ce6623857e9d
Instruction Fuzzy Hash: 1C31892660E7C189E661AF61E4903AFB794FB84740FC10479DA8D02AB6CF3DD554E760

Function 00007FF7A4042776 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A40426F9
strchr.VCRUNTIME140 ref: 00007FF7A4042720
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BCA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BD5
GetLastError.KERNEL32 ref: 00007FF7A4042BDE
SetLastError.KERNEL32 ref: 00007FF7A4042BEA

Strings

%s - %s, xrefs: 00007FF7A4042BA9
SEC_E_CANNOT_INSTALL, xrefs: 00007FF7A4042776
%s (0x%08X), xrefs: 00007FF7A40426A5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_INSTALL
API String ID: 600764987-2628789574
Opcode ID: 089ccadd014c3ee78b622b01899f77aba2584c1a400cd428feca2a335efb15ad
Instruction ID: 057220812077d1f41079a76717e06751d623c025984f8ca0b4554d94ae5172d7
Opcode Fuzzy Hash: 089ccadd014c3ee78b622b01899f77aba2584c1a400cd428feca2a335efb15ad
Instruction Fuzzy Hash: 9431892660E7C189E661AF61E4903ABB794FBC4740FC10479DA8D02A76CF3DD554D760

Function 00007FF7A404275E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A40426F9
strchr.VCRUNTIME140 ref: 00007FF7A4042720
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BCA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BD5
GetLastError.KERNEL32 ref: 00007FF7A4042BDE
SetLastError.KERNEL32 ref: 00007FF7A4042BEA

Strings

%s - %s, xrefs: 00007FF7A4042BA9
SEC_E_BAD_PKGID, xrefs: 00007FF7A404275E
%s (0x%08X), xrefs: 00007FF7A40426A5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_PKGID
API String ID: 600764987-1052566392
Opcode ID: 2f4f5cac2e3c43b7562cef83c936687109589ef06298fa9f03c17c2dbd503f5a
Instruction ID: ac5ec0f145082ef6c73cec58317bae27b486e450bc600669f46436a1eae7797c
Opcode Fuzzy Hash: 2f4f5cac2e3c43b7562cef83c936687109589ef06298fa9f03c17c2dbd503f5a
Instruction Fuzzy Hash: 5C31892660E7C189E661AF61E4903AFB794FB84740FC10479DA8D02AB6CF3DD554E760

Function 00007FF7A404278E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A40426F9
strchr.VCRUNTIME140 ref: 00007FF7A4042720
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BCA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BD5
GetLastError.KERNEL32 ref: 00007FF7A4042BDE
SetLastError.KERNEL32 ref: 00007FF7A4042BEA

Strings

%s - %s, xrefs: 00007FF7A4042BA9
SEC_E_CERT_EXPIRED, xrefs: 00007FF7A404278E
%s (0x%08X), xrefs: 00007FF7A40426A5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_EXPIRED
API String ID: 600764987-3862749013
Opcode ID: 56e2ddeb5580827647768440bcc176f8b6946ce4dee5d87353e15cb9a0a16672
Instruction ID: 134eb37c435b42edb9d2af6386a3e23d9700f44c0d8f572da8512cab87f0a21c
Opcode Fuzzy Hash: 56e2ddeb5580827647768440bcc176f8b6946ce4dee5d87353e15cb9a0a16672
Instruction Fuzzy Hash: 5D31892660E7C189E661AF61E4903ABB794FBC4740FC10479DA8D02A76CF3DD554D760

Function 00007FF7A4042782 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A40426F9
strchr.VCRUNTIME140 ref: 00007FF7A4042720
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BCA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BD5
GetLastError.KERNEL32 ref: 00007FF7A4042BDE
SetLastError.KERNEL32 ref: 00007FF7A4042BEA

Strings

%s - %s, xrefs: 00007FF7A4042BA9
%s (0x%08X), xrefs: 00007FF7A40426A5
SEC_E_CANNOT_PACK, xrefs: 00007FF7A4042782

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_PACK
API String ID: 600764987-1502336670
Opcode ID: 1995ff10ed04dce21260e3a967019fbcd735387925a1af334264184213179178
Instruction ID: e7ca0044914c42253cdcaa6ec5192300cd58fdfb1eff0587633fca7a2b3d57a9
Opcode Fuzzy Hash: 1995ff10ed04dce21260e3a967019fbcd735387925a1af334264184213179178
Instruction Fuzzy Hash: 0F31A92260E7C189E661AF21E4903ABB790FBC4740FC10479DA8D02AB6CF3DD564D760

Function 00007FF7A404279A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A40426F9
strchr.VCRUNTIME140 ref: 00007FF7A4042720
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BCA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BD5
GetLastError.KERNEL32 ref: 00007FF7A4042BDE
SetLastError.KERNEL32 ref: 00007FF7A4042BEA

Strings

%s - %s, xrefs: 00007FF7A4042BA9
SEC_E_CERT_UNKNOWN, xrefs: 00007FF7A404279A
%s (0x%08X), xrefs: 00007FF7A40426A5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_UNKNOWN
API String ID: 600764987-1381340633
Opcode ID: 942faa6bf7be1711fa1d0b7566088d42f301b9f5789a6e1556235a281404a159
Instruction ID: 62bf31ba51d77fb5487cb24d22ad167cbc2108df54f51348159e693cefc65a08
Opcode Fuzzy Hash: 942faa6bf7be1711fa1d0b7566088d42f301b9f5789a6e1556235a281404a159
Instruction Fuzzy Hash: 6531A92260E7C189E661AF21E4903AFB790FBC4740FC10479DA8D02AB6CF3DD564D760

Function 00007FF7A404269E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A40426F9
strchr.VCRUNTIME140 ref: 00007FF7A4042720
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4042BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BCA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042BD5
GetLastError.KERNEL32 ref: 00007FF7A4042BDE
SetLastError.KERNEL32 ref: 00007FF7A4042BEA

Strings

%s - %s, xrefs: 00007FF7A4042BA9
SEC_E_ALGORITHM_MISMATCH, xrefs: 00007FF7A404269E
%s (0x%08X), xrefs: 00007FF7A40426A5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_ALGORITHM_MISMATCH
API String ID: 600764987-618797061
Opcode ID: f5330ccc4088d604f1c4fdc059b1ac81f642d8961113e143d29ca4ea7cab1393
Instruction ID: 1044382be339ad730b8ccbc84c96d1983e8cd3328f2c036f2c953a5a510942b9
Opcode Fuzzy Hash: f5330ccc4088d604f1c4fdc059b1ac81f642d8961113e143d29ca4ea7cab1393
Instruction Fuzzy Hash: DE31982260E7C189E721AF61E8903ABB790FBC4740FC1057ADA8D02AB6CF3DD554D760

Function 00007FF7A404B280 Relevance: 15.1, APIs: 10, Instructions: 67COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000000,?,00007FF7A404ACFE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A40519C9), ref: 00007FF7A404B2A3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B2F9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B303
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B30D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B317
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B321
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B32B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B335
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B33F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404B348

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_time64
String ID:
API String ID: 3087401894-0
Opcode ID: 794ec81e754e4059ed5435738d62d671d13dfc205665a64c9ad2aac622e1363a
Instruction ID: fa3297b7d3741ee034f5a8e41e64f5536c2af2325239e6fab18ffab29094d8ea
Opcode Fuzzy Hash: 794ec81e754e4059ed5435738d62d671d13dfc205665a64c9ad2aac622e1363a
Instruction Fuzzy Hash: A0213036A0AA4185DB20AF23E98452AA370FB48FC1F560971DE9D03734CE3ED451E360

Function 00007FF7A4037409 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

invalid number; expected '+', '-', or digit after exponent, xrefs: 00007FF7A4037957
invalid number; expected digit after '.', xrefs: 00007FF7A40377A7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: invalid number; expected '+', '-', or digit after exponent$invalid number; expected digit after '.'
API String ID: 0-808606891
Opcode ID: dc9dd6f78c51c9d00d5e7a5a116f0ea754b32ee68f05b370b316dc6568bbd5a6
Instruction ID: d22b059233e395bd02f48545077e2da69ac58fcba88fcf03231818068d00d4fb
Opcode Fuzzy Hash: dc9dd6f78c51c9d00d5e7a5a116f0ea754b32ee68f05b370b316dc6568bbd5a6
Instruction Fuzzy Hash: C3B1A02250AA4185E728AF2AD58023DBF71E715B58FE185B6C64D032F4CF3AF8A1D360

Function 00007FF7A4062DC0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 181COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4062E8C

Strings

Digest, xrefs: 00007FF7A4062F24
Ignoring duplicate digest auth header., xrefs: 00007FF7A4062F3D
Authentication problem. Ignoring this., xrefs: 00007FF7A4062FCD
Bearer, xrefs: 00007FF7A4062FA8
NTLM, xrefs: 00007FF7A4062EBC
Negotiate, xrefs: 00007FF7A4062E36
Basic, xrefs: 00007FF7A4062F81

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdup
String ID: Authentication problem. Ignoring this.$Basic$Bearer$Digest$Ignoring duplicate digest auth header.$NTLM$Negotiate
API String ID: 1169197092-907567932
Opcode ID: a0251eed2c70bbd49aa1dbbc1ce3cfa3298b332a8a1cd3e14d86184fd550fdd0
Instruction ID: 94e5b379dbd46f66cb31d05cf642aee2d0c68becedc9c5e3c84bcfc1c740ce39
Opcode Fuzzy Hash: a0251eed2c70bbd49aa1dbbc1ce3cfa3298b332a8a1cd3e14d86184fd550fdd0
Instruction Fuzzy Hash: 4B71E921A0928265F7147F1385942B7FAC1AF01784F8680B8DA8B475B1DF7EE434B332

Function 00007FF7A4054900 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40549DC
strchr.VCRUNTIME140 ref: 00007FF7A4054A10
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A4054A30
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4054AB4

Strings

%s%s%s, xrefs: 00007FF7A405499F
anonymous, xrefs: 00007FF7A4054910
Connecting to port: %d, xrefs: 00007FF7A4054AD0
Connecting to hostname: %s, xrefs: 00007FF7A4054A8B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$strchrstrtol
String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d$anonymous
API String ID: 137861075-1224060940
Opcode ID: e19e7a17892ef0fd4547017b0856966097517799dc59ca407be5fc436240d304
Instruction ID: 96d4d88c597d63d41de4555b5db33bdafcbc115da3938b92ef672ea261653e12
Opcode Fuzzy Hash: e19e7a17892ef0fd4547017b0856966097517799dc59ca407be5fc436240d304
Instruction Fuzzy Hash: 1E510622A0AAC244EB71AF13A8803EBA790FB41B94F958575DE8C077B5CF3ED121D711

Function 00007FF7A40873AC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40873D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
FALSE, xrefs: 00007FF7A40873C8
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdup
String ID: Serial Number: %s$ Signature Algorithm: %s$FALSE$Serial Number$Signature Algorithm
API String ID: 2653869212-3672398475
Opcode ID: b407aa12ab9d603bb7481d1789e94b5a93f7aa65e4bcc9714295407214bc55c9
Instruction ID: 6722908c0d6fe6d3f580f8d1714f0ca51585fcba7ecfbc3b1c550b5ec831560c
Opcode Fuzzy Hash: b407aa12ab9d603bb7481d1789e94b5a93f7aa65e4bcc9714295407214bc55c9
Instruction Fuzzy Hash: EE419862A0A78284EB11AF2299841FBB760FF05789F8944B1CE4D177B9DF3DE160D321

Function 00007FF7A407FE00 Relevance: 13.8, APIs: 11, Instructions: 29COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE0C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE16
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE20
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE2A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE34
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE3E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE48
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE52
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE5C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE66
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A407EE32,?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407FE70

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6b448fd4be533d4b3f4b30fa29817f0af00be32d1e32d0b028ea1c3c8ba10bd8
Instruction ID: bd53119e09d1172ea9f6fb7fbc2d88d2dff6dd1f00440cfc81acb0ab30e88619
Opcode Fuzzy Hash: 6b448fd4be533d4b3f4b30fa29817f0af00be32d1e32d0b028ea1c3c8ba10bd8
Instruction Fuzzy Hash: 1201F567B55901C6D724AF27E8945396330FF88F89B611971CE6E42234CE2AD865E370

Function 00007FF7A407F1F0 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 223COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F345
memcpy.VCRUNTIME140 ref: 00007FF7A407F362

Strings

%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF7A407F532
%%25%s], xrefs: 00007FF7A407F372
https, xrefs: 00007FF7A407F280
%ld, xrefs: 00007FF7A407F2AE
file://%s%s%s, xrefs: 00007FF7A407F23E
file, xrefs: 00007FF7A407F20B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: mallocmemcpy
String ID: %%25%s]$%ld$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 4276657696-1832275178
Opcode ID: fd768c2aa5eae75a5a2e6dc2aa22c2356e80d146e042891e7013a1ccd583ede0
Instruction ID: ce4be8d2a0d1b42197d0142ae810387ff22cd3a3be08903f3c81b67b8a8a281f
Opcode Fuzzy Hash: fd768c2aa5eae75a5a2e6dc2aa22c2356e80d146e042891e7013a1ccd583ede0
Instruction Fuzzy Hash: 36A16F62A0AF8685EA65AF22A5803BAB3A0FF44B84F854171DE4C03775DF3DD461D711

Function 00007FF7A408AE10 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 211COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7A408AEB8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408AEC9
memcpy.VCRUNTIME140 ref: 00007FF7A408B009
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408B064
memcpy.VCRUNTIME140 ref: 00007FF7A408B081

Strings

8, xrefs: 00007FF7A408B0B3
cached response data too big to handle, xrefs: 00007FF7A408B101
response reading failed, xrefs: 00007FF7A408B0A1
Excessive server response line length received, %zd bytes. Stripping, xrefs: 00007FF7A408AFE1

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$freemalloc
String ID: 8$Excessive server response line length received, %zd bytes. Stripping$cached response data too big to handle$response reading failed
API String ID: 3313557100-1003742340
Opcode ID: 4cb88a9bb682ff8cf7b43de263370166180d9ca97bd046b12c59ddd90dd32cdf
Instruction ID: 5fada35e37e2077146d2498b143160d7735873bacd1b5ece2bbcb070fac6174c
Opcode Fuzzy Hash: 4cb88a9bb682ff8cf7b43de263370166180d9ca97bd046b12c59ddd90dd32cdf
Instruction Fuzzy Hash: 2B81BF2260AB8181DA50EF26D5803ABB360FB44786F864471EF9D47B65DF3ED4A0D750

Function 00007FF7A408825C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 174COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408829F
memcpy.VCRUNTIME140 ref: 00007FF7A40882C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088398
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088409
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40884D2

Strings

Expire Date, xrefs: 00007FF7A40883DD
Public Key Algorithm, xrefs: 00007FF7A4088488
Public Key Algorithm: %s, xrefs: 00007FF7A40884A2
Expire Date: %s, xrefs: 00007FF7A40883F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 3401966785-2901970132
Opcode ID: d77bbf88a504c9176559139c5e71d2011c5d623afa97ab2ba937b66deb4465e9
Instruction ID: ed559017b81bbe91191236f031910c6583f9e67f6b78619e617945d96b57c470
Opcode Fuzzy Hash: d77bbf88a504c9176559139c5e71d2011c5d623afa97ab2ba937b66deb4465e9
Instruction Fuzzy Hash: 34614962A0A78145EB18AF2386941BBB751FF05795F8545B5CA0E077F5EE3DE024A320

Function 00007FF7A40876E6 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 169COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408771F
memcpy.VCRUNTIME140 ref: 00007FF7A408774A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3401966785-517259162
Opcode ID: 5b4011869b0755b7bd384421eda15a8f17f7ed763e6d0546f24f4cd3c10d53e7
Instruction ID: 1991b42fcf36c8e9f443d0058013c55dfd0386f714b9b5f43a7c8b3840f349f0
Opcode Fuzzy Hash: 5b4011869b0755b7bd384421eda15a8f17f7ed763e6d0546f24f4cd3c10d53e7
Instruction Fuzzy Hash: 2D614C51A0A38244FB18AF234A941BBBB51EF15785F8945B5CE4E077F9EE3DE025E320

Function 00007FF7A4081790 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF7A4064DF8), ref: 00007FF7A4081920
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF7A4064DF8), ref: 00007FF7A4081957
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF7A4064DF8), ref: 00007FF7A408197E

Strings

Proxy-, xrefs: 00007FF7A408192E, 00007FF7A40819DA
HTTP, xrefs: 00007FF7A40817A6
%sAuthorization: NTLM %s, xrefs: 00007FF7A4081938, 00007FF7A40819E4
NTLM, xrefs: 00007FF7A4081796

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
API String ID: 1294909896-3948863929
Opcode ID: e9e475ad4b3651e4003d17a8e6ef36f07f97d20f7521292248c766d0bd55578f
Instruction ID: bd2ca20293cf985fae4e088187c9e4ea916d76e89bd79748a33934e983e766fa
Opcode Fuzzy Hash: e9e475ad4b3651e4003d17a8e6ef36f07f97d20f7521292248c766d0bd55578f
Instruction Fuzzy Hash: 2B61B032A0AB8181E7609F16E4847ABB7A4FB44B84F814136DA8D4B7B4DF3ED451D720

Function 00007FF7A4078420 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 111stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A404B430: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A404B474

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407853D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4078595
memcpy.VCRUNTIME140 ref: 00007FF7A40785BA

Strings

Session:, xrefs: 00007FF7A40784AE
Got a blank Session ID, xrefs: 00007FF7A40784E7
: %ld, xrefs: 00007FF7A4078461
Unable to read the CSeq header: [%s], xrefs: 00007FF7A4078492
Got RTSP Session ID Line [%s], but wanted ID [%s], xrefs: 00007FF7A407854E
CSeq:, xrefs: 00007FF7A407843D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: __stdio_common_vsscanfmallocmemcpystrncmp
String ID: : %ld$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Unable to read the CSeq header: [%s]
API String ID: 1392894463-1168109407
Opcode ID: 9ee667e3ef2b8362d973f2be99724709101bc31ecf6e59961fe177d2da80cc60
Instruction ID: b1dc0021239283cf352959adc41754facbb80138f758821214b8dbf92bc1d78a
Opcode Fuzzy Hash: 9ee667e3ef2b8362d973f2be99724709101bc31ecf6e59961fe177d2da80cc60
Instruction Fuzzy Hash: 8D41DD22A0EA8241EA50BF1794802BBA750FF417C4FCA4175DA5D472B5DF2EE411E731

Function 00007FF7A4076E8E Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 268COMMON

Download Yara Rule

APIs

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7A4076F27

Part of subcall function 00007FF7A40774D0: strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A4077506
Part of subcall function 00007FF7A40774D0: _open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A407755B

Strings

Accept-ranges: bytes, xrefs: 00007FF7A4076FBE
Content-Length: %I64d, xrefs: 00007FF7A4076F83
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s, xrefs: 00007FF7A407708B
Can't get the size of file., xrefs: 00007FF7A4077109
failed to resume file:// transfer, xrefs: 00007FF7A4077286

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _fstat64_openstrchr
String ID: Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s$failed to resume file:// transfer
API String ID: 3410096895-1509146019
Opcode ID: 7a1e08496ae78c723fe99c1666c883e19df85d3e60aab7009e4ff462fa17d17e
Instruction ID: c7d8107cab8cc92c941b6c3a5c0d63a046d407177cd6b16422db06fbc6485a5b
Opcode Fuzzy Hash: 7a1e08496ae78c723fe99c1666c883e19df85d3e60aab7009e4ff462fa17d17e
Instruction Fuzzy Hash: EEB1D831A0AA8346E720AF2795803BBE791FB847C4F864071DE4D47775EE3EE4219B61

Function 00007FF7A408C530 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 252stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408C5C8
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408C624
strchr.VCRUNTIME140 ref: 00007FF7A408C80C
strchr.VCRUNTIME140 ref: 00007FF7A408C87A

Strings

APM0123456789:, xrefs: 00007FF7A408C805
0123456789-, xrefs: 00007FF7A408C873
<DIR>, xrefs: 00007FF7A408C750

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$mallocrealloc
String ID: 0123456789-$<DIR>$APM0123456789:
API String ID: 359134164-4291660576
Opcode ID: f6c3b07ae69c7a76d4dcae46c8e10b4f490ffa99a37a4308854842f81971856a
Instruction ID: b4778f64cc3dd974409891a81b40c867015a8f715f6c9a89e1fcb2fb292326aa
Opcode Fuzzy Hash: f6c3b07ae69c7a76d4dcae46c8e10b4f490ffa99a37a4308854842f81971856a
Instruction Fuzzy Hash: C2B1823290A705C6EB24AF26E19433AB7E0FB44B49F564175CA4E077B4CF3AE461D760

Function 00007FF7A407E800 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407E847
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407E8AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407E9DF

Part of subcall function 00007FF7A406C990: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF7A4053D1F), ref: 00007FF7A406C9BE

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407E8DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407EA1D

Strings

%s?%s, xrefs: 00007FF7A407E839
Failed sending Gopher request, xrefs: 00007FF7A407E9E5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: %s?%s$Failed sending Gopher request
API String ID: 111713529-132698833
Opcode ID: 03f6d069cb451dec0e6154f66f1d59009e5cea7867a2aa75751e37c4f7ea109f
Instruction ID: af40008026f2a8e73ec9897cdd46dbc4b952ece768e41c967d2de8dd94cddd37
Opcode Fuzzy Hash: 03f6d069cb451dec0e6154f66f1d59009e5cea7867a2aa75751e37c4f7ea109f
Instruction Fuzzy Hash: 1F51F822B0BA8281F690AF27A8801BBA390FB447E4F854671DE6D437F5DE3DD0119B51

Function 00007FF7A40394E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403A9ED
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403AA1B
__std_exception_destroy.VCRUNTIME140 ref: 00007FF7A403AA29
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403AA63
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403AAB4

Strings

value, xrefs: 00007FF7A403A959

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: value
API String ID: 1346393832-494360628
Opcode ID: 8a8ff242f02a9236229a831a3fccc6dff901718e43974036dda4f5f8c8ed984b
Instruction ID: 184c2a0d9a29c9cc5ff8cd2e57e2359309fb5a0d03f42692e2ba998952a8ff4c
Opcode Fuzzy Hash: 8a8ff242f02a9236229a831a3fccc6dff901718e43974036dda4f5f8c8ed984b
Instruction Fuzzy Hash: EC61F432A19A8185EB14DF75E9843EE7720EB453A4F414731EA6C02AF9CF7DE091D710

Function 00007FF7A40774D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A4077506
_open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A407755B
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A40775CC
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A40775D9
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7A40776EB

Strings

Can't get the size of %s, xrefs: 00007FF7A40775E2
Can't open %s for writing, xrefs: 00007FF7A407756B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _close$_fstat64_openstrchr
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 423814720-3544860555
Opcode ID: e5c8fb1ec35a5549d700875c8203deee49073a84587174603ce729f0572fed4b
Instruction ID: cc48ef9b654306086944d539acf100fdcca3912098728016c57671effd1a48de
Opcode Fuzzy Hash: e5c8fb1ec35a5549d700875c8203deee49073a84587174603ce729f0572fed4b
Instruction Fuzzy Hash: E251F42170AE8282EA14BF27A4802BBE791FB84BD0F864475DA4E473B5DE7DF4119721

Function 00007FF7A407F740 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7A407F750
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdupstrtol
String ID: %%%02x
API String ID: 2999891020-4020994737
Opcode ID: 6a801598b4c74b21c1fa39b5fd3dd7a905dae2e9e63405a51e711a2ace6544f3
Instruction ID: e67f05d617beedd3e6d2d019651b5be499c4e276d0d4f212aa70f04487506ade
Opcode Fuzzy Hash: 6a801598b4c74b21c1fa39b5fd3dd7a905dae2e9e63405a51e711a2ace6544f3
Instruction Fuzzy Hash: 0A51DC11A0FA8255FA61AF32509437AAB90BF41794F8A01B1DD9D077F1DE2EE414E732

Function 00007FF7A407F716 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F723
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc$_strdup
String ID: %%%02x
API String ID: 1496848336-4020994737
Opcode ID: 47e6af600c9d1d346c1937aab269d8273d8af942b88f53c16fc3d7d3e07b8469
Instruction ID: a9a399f9ef4b4c1614670cf7a3b25682362b5806ab9ba96bd6636858a938078e
Opcode Fuzzy Hash: 47e6af600c9d1d346c1937aab269d8273d8af942b88f53c16fc3d7d3e07b8469
Instruction Fuzzy Hash: 8D41FD12A0EA8245EA61AF33509437AABD0BF45794F8A05F1DD9D073F1DE2EE414E732

Function 00007FF7A408747E Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4087481
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Part of subcall function 00007FF7A4050B50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050BA2

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 111713529-517259162
Opcode ID: 4ad8c825ccfcb54f95674c0dcb7cdfa92c224264c5baeb7d6188afb13df6f0f6
Instruction ID: c53f9edcd67f9cd623bab2c7c1e24784672722271d94372db0713674f527b6a7
Opcode Fuzzy Hash: 4ad8c825ccfcb54f95674c0dcb7cdfa92c224264c5baeb7d6188afb13df6f0f6
Instruction Fuzzy Hash: 2F31AA51A0A74244FA14AF6399841FBB750EF05789F8944B5CE4D073BAEF3DE120E321

Function 00007FF7A408756D Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 165COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
GMT, xrefs: 00007FF7A408761E
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7A4087691
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Serial Number$Signature Algorithm
API String ID: 1294909896-599393795
Opcode ID: 9abdc7800897664ab45268b87967cada86f487af973ba71b71faca93e2bc1046
Instruction ID: 4f25f2a0464d6351a0e8f144abecc6b8134bb3fdaef49848a749e194e222b79a
Opcode Fuzzy Hash: 9abdc7800897664ab45268b87967cada86f487af973ba71b71faca93e2bc1046
Instruction Fuzzy Hash: DE61EA61A0A78244EB10AF269E841BBFB90EF05785FC644B5DA4D07779DF3EE161E320

Function 00007FF7A4088865 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40888A8
memcpy.VCRUNTIME140 ref: 00007FF7A40888CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40889A2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Strings

Signature, xrefs: 00007FF7A40889DF
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc$memcpy
String ID: Signature: %s$Signature
API String ID: 901724546-1663925961
Opcode ID: 47d8be27700f296a11b72f90afc98f6705cfe901cbe2814c0c12018f30ada7c7
Instruction ID: 8a541fac7a52d65311ecda529b2093557bd594ec62f2b6f3ff5d777bc84b3aa8
Opcode Fuzzy Hash: 47d8be27700f296a11b72f90afc98f6705cfe901cbe2814c0c12018f30ada7c7
Instruction Fuzzy Hash: A8517813B0A68245FA18AF1795843BBB350EF41BD0F890171CA9F077F1EE2ED025A321

Function 00007FF7A404F7B0 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404F7F6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404F822
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A404F84E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdup
String ID:
API String ID: 1169197092-0
Opcode ID: 6357a9bd726c514b9537bb7ab30b8792c16bcd5251ca2c88349b3d87cfd3c4aa
Instruction ID: 8e08c69df6f4bf82a8ce1979c28b5c80f352cf37c1cf18b2ef8e568eb24d14ee
Opcode Fuzzy Hash: 6357a9bd726c514b9537bb7ab30b8792c16bcd5251ca2c88349b3d87cfd3c4aa
Instruction Fuzzy Hash: F651A022B1BB8186EB55CF66F080129B3A0FB48B84B491575EF8D07B68EF39D4B1D710

Function 00007FF7A40874A7 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7A4087559
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
GMT, xrefs: 00007FF7A4087506
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Serial Number$Signature Algorithm
API String ID: 1294909896-3876350232
Opcode ID: d49d0fec6018ad6c37eadfc80c8b36a17024eb9138f7c190acf9ab5c99e4fe88
Instruction ID: d425e64403d9e9e6bf856dddafd8021c4d887f0c4f137af515a0e72259dc7bd4
Opcode Fuzzy Hash: d49d0fec6018ad6c37eadfc80c8b36a17024eb9138f7c190acf9ab5c99e4fe88
Instruction Fuzzy Hash: D251A821A0A78284FB10AF2299801BBBB51FB05785FCA54B1DA4D172BADF3DE564D320

Function 00007FF7A4088264 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408829F
memcpy.VCRUNTIME140 ref: 00007FF7A40882C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088409
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40884D2

Strings

Expire Date, xrefs: 00007FF7A40883DD
Public Key Algorithm, xrefs: 00007FF7A4088488
Public Key Algorithm: %s, xrefs: 00007FF7A40884A2
Expire Date: %s, xrefs: 00007FF7A40883F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 3401966785-2901970132
Opcode ID: dfcbbc16d3bd6a6aff9960da1f9d9e569395f30e8f586d22ed38cdd3c36d727d
Instruction ID: 007eda3b893bd8141e0200fb89c162a4fc656ed44eaa0fa130e49390b4156bea
Opcode Fuzzy Hash: dfcbbc16d3bd6a6aff9960da1f9d9e569395f30e8f586d22ed38cdd3c36d727d
Instruction Fuzzy Hash: 4D41F762A0A78244EA10AF238A841FBB761FF15785F854571CE0D077B5EF7DE1249320

Function 00007FF7A406D240 Relevance: 11.3, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D30C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D31A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D328
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D336
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D344
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D352
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D360
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D36E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406D37C

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: cdd882aa0eb0c59bba6af1d881fe4002e072876f2fb64ac32148e530adc62b87
Instruction ID: 33afd9cd352ff2aeea39b36a5acbcfcc8e5e6195826a1ae3871907120dd3f7b5
Opcode Fuzzy Hash: cdd882aa0eb0c59bba6af1d881fe4002e072876f2fb64ac32148e530adc62b87
Instruction Fuzzy Hash: AA416432A09B4386E721AF22D48023AB3A4FF94F84F954575DA8E53734CF79D860E361

Function 00007FF7A404A180 Relevance: 11.3, APIs: 9, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A1FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A204
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A20E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A218
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A222
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A22C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A236
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A240
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A249

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ba3c6830358e7528ed72be0c954360400be3cdaf49af343b8df36180f5656063
Instruction ID: 56ab9da18c1a43ceb04cf7c97ff1f473dc379c098e8498413888034045c51e3d
Opcode Fuzzy Hash: ba3c6830358e7528ed72be0c954360400be3cdaf49af343b8df36180f5656063
Instruction Fuzzy Hash: FC311C3670AA5185D720AF12E98422AA374FB84FC4F550571DE9D07B78CE7ED461E720

Function 00007FF7A404A2A0 Relevance: 11.3, APIs: 9, Instructions: 32COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A2B9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A2C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A2CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A2D7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A2E1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A2EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A2F5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A2FF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404A308

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 89febe505de102955aa40a6d6fbd39999fc8921961043ca983f536c30d848905
Instruction ID: 356c16259ae322f444e91e99b747d2d48a304df9eae85b8bb81db5e6280ef362
Opcode Fuzzy Hash: 89febe505de102955aa40a6d6fbd39999fc8921961043ca983f536c30d848905
Instruction Fuzzy Hash: 7701E966756A0186DB14AF22E894529A330FF88FC5B551971CD9E43334CE2DD864E330

Function 00007FF7A4084830 Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A404C510: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C546
Part of subcall function 00007FF7A404C510: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C556
Part of subcall function 00007FF7A404C510: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C564
Part of subcall function 00007FF7A404C510: memset.VCRUNTIME140 ref: 00007FF7A404C59F

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40848F9
memcpy.VCRUNTIME140 ref: 00007FF7A4084914
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408492E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$mallocmemcpymemset
String ID:
API String ID: 1579693990-0
Opcode ID: 8fb3d6d3ee099111430005b96dd445b6f329aa6f6764831057bf426af99e6c2f
Instruction ID: eb0e2f06bdb6e358b38a61ab21eac4a94739c7d0cf1c1632afbfb362d0443b68
Opcode Fuzzy Hash: 8fb3d6d3ee099111430005b96dd445b6f329aa6f6764831057bf426af99e6c2f
Instruction Fuzzy Hash: 7191A521B0A74242FA64BF2755D037BA290EF84BC5F964074DE4D477B6EF2EE421A324

Function 00007FF7A40598F0 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 217stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7A40598B8), ref: 00007FF7A4059A05
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF7A40598B8), ref: 00007FF7A4059A1F

Strings

I64, xrefs: 00007FF7A4059A15, 00007FF7A4059A7F
I32, xrefs: 00007FF7A40599F5, 00007FF7A4059A55
Internal error removing splay node = %d, xrefs: 00007FF7A4059902

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strncmp
String ID: I32$I64$Internal error removing splay node = %d
API String ID: 1114863663-13178787
Opcode ID: 2c182daf1c2e6d25c5e7bf0efd11d6bda6f881fcecf2cdaad549c930c6f98041
Instruction ID: 6dba43590377d3489fc1806486f6fe49537a7034e9a1d28337bfab46eb8f1465
Opcode Fuzzy Hash: 2c182daf1c2e6d25c5e7bf0efd11d6bda6f881fcecf2cdaad549c930c6f98041
Instruction Fuzzy Hash: 9FA10533A0A64186DB209F16E48477EBBA4FB48B48F878175DA8D43275DF3DD218D760

Function 00007FF7A4068210 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7A404B23A,?,?,?,?,?,?,?,00007FF7A404B007), ref: 00007FF7A4068221
strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF7A40683C3
strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF7A40683E0

Strings

0123456789ABCDEF, xrefs: 00007FF7A40683D2, 00007FF7A40683D9
TRUE, xrefs: 00007FF7A406834C
0123456789abcdef, xrefs: 00007FF7A40683B2, 00007FF7A40683BC

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$_errno
String ID: 0123456789ABCDEF$0123456789abcdef$TRUE
API String ID: 2644425738-1191287149
Opcode ID: 720e810a07ba9ee7a915715f5eb5251aab670f7d7701d63ee000b7329d776947
Instruction ID: 8dd16ac5d53eabd84d781def02319ae91fc05ce5398ed26979bb80fcbef99e9f
Opcode Fuzzy Hash: 720e810a07ba9ee7a915715f5eb5251aab670f7d7701d63ee000b7329d776947
Instruction Fuzzy Hash: 66513623B0F68651EE21AF26948017FE2A1AB45788FC64070DE4F06775DF7EE461E322

Function 00007FF7A4089F3A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A243
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A257
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A2BE

Strings

GMT, xrefs: 00007FF7A4089FEE
TRUE, xrefs: 00007FF7A408A21D
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7A408A061

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: isupper$free
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
API String ID: 573759493-910067264
Opcode ID: 0274bb0e400fd016776ae599146ae9ddd6b264a5e5dc0fb4a6732b712856ce7f
Instruction ID: 6d01b0d9331b44e690f15c0e9e75bbe7dcab9c991e983264263266948b84fb8e
Opcode Fuzzy Hash: 0274bb0e400fd016776ae599146ae9ddd6b264a5e5dc0fb4a6732b712856ce7f
Instruction Fuzzy Hash: B4613621E0E59244FB15AF26968427BFB91EB01781FC640B1D68D42AB6CF7FD521E720

Function 00007FF7A4035DE0 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00007FF7A4031DCA), ref: 00007FF7A4035E71
memcpy.VCRUNTIME140(?,?,?,00007FF7A4031DCA), ref: 00007FF7A4035EB5
memcpy.VCRUNTIME140(?,?,?,00007FF7A4031DCA), ref: 00007FF7A4035ECD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7A4031DCA), ref: 00007FF7A4035F52

Part of subcall function 00007FF7A408FB18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF7A40343FE,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A408FB32

memcpy.VCRUNTIME140(?,?,?,00007FF7A4031DCA), ref: 00007FF7A4035F84
memcpy.VCRUNTIME140(?,?,?,00007FF7A4031DCA), ref: 00007FF7A4035F9F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A4035FBC

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: c83a54589fa87dc50eab96c109bff6bbfd11847a837944325d67e2738dc9878a
Instruction ID: 83a19c23640e833112c09463b807d0411d2e733fed182c75fed6b6b050460f8f
Opcode Fuzzy Hash: c83a54589fa87dc50eab96c109bff6bbfd11847a837944325d67e2738dc9878a
Instruction Fuzzy Hash: 1E51E932A05B8181EB08EF26D64826AA761FB14BD4F954A31DE2D473F5CF39F1A1E350

Function 00007FF7A40886DB Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Strings

Signature, xrefs: 00007FF7A40889DF
GMT, xrefs: 00007FF7A408878E
Signature: %s, xrefs: 00007FF7A40889F7
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7A40887FF

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Signature
API String ID: 2190258309-3231818857
Opcode ID: 8ead59d0cc5f3b0d3cd798f73adf085f83e2e1a8f83e072cb6227eff2c3bee4e
Instruction ID: 3ef65cdb41088d3dabe65b1c8a8f955c7e107f9ff21ec6efc1c2c358ceabbbd6
Opcode Fuzzy Hash: 8ead59d0cc5f3b0d3cd798f73adf085f83e2e1a8f83e072cb6227eff2c3bee4e
Instruction Fuzzy Hash: 8051E363A0E6C285EA10DF27A9846BBF7A4EB45781F850071DA8D03775DF3EE125E310

Function 00007FF7A4058D30 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082A54
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082A7A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4082A88

Strings

true, xrefs: 00007FF7A40829F4
Digest, xrefs: 00007FF7A4058D58
stale, xrefs: 00007FF7A40829DF

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Digest$stale$true
API String ID: 1294909896-2487968700
Opcode ID: fa91a0250978750f9259b25ace6eee135c3ef38397716072aef58d0f62bb0c78
Instruction ID: 8d61a106773af64919dbbea796438b5901d8e348d346f74abde08d4ac24899f3
Opcode Fuzzy Hash: fa91a0250978750f9259b25ace6eee135c3ef38397716072aef58d0f62bb0c78
Instruction Fuzzy Hash: FF51D622A0AA4246EB20AF22E59037BB3A0FF54785F8541B5DA8D472F1DF2DD531E730

Function 00007FF7A407C8C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

recvfrom.WS2_32 ref: 00007FF7A407C920
memcpy.VCRUNTIME140 ref: 00007FF7A407C946
memchr.VCRUNTIME140 ref: 00007FF7A407CA43

Strings

Internal error: Unexpected packet, xrefs: 00007FF7A407C9E8
Received too short packet, xrefs: 00007FF7A407C972
TFTP error: %s, xrefs: 00007FF7A407CA60

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memchrmemcpyrecvfrom
String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
API String ID: 3107918033-477593554
Opcode ID: 0c93f5223128682b2c0041b548f434a10e6fe3b52573237400c3c347fc413c6c
Instruction ID: 5025a2b82e710c45043e3a7c16bee30a6a5c73d3bc638a20cf5020fd08c39de3
Opcode Fuzzy Hash: 0c93f5223128682b2c0041b548f434a10e6fe3b52573237400c3c347fc413c6c
Instruction Fuzzy Hash: 2A514871A0D98285EB64EF2294903BBB390FB40B49F864072DA4D477B5DE3ED421DB21

Function 00007FF7A4032380 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4036DE0: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF7A40323DB), ref: 00007FF7A4036E5E
Part of subcall function 00007FF7A4036DE0: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF7A40323DB), ref: 00007FF7A4036E6C
Part of subcall function 00007FF7A4036DE0: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF7A40323DB), ref: 00007FF7A4036E82

Part of subcall function 00007FF7A4033BC0: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7A4031D9B), ref: 00007FF7A4033C06

Part of subcall function 00007FF7A4035DE0: memcpy.VCRUNTIME140(?,?,?,00007FF7A4031DCA), ref: 00007FF7A4035E71

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032479
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40324B8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032506
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032554

Strings

, column , xrefs: 00007FF7A4032409
at line , xrefs: 00007FF7A40323CC

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID: at line $, column
API String ID: 2665656946-191570568
Opcode ID: e3e18ae7d8bdb10a3831579929a218dcf241e4e20c85fb7eaf6288b65ea3a085
Instruction ID: f7a7bd831a01cd1158ba5bcca806569e887975e1b17c547d9c4e9b833f10cbe7
Opcode Fuzzy Hash: e3e18ae7d8bdb10a3831579929a218dcf241e4e20c85fb7eaf6288b65ea3a085
Instruction Fuzzy Hash: 4B510562B05B8189FB04EF75D5843AD7721EB447A8F414274DA6C13BFADE39E0A5E310

Function 00007FF7A4081440 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,Negotiate,?,00007FF7A4064DD6), ref: 00007FF7A408159D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,Negotiate,?,00007FF7A4064DD6), ref: 00007FF7A40815B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40815C5

Strings

Proxy-, xrefs: 00007FF7A408156D
%sAuthorization: Negotiate %s, xrefs: 00007FF7A408157E
Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 00007FF7A40814F1
Negotiate, xrefs: 00007FF7A4081446, 00007FF7A4081522

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$Proxy-
API String ID: 1294909896-1255959952
Opcode ID: 6763051c228c31c864c50f42b3268d148b359703256ab87795060e244ba2952e
Instruction ID: 2a076bc490be95420b8c647a1104655eecfb0461475bb1527bf6e6515569b65d
Opcode Fuzzy Hash: 6763051c228c31c864c50f42b3268d148b359703256ab87795060e244ba2952e
Instruction Fuzzy Hash: 7551F622A0A64296FB11EF62D5C02BAB790FF50795F864071DA4D872B1DF3EE471D3A0

Function 00007FF7A407F797 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: a836fe27a0d5cae35f9326d9bbdda8680830951909b3b77083bcb3be45e33309
Instruction ID: bbcc5ac24ecd623aa0653b0948fd0d397ad5c3bfe5bb803a73d627efd7d317f2
Opcode Fuzzy Hash: a836fe27a0d5cae35f9326d9bbdda8680830951909b3b77083bcb3be45e33309
Instruction Fuzzy Hash: 8641DB12A0EA8245EA61AF32509437BAB90BF41794F8A05F1DD9D073F1DE2EA414E732

Function 00007FF7A407F787 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 316bb1082a1ff7fe208b000f1608c5f407bf4d7f4cc0991fefd91e9ebab00efb
Instruction ID: a844b8088a2b9fc53e89882c8bb7f65a6b881b992557f91c3166d19a6aa5b570
Opcode Fuzzy Hash: 316bb1082a1ff7fe208b000f1608c5f407bf4d7f4cc0991fefd91e9ebab00efb
Instruction Fuzzy Hash: C341DB12A0EA8254EA61AF32509437AAB90BF45794F8A05F1DD9D073F1DE2EA414E732

Function 00007FF7A407F6EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: aae2820c9649b90ef2d383910c1fadb4125827575a96e270d23418d742a52359
Instruction ID: f7c47d73bb3fabb124eae190492edc57f171075061d51d366c7f86ed1d55c802
Opcode Fuzzy Hash: aae2820c9649b90ef2d383910c1fadb4125827575a96e270d23418d742a52359
Instruction Fuzzy Hash: CA41DB12E0EA8254FA61AF32509437AAB90BF45794F8A05F1DD9D073F1DE2EA414E732

Function 00007FF7A407F708 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 0ab6ac1c18ef0320f00ca7f7923387b5228cdbe9ffea08c42e176cd2e22e9a25
Instruction ID: 74f90ad76e28a1cb1aec7303f2cf0989828ff7cd14e645799b7ce0ffe0d98e12
Opcode Fuzzy Hash: 0ab6ac1c18ef0320f00ca7f7923387b5228cdbe9ffea08c42e176cd2e22e9a25
Instruction Fuzzy Hash: C141DB12E0EA8254FA61AF32509437AAB90BF45794F8A05F1DD9D073F1DE2EA414E732

Function 00007FF7A407F6FA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 23aa1005768f67b0a7803d65c085971b2caefa34fb9e22005dc80a51b15d3ea0
Instruction ID: 1a0036422835f5b5b8ddf8ac126568ec1a04cb70cc9371e5850d1909b2c133c4
Opcode Fuzzy Hash: 23aa1005768f67b0a7803d65c085971b2caefa34fb9e22005dc80a51b15d3ea0
Instruction Fuzzy Hash: 4041FB02E0EA8254FA61AF32509437AAB90BF01794F8A05F1DD9D073F1DE2EA414E732

Function 00007FF7A407F732 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: f228cae64e71e781229f9b6479e405da6372a9773d43e5d1e04a0a821faac6b0
Instruction ID: 9e2f3329434dba89efa6306a0d2df807102db6cf193dc84380ac2ca6078edbf0
Opcode Fuzzy Hash: f228cae64e71e781229f9b6479e405da6372a9773d43e5d1e04a0a821faac6b0
Instruction Fuzzy Hash: 4D41DB12E0FA8254FA61AF32509437AAB90BF45794F8A05F1DD9D073F1DE2EA414E732

Function 00007FF7A407F7BD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F7FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407F84E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F90A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407F9FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407FA0B

Strings

%%%02x, xrefs: 00007FF7A407F8B3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: bd63b37f65a71803bae912e8edbf27233404d76ff63f84e9c836a8ed04050242
Instruction ID: c82272c27ac216247f2d1f07c38c7c4fe543009ccdd0140a24fcdc21059f32f0
Opcode Fuzzy Hash: bd63b37f65a71803bae912e8edbf27233404d76ff63f84e9c836a8ed04050242
Instruction Fuzzy Hash: 1841DB12A0EA8254EA61AF32509437AAB90BF45794F8A05F1DD9D073F1DE2EA414E732

Function 00007FF7A40648A0 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF7A4064986
strchr.VCRUNTIME140 ref: 00007FF7A4064999
strchr.VCRUNTIME140 ref: 00007FF7A40649AB

Strings

Expect, xrefs: 00007FF7A4064907
100-continue, xrefs: 00007FF7A40649C6
Expect: 100-continue, xrefs: 00007FF7A4064A08
Expect:, xrefs: 00007FF7A406492E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr
String ID: 100-continue$Expect$Expect:$Expect: 100-continue
API String ID: 2830005266-711804848
Opcode ID: e99b9d8e9f113d2fb1ae666f3e3339b9bff7e13fa51ae1e990fb26d58e4bd974
Instruction ID: 5e7ec9d4eaddf10b481787993ec2ff305fa8ebce4b3ce766f3fd2a7fd0bcd335
Opcode Fuzzy Hash: e99b9d8e9f113d2fb1ae666f3e3339b9bff7e13fa51ae1e990fb26d58e4bd974
Instruction Fuzzy Hash: C8418A31B1E68291EA54FF1B64800BBE390DF45784F9E40B0DA4E07776EE9EE411A729

Function 00007FF7A407D410 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7A407D428
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7A407D591

Strings

gfff, xrefs: 00007FF7A407D49C
set timeouts for state %d; Total %ld, retry %d maxtry %d, xrefs: 00007FF7A407D56C
Connection time-out, xrefs: 00007FF7A407D44B
gfff, xrefs: 00007FF7A407D508

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
API String ID: 1670930206-870032562
Opcode ID: 1482dd197fc30249b75023598b4a51e44251721b587a5b4df71408df51d1a5b0
Instruction ID: b6e4cdc9e6f5b56cbb75caef9170567194a81438ef0a9ad1de2b5decef190dba
Opcode Fuzzy Hash: 1482dd197fc30249b75023598b4a51e44251721b587a5b4df71408df51d1a5b0
Instruction Fuzzy Hash: 3E41F872715A1587DB20DF2BE08056AB7A0FB98F88F915031DE0C87774DE3AE561DB41

Function 00007FF7A4087F20 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088409
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40884D2

Strings

Expire Date, xrefs: 00007FF7A40883DD
Public Key Algorithm, xrefs: 00007FF7A4088488
%s%lx, xrefs: 00007FF7A4087F7D
Public Key Algorithm: %s, xrefs: 00007FF7A40884A2
Expire Date: %s, xrefs: 00007FF7A40883F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$%s%lx$Expire Date$Public Key Algorithm
API String ID: 1294909896-3155708153
Opcode ID: 9390edc3f400d876a4391df1fadf0e16e53e9297dc30be422b19365ee7073859
Instruction ID: 50dc39f21ffc5f9f191fe54adab7eaf5e665f101f1243b96a0812c7feeb91ca4
Opcode Fuzzy Hash: 9390edc3f400d876a4391df1fadf0e16e53e9297dc30be422b19365ee7073859
Instruction Fuzzy Hash: 4E41A762A0A78144EA10BF2399841FBB761EF05785FC554B1DE4D0B7B6EF3EE124A320

Function 00007FF7A408861E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7A40886B4
Signature, xrefs: 00007FF7A40889DF
GMT, xrefs: 00007FF7A4088674
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Signature
API String ID: 2190258309-3662781045
Opcode ID: b395d39516c44ad864a1eaaf70241685fcfc5f6f8e61584dd39769494ddd85ac
Instruction ID: 97af0e3e9f54c61dfc3571ae32f6611ec9415a88468bfacf57948ffa0784a253
Opcode Fuzzy Hash: b395d39516c44ad864a1eaaf70241685fcfc5f6f8e61584dd39769494ddd85ac
Instruction Fuzzy Hash: BC419123A0AA8285EB10EF26E5801ABF360FB44B85FD90472DA8D07775DF3ED565D320

Function 00007FF7A40873E1 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
%s%lx, xrefs: 00007FF7A4087436
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%s%lx$Serial Number$Signature Algorithm
API String ID: 1294909896-659367561
Opcode ID: 753980499a01d3a6e5fd097534c5de725a24fe47e6e6276afe50a599a360c2d7
Instruction ID: 2943907ecd01f58cc2bcdd7cadec4e24f2fb1d680b7c548d3703a50737dcc1c0
Opcode Fuzzy Hash: 753980499a01d3a6e5fd097534c5de725a24fe47e6e6276afe50a599a360c2d7
Instruction Fuzzy Hash: A041AC51A0B74244EE10AF2399841BBBB51EF05785FC554B1DE4D077B6EF3EE124A320

Function 00007FF7A4070720 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407075D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40707CE

Strings

., xrefs: 00007FF7A40707C7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree
String ID: .
API String ID: 1865132094-916926321
Opcode ID: b63ea8ecd14ad69126fd20cd5c861c4bc34c19ec2643a61da08846b8492e2fd4
Instruction ID: 2662f627162f993b3451488f24b57450060088658c8595b8c7db13177bc9bdb8
Opcode Fuzzy Hash: b63ea8ecd14ad69126fd20cd5c861c4bc34c19ec2643a61da08846b8492e2fd4
Instruction Fuzzy Hash: D2419322E0AF8586E650AF12D48077BA3A0FB44B80F964171DE4D47670DF7EE461DBA1

Function 00007FF7A40876EE Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408771F
memcpy.VCRUNTIME140 ref: 00007FF7A408774A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3401966785-517259162
Opcode ID: d7856b8d5f777aa892999a3c922b1d7cfea9bb5a062f3762ac05135a2f3dafbf
Instruction ID: 33db4c2581984f48dbe00fc4a53c60d4eef8bc4bd427168b24b72f90a3b1ec47
Opcode Fuzzy Hash: d7856b8d5f777aa892999a3c922b1d7cfea9bb5a062f3762ac05135a2f3dafbf
Instruction Fuzzy Hash: 8941A461A0A78244EA14AF2399841BBB751EF05789F8944B1CE4D1B7B9EF3DE124E320

Function 00007FF7A4080D40 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A406C850: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4050DC9,?,?,?,?,00007FF7A405016B), ref: 00007FF7A406C878
Part of subcall function 00007FF7A406C850: GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF7A4050DC9,?,?,?,?,00007FF7A405016B), ref: 00007FF7A406C89E
Part of subcall function 00007FF7A406C850: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4050DC9,?,?,?,?,00007FF7A405016B), ref: 00007FF7A406C8BF
Part of subcall function 00007FF7A406C850: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4050DC9,?,?,?,?,00007FF7A405016B), ref: 00007FF7A406C8D0

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4080DDF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4080E28
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4080E31

Strings

%s%s.netrc, xrefs: 00007FF7A4080D9F
%s%s_netrc, xrefs: 00007FF7A4080DF4
HOME, xrefs: 00007FF7A4080D79

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$realloc$EnvironmentVariable
String ID: %s%s.netrc$%s%s_netrc$HOME
API String ID: 4174189579-3384076093
Opcode ID: 5a46b0e3afca5a6a4ec30040578a373ec9295e4f61d04f1fde2b3d00aa97b5a7
Instruction ID: 392c4aab08ba7e83e659332441eb3c211c643a0ff81843c7a5f261132668c973
Opcode Fuzzy Hash: 5a46b0e3afca5a6a4ec30040578a373ec9295e4f61d04f1fde2b3d00aa97b5a7
Instruction Fuzzy Hash: 9C317E22A0AB4285EA20AF13B880167F6A0FF84BD0F964575ED8C07775DF3DE425E720

Function 00007FF7A408886D Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40888A8
memcpy.VCRUNTIME140 ref: 00007FF7A40888CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Strings

Signature, xrefs: 00007FF7A40889DF
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$memcpy
String ID: Signature: %s$Signature
API String ID: 3519880569-1663925961
Opcode ID: 34a48ab91b12ca1c89951ef2c113a6f5388b11eaa1205b049ac34310286ba828
Instruction ID: 6aeb7e38e09ac59107963de2c9e1fa05d405bdc53d231ff9b00c50e35909ac10
Opcode Fuzzy Hash: 34a48ab91b12ca1c89951ef2c113a6f5388b11eaa1205b049ac34310286ba828
Instruction Fuzzy Hash: A731B462B0A78245EE14AF17A5842BBA360FF84BD4F890571CE4D177B5EF3DE0119310

Function 00007FF7A406F246 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A404B430: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A404B474

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406F284
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A406F296

Strings

Select failed, xrefs: 00007FF7A406F328
Mailbox UIDVALIDITY has changed, xrefs: 00007FF7A406F2CE
OK [UIDVALIDITY %19[0123456789]], xrefs: 00007FF7A406F268

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: __stdio_common_vsscanf_strdupfree
String ID: Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$Select failed
API String ID: 860312144-3309259123
Opcode ID: 9b6c21fb7c6599bea0d2966efac14e01a133b0400a08b8162234a834becce6a6
Instruction ID: ac930ca89fba53953e0c7a16a7746ef2c94892ff7f442986d7568648df295993
Opcode Fuzzy Hash: 9b6c21fb7c6599bea0d2966efac14e01a133b0400a08b8162234a834becce6a6
Instruction Fuzzy Hash: 53318435B0A65291EA50BF27D4C017FE290FF84780F9248B2DA0E47275DF6EE471A762

Function 00007FF7A40885F5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40885F8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Part of subcall function 00007FF7A4050B50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050BA2

Strings

Signature, xrefs: 00007FF7A40889DF
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: Signature: %s$Signature
API String ID: 1941130848-1663925961
Opcode ID: 7e56c2e8ba74402fe288d4c1ef97076b8df79f77a710d275dba80dddc7bb11cb
Instruction ID: dce477e1166f53a9d087d0c69dc2ee20fa8ae835e0fbaa5c36cccb9cf54b1079
Opcode Fuzzy Hash: 7e56c2e8ba74402fe288d4c1ef97076b8df79f77a710d275dba80dddc7bb11cb
Instruction Fuzzy Hash: 35215363B0AA8285EA10DF16A4846ABB364FF45BC4F850471DE4D07775EF2DD111D720

Function 00007FF7A4055F50 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A4055F85
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A4055FB1
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A4055FB9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A4055FDB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7A40532CC), ref: 00007FF7A4055FF2

Strings

Invalid zoneid: %s; %s, xrefs: 00007FF7A4055FC4

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_errnostrerrorstrtoul
String ID: Invalid zoneid: %s; %s
API String ID: 439826447-2159854051
Opcode ID: 2552f959700923b3427cb8006f2c82a18131d612df883aff6fa4de5977450510
Instruction ID: d9cf8765e464629da29e741830098f7d3d0e8275be2a736427a2f9ce7f64dd19
Opcode Fuzzy Hash: 2552f959700923b3427cb8006f2c82a18131d612df883aff6fa4de5977450510
Instruction Fuzzy Hash: 3A11D632A0B64286EB50AF23E8C057AA370FF85B44F954471DA4D83A74DE2ED860E720

Function 00007FF7A4055E80 Relevance: 10.0, APIs: 8, Instructions: 36COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055E94
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055EAA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055EBE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055ED2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055EE6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055EFA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055F0E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A4055F22

Part of subcall function 00007FF7A407EE20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4055F3B,?,?,00000000,00007FF7A4051983,?,?,00000000,00007FF7A4051F05), ref: 00007FF7A407EE35

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: cc701dd807a2de35d7b90ce0a0f5c20ef81b97b0dbdd88433eb2069ca0843ede
Instruction ID: fb96cd70828dc5bce96b076b324f4af437e282efd770ea54594871facc9888a0
Opcode Fuzzy Hash: cc701dd807a2de35d7b90ce0a0f5c20ef81b97b0dbdd88433eb2069ca0843ede
Instruction Fuzzy Hash: 9D11B336609F80C1D710AF22E9941E973B4FBC9FCAB590531DE9A4F668CF3880A5D230

Function 00007FF7A403C610 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7A403C6FA
memcpy.VCRUNTIME140 ref: 00007FF7A403C709
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A403C73D
memcpy.VCRUNTIME140 ref: 00007FF7A403C744
memcpy.VCRUNTIME140 ref: 00007FF7A403C753
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A403C778

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 0937b708e2fe17d654e00c07f550e58b69d54d58ae64189525f92fa438c7aa15
Instruction ID: 378aa545782c939a8529675a80748b7cd5a078d99c41644b26bb5f2490b38102
Opcode Fuzzy Hash: 0937b708e2fe17d654e00c07f550e58b69d54d58ae64189525f92fa438c7aa15
Instruction Fuzzy Hash: F731132271E74181EE18AF2796841AAE251EB04BE0FC60A71DE6D477F5CF3DE061E310

Function 00007FF7A4034EC0 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF7A4033C35,?,?,?,?,?,00007FF7A4031D9B), ref: 00007FF7A4034FB3
memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF7A4033C35,?,?,?,?,?,00007FF7A4031D9B), ref: 00007FF7A4034FC1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,0000000F,00007FF7A4033C35,?,?,?,?,?,00007FF7A4031D9B), ref: 00007FF7A4034FFA
memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF7A4033C35,?,?,?,?,?,00007FF7A4031D9B), ref: 00007FF7A4035004
memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF7A4033C35,?,?,?,?,?,00007FF7A4031D9B), ref: 00007FF7A4035012
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A4035041

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 13b12c59ad332770c5e2ef552953df7cc1051dc384361dca5f05cbda1b42f09a
Instruction ID: 4d4d83ae6d76fe5020381d0231881f046a14ad47bb44115cdb9947869a0be0e2
Opcode Fuzzy Hash: 13b12c59ad332770c5e2ef552953df7cc1051dc384361dca5f05cbda1b42f09a
Instruction Fuzzy Hash: 3A41E62170A68145EA24AF27A64426BE750EB04BE4F990670EF6D0B7F5CF3DF061A310

Function 00007FF7A408821F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088409
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40884D2

Strings

Expire Date, xrefs: 00007FF7A40883DD
Public Key Algorithm, xrefs: 00007FF7A4088488
Public Key Algorithm: %s, xrefs: 00007FF7A40884A2
Expire Date: %s, xrefs: 00007FF7A40883F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 1294909896-2901970132
Opcode ID: d1af9e19bfd3234d3eeaf2121e00c9d2f5c8de4f447ef79f15fbd6379bd1cdda
Instruction ID: bf49a45ac2687b74a645dcb4ace5a6ca02098c59e97f10c6dda996c751342159
Opcode Fuzzy Hash: d1af9e19bfd3234d3eeaf2121e00c9d2f5c8de4f447ef79f15fbd6379bd1cdda
Instruction Fuzzy Hash: FB41D562A0A78148EB10AF2289841FBB761FF05789F894571DE0D0B7B9EF3DE124D320

Function 00007FF7A40876AF Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: 49062338fa728a480f03ffc8c73f599868ed05a6081dec6f2208dcaaeaa7c8b2
Instruction ID: e0d251fff6640931f14c88eb6f4eeb391e1f325e5112cd7a2009accc1c14d92e
Opcode Fuzzy Hash: 49062338fa728a480f03ffc8c73f599868ed05a6081dec6f2208dcaaeaa7c8b2
Instruction Fuzzy Hash: 2D419662A0A78148EB14AF2399841FABB51FF05789F8944B1DE4D177B9EF3DE160D320

Function 00007FF7A408E160 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408E209
memcpy.VCRUNTIME140 ref: 00007FF7A408E225
memcpy.VCRUNTIME140 ref: 00007FF7A408E23C
memcpy.VCRUNTIME140 ref: 00007FF7A408E257
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408E28A

Strings

PLAIN, xrefs: 00007FF7A408E16B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$freemalloc
String ID: PLAIN
API String ID: 3313557100-4000620671
Opcode ID: 7aa8b1226e8794902b3a7c6f13b299fd038e878eeaebd1f4d39a8c2478d064d5
Instruction ID: f339e879770697535c02715e05d1b27beac516d50ea99c5e81ba3358b07d2f96
Opcode Fuzzy Hash: 7aa8b1226e8794902b3a7c6f13b299fd038e878eeaebd1f4d39a8c2478d064d5
Instruction Fuzzy Hash: 6531E472A09B8182EB109F52A5802ABB790FB45BE4F854671DE9C477B6DE3DD015D320

Function 00007FF7A4087F95 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088409
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40884D2

Strings

Expire Date, xrefs: 00007FF7A40883DD
Public Key Algorithm, xrefs: 00007FF7A4088488
Public Key Algorithm: %s, xrefs: 00007FF7A40884A2
Expire Date: %s, xrefs: 00007FF7A40883F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 1294909896-2901970132
Opcode ID: fea23052cc03ec577b2374940ed169039e7147ae94743ab8b869cfc91bf29e50
Instruction ID: 2b4f8c65d81dd688c8cd83cf14b64b9fb12daaf9a87b5e0d3ebfd90a84a9fd10
Opcode Fuzzy Hash: fea23052cc03ec577b2374940ed169039e7147ae94743ab8b869cfc91bf29e50
Instruction Fuzzy Hash: 98319762A0A78144EB10BF6299801FBB761FF05789F855471DE4D1B7B6EF3DE124A320

Function 00007FF7A4070241 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40702C6
memcpy.VCRUNTIME140 ref: 00007FF7A40702E1
strchr.VCRUNTIME140 ref: 00007FF7A40702FD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407030E

Strings

Got unexpected pop3-server response, xrefs: 00007FF7A4070261
CAPA, xrefs: 00007FF7A4070324

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: callocfreememcpystrchr
String ID: CAPA$Got unexpected pop3-server response
API String ID: 2887963327-1591402739
Opcode ID: 8f7bb6eff1932f0ffaac0f1d66c4d701fe0cc7ba242ca57fc2f904d82a641f28
Instruction ID: bed812e9dd93fffd6a6383646860683104506f06dfd5767bff487476cc6b920a
Opcode Fuzzy Hash: 8f7bb6eff1932f0ffaac0f1d66c4d701fe0cc7ba242ca57fc2f904d82a641f28
Instruction Fuzzy Hash: B731C762B0BB8242FA15BF12948027BB294BB01750FC502B5DB1D032B1CF7EE475A722

Function 00007FF7A4088550 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Strings

Signature, xrefs: 00007FF7A40889DF
%s%lx, xrefs: 00007FF7A40885AD
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%s%lx$Signature
API String ID: 2190258309-1406629954
Opcode ID: 8f7e6674a1c1ba69b688cbb497cb26438ce796b53516a398fe8ab6d44bb0a6f9
Instruction ID: 4aad7b66419f072ee50a6163c5d317aaacb7fdee94719ae5523e71de8d15d06c
Opcode Fuzzy Hash: 8f7e6674a1c1ba69b688cbb497cb26438ce796b53516a398fe8ab6d44bb0a6f9
Instruction Fuzzy Hash: 9231C463B0A68285EA20AF27A5846BBB361FF45BC5F950471DE4D07775EE2EE010E720

Function 00007FF7A40785E0 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40785F1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407865D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407866F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupcallocfree
String ID:
API String ID: 1236595397-0
Opcode ID: b39798a8aef06ed82c566a2d88ee447f92a66763dc49ba57baf9da5a54a9cb28
Instruction ID: f092858c4f7f0d1423c509d60690ac49b6dcd2f4eed080add096ba4c614e30a7
Opcode Fuzzy Hash: b39798a8aef06ed82c566a2d88ee447f92a66763dc49ba57baf9da5a54a9cb28
Instruction Fuzzy Hash: 9F31A533A0AB8581EB419F26D0903BBA7A0FB85B84F590470DE4D077B5DF2ED4659B21

Function 00007FF7A4087451 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: 3d01aac320b6837197919b4d404cc678e73ef002af64dabce31c7302412ab6f4
Instruction ID: 120a6835f4707cc4032428b72030934b4e71e3f29eccde48ff3740c068060a58
Opcode Fuzzy Hash: 3d01aac320b6837197919b4d404cc678e73ef002af64dabce31c7302412ab6f4
Instruction Fuzzy Hash: F231A851A0B74244FA14AF6399841FBBB50EF05789F8954B1DE4E076BAEF3DE120A320

Function 00007FF7A408748F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4089110: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408915C

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Part of subcall function 00007FF7A4050B50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050BA2

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3061335427-517259162
Opcode ID: 632438d9ac447024213cf64137fedb5f060d340c63d455fcb278728206f4af24
Instruction ID: 11aa7eecaadc959964ec51a4412012985f5926c9ad2cbc640489f21908ca2a41
Opcode Fuzzy Hash: 632438d9ac447024213cf64137fedb5f060d340c63d455fcb278728206f4af24
Instruction Fuzzy Hash: 51319751A0A74244EA10AF6299841FBB750EF05789F8954B5DE4D073BAEF3DE120A320

Function 00007FF7A4087469 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A408AC20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408AC55

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408788E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4087933

Part of subcall function 00007FF7A4050B50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050BA2

Strings

Serial Number: %s, xrefs: 00007FF7A408787C
Serial Number, xrefs: 00007FF7A4087862
Signature Algorithm: %s, xrefs: 00007FF7A4087921
Signature Algorithm, xrefs: 00007FF7A4087907

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3061335427-517259162
Opcode ID: 9677d2b0a011c57c10e4aa2445b7a7815ea8b8af1046fe33e2643f36df8bb4f2
Instruction ID: 7d22eb1dcbb2d36f8601b7351b689b5fdc96200b9447f4883ee2a1be320b9df5
Opcode Fuzzy Hash: 9677d2b0a011c57c10e4aa2445b7a7815ea8b8af1046fe33e2643f36df8bb4f2
Instruction Fuzzy Hash: 4531A751A0A78244FB10AF6399841FBBB50EF05789F8944B5DE4D077BAEF3DE120A320

Function 00007FF7A4076273 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407628F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407630B

Strings

OS/400, xrefs: 00007FF7A40762D9
SITE NAMEFMT 1, xrefs: 00007FF7A40762EC

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemalloc
String ID: OS/400$SITE NAMEFMT 1
API String ID: 3061335427-2049154998
Opcode ID: 4a9e05dfc51966e101f837aa05a72b838e2f85a4623016fdb596f5f70d8ea46e
Instruction ID: 1c169bc4513f8973dd858edfdb3f8af5a3f93d9b9166188033b0b4b294272126
Opcode Fuzzy Hash: 4a9e05dfc51966e101f837aa05a72b838e2f85a4623016fdb596f5f70d8ea46e
Instruction Fuzzy Hash: 7431E631E0EE8245E7B46F1294803BAA360BB457A4F8104B1CB8E13671DE3DD466EB21

Function 00007FF7A4032620 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4034320: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A4034351

Part of subcall function 00007FF7A4033C40: memcpy.VCRUNTIME140 ref: 00007FF7A4033C93

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40326F2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4032740
__std_exception_copy.VCRUNTIME140 ref: 00007FF7A4032790
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40327DD

Strings

out_of_range, xrefs: 00007FF7A4032666

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$__std_exception_copy
String ID: out_of_range
API String ID: 2484256320-3053435996
Opcode ID: 4910cf63ee3357ecd4b6187b3e6a3d560b349bb99ce6059dd4b311dc1bc49d05
Instruction ID: b1e6bf3bce55620c871b282d7b740c254911268fbe37ea5fac90c382e2d505e7
Opcode Fuzzy Hash: 4910cf63ee3357ecd4b6187b3e6a3d560b349bb99ce6059dd4b311dc1bc49d05
Instruction Fuzzy Hash: 0B51C132A1AB4198EB04DF76D9803AD7360FB44798F814675EA6C03AF5DF39E1A5D310

Function 00007FF7A407FE90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407FF08
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407FF3A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407FFAA

Part of subcall function 00007FF7A4068210: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7A404B23A,?,?,?,?,?,?,?,00007FF7A404B007), ref: 00007FF7A4068221

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4080025

Strings

0123456789abcdefABCDEF:., xrefs: 00007FF7A407FEFE

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _errno_strdupstrcspnstrncmpstrspn
String ID: 0123456789abcdefABCDEF:.
API String ID: 2191890455-446397347
Opcode ID: 3b096047c27d3cc3aeb4b63a3ee3fdb4ca5a52993c628db9d172197649922165
Instruction ID: 2ded34a54796dbd0bce02d8375e7837acb7f6102e23ac6bfc37e9dd07dda34cf
Opcode Fuzzy Hash: 3b096047c27d3cc3aeb4b63a3ee3fdb4ca5a52993c628db9d172197649922165
Instruction Fuzzy Hash: 88412912A0EAC545EB219F22999037BB790EF06744FC600B1DA4D437F5CF2EE465EB22

Function 00007FF7A4089E78 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A243
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A257
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A2BE

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7A4089F26
GMT, xrefs: 00007FF7A4089ED4

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: isupper$free
String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
API String ID: 573759493-632690687
Opcode ID: ef0608db8336db747be93a541bb0dfd36b2db52adac83aae4fe57bd2a8464754
Instruction ID: ba5065e512f57a56fecc84e2b6c3e2971f5aaf8c957875e8f22f0b6b2ee55778
Opcode Fuzzy Hash: ef0608db8336db747be93a541bb0dfd36b2db52adac83aae4fe57bd2a8464754
Instruction Fuzzy Hash: C9410621A0EA9285F721EF26968027BFB91EB01741FCA41B1C68D02AB5CF7FD561D720

Function 00007FF7A405F860 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405F8CA
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405F93B
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7A405F99B

Strings

Hostname in DNS cache was stale, zapped, xrefs: 00007FF7A405F9C2
:%u, xrefs: 00007FF7A405F8DE, 00007FF7A405F944

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: tolower$_time64
String ID: :%u$Hostname in DNS cache was stale, zapped
API String ID: 4068448496-2924501231
Opcode ID: 78cbedec7f8cce32c60e4a6791c285383e5d29da9d607bd30dc434ffb4fa044e
Instruction ID: e9a246c0f1323f2470a8141fe913cfda71f536fb61bc95ff308e106f67d31e78
Opcode Fuzzy Hash: 78cbedec7f8cce32c60e4a6791c285383e5d29da9d607bd30dc434ffb4fa044e
Instruction Fuzzy Hash: 3641182261AA8291EB10EF22E4807FAA754FB44B98F858272EF5D077B5DF3DE015D311

Function 00007FF7A4034320 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A4034351
memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A4034416
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A403446A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A4034471

Part of subcall function 00007FF7A408FB18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF7A40343FE,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A408FB32

Strings

https://keyauth.win/api/1.2/, xrefs: 00007FF7A4034322

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: https://keyauth.win/api/1.2/
API String ID: 1155477157-3933380396
Opcode ID: e5d09450d75d7d0d2a987c36b25d823e2b26b5c7a33540b2d8d186e69df48b6a
Instruction ID: 9a14df6d1535d1ee5f8f1eccb644383ba10cee843582a8387e9547936b43cff9
Opcode Fuzzy Hash: e5d09450d75d7d0d2a987c36b25d823e2b26b5c7a33540b2d8d186e69df48b6a
Instruction Fuzzy Hash: DA310822B0764544EE1CEE27969427A9640DB05FE8FA60670DE2D0BBF5DE3DF0A29310

Function 00007FF7A4077320 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A406C990: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF7A4053D1F), ref: 00007FF7A406C9BE

_open.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A40773DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407742B
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A4077442
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407745B

Strings

Couldn't open file %s, xrefs: 00007FF7A4077409

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_close_openmalloc
String ID: Couldn't open file %s
API String ID: 3412525164-447283422
Opcode ID: 0074623fa6ff74a2ece1bd6b24346a1457ce3b464ab42e5d9aa92a68c6f9fb29
Instruction ID: a1b40878101e19088bc5d3860c966cb432ce13efaf1b2b0365f82b3aed14459b
Opcode Fuzzy Hash: 0074623fa6ff74a2ece1bd6b24346a1457ce3b464ab42e5d9aa92a68c6f9fb29
Instruction Fuzzy Hash: A041D631609B8182EB149F26E48027FEBA1FB45BD4F458171EA9C477B4CF3DE0219B22

Function 00007FF7A4056690 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7A405670E

Part of subcall function 00007FF7A4042E10: GetLastError.KERNEL32 ref: 00007FF7A4042E32
Part of subcall function 00007FF7A4042E10: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4042E3A

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405672C
recv.WS2_32 ref: 00007FF7A4056757
WSAGetLastError.WS2_32 ref: 00007FF7A4056769

Strings

Recv failure: %s, xrefs: 00007FF7A4056795

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLast$_errnofreememcpyrecv
String ID: Recv failure: %s
API String ID: 267823591-4276829032
Opcode ID: c0b2c462bbfc6f6cf3140b48251a684da05401aabcc64ed099c3ee0977bb49c1
Instruction ID: a1df75a41af7dce8df232c1ab613a4ff0e6f7f240f7d4f2651d88a4e7fa25858
Opcode Fuzzy Hash: c0b2c462bbfc6f6cf3140b48251a684da05401aabcc64ed099c3ee0977bb49c1
Instruction Fuzzy Hash: 1931DF76B0AB4585EB10AF12E8807AAA360FB48FD8F918535DE1C073A5DF3DD465E350

Function 00007FF7A405D120 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405D215
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405D274

Strings

Connection died, retrying a fresh connect, xrefs: 00007FF7A405D1FF
Connection died, tried %d times before giving up, xrefs: 00007FF7A405D1D8
REFUSED_STREAM, retrying a fresh connect, xrefs: 00007FF7A405D1AB

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree
String ID: Connection died, retrying a fresh connect$Connection died, tried %d times before giving up$REFUSED_STREAM, retrying a fresh connect
API String ID: 1865132094-195851662
Opcode ID: 122321848ef144a5eb798953ca0c1d251624023bb86852256078e91e6d61a04a
Instruction ID: d3588f506e46718f45c1f45ced2e2a21530f74a0c294d1bab68690f9a6f66d62
Opcode Fuzzy Hash: 122321848ef144a5eb798953ca0c1d251624023bb86852256078e91e6d61a04a
Instruction Fuzzy Hash: 4C41C832B0968181E754EF16E4903AAA790EB84B88F89C071DB4D47375CF3ED4A1D711

Function 00007FF7A405AE20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405AEA9
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405AF3F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405AF67

Strings

Unrecognized content encoding type. libcurl understands %s content encodings., xrefs: 00007FF7A405AF55
identity, xrefs: 00007FF7A405AE63, 00007FF7A405AED3, 00007FF7A405AF38

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: Unrecognized content encoding type. libcurl understands %s content encodings.$identity
API String ID: 3985033223-1703240927
Opcode ID: 3ce65709de6a11b471791b862f119d509be451c9fa4fb6099a890ec0be2c445e
Instruction ID: 741e656d633761ea822b68373104f623b7f5d031deb949f3f80c7ba25351f7c6
Opcode Fuzzy Hash: 3ce65709de6a11b471791b862f119d509be451c9fa4fb6099a890ec0be2c445e
Instruction Fuzzy Hash: 1041F761A0AA4285EF019F02E48037AE760FF44BD4F8686B1DE6D037F5DF6EE4219721

Function 00007FF7A4089D69 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4089D90
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A243
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A257
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A2BE

Strings

FALSE, xrefs: 00007FF7A4089D85

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: isupper$_strdupfree
String ID: FALSE
API String ID: 3359907120-3701058176
Opcode ID: 2d34f2484a597a418e879eedd12a99bf32e8c0fb114649a4688457f18027e939
Instruction ID: 22396fc5454754cbfdcef7fb3478b41890124286d5d010d350db49ae33958bf7
Opcode Fuzzy Hash: 2d34f2484a597a418e879eedd12a99bf32e8c0fb114649a4688457f18027e939
Instruction Fuzzy Hash: B5314D22F0F59644FB22EF2A568433AFBD0D701761F8606B1C999019F5CE6F9052D730

Function 00007FF7A40716E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A407171B
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4071761
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40717C6

Strings

RCPT TO:<%s>, xrefs: 00007FF7A40717AB
RCPT TO:<%s@%s>, xrefs: 00007FF7A407179D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfreestrpbrk
String ID: RCPT TO:<%s>$RCPT TO:<%s@%s>
API String ID: 1812939018-579818044
Opcode ID: dbaaae04e0c0637cee1d8c578a156e15624b493c6880e1ad6b2898319cc183af
Instruction ID: 9103e9691353e06a0092504ee65d8f786492033b2fd890cc5ad924575bed961c
Opcode Fuzzy Hash: dbaaae04e0c0637cee1d8c578a156e15624b493c6880e1ad6b2898319cc183af
Instruction Fuzzy Hash: F731F862A19BC181EB01EF26E4806BAE3A1FB94B80F854271EA4D077F1DF7DD511D711

Function 00007FF7A4089610 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408963D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4089B06

Strings

FALSE, xrefs: 00007FF7A4089632
TRUE, xrefs: 00007FF7A408962B
%s: %s, xrefs: 00007FF7A4089AF1

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree
String ID: %s: %s$FALSE$TRUE
API String ID: 1865132094-3430445539
Opcode ID: 48ef4f44275e059f43570315525e70aaac057089a6ab25aef8f9a0ec08dab94e
Instruction ID: f15cda98199aa77ec372b3dad39355a26512343f3b3d648492c8bd6847677076
Opcode Fuzzy Hash: 48ef4f44275e059f43570315525e70aaac057089a6ab25aef8f9a0ec08dab94e
Instruction Fuzzy Hash: 6401C851A0E78285EA60BF57A9803BBA350EB45B84F8544B1CE4D03371DF2DD055E360

Function 00007FF7A406735C Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

unknown, xrefs: 00007FF7A40673EA
SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu], xrefs: 00007FF7A40674D9
SOCKS5: connecting to HTTP proxy %s port %d, xrefs: 00007FF7A40674B0
warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu, xrefs: 00007FF7A40674F9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: SOCKS5: connecting to HTTP proxy %s port %d$SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu]$unknown$warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu
API String ID: 0-3012371547
Opcode ID: f3c5e376eb702dc3b8db46d3d4b3b824100d05c1c16a0a2f98ddfe0418445b78
Instruction ID: afcdb10934764a2b3d53ecfd02954c3df7dcc8a05427b1e18e93f1b7fcc1918c
Opcode Fuzzy Hash: f3c5e376eb702dc3b8db46d3d4b3b824100d05c1c16a0a2f98ddfe0418445b78
Instruction Fuzzy Hash: 2861237360938296E704AF2AD4802AAFF92EB41754F854175DB4E437B5EB7EE020DB21

Function 00007FF7A407234B Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4072400

Strings

Failure sending ABOR command: %s, xrefs: 00007FF7A4072521
Remembering we are in dir "%s", xrefs: 00007FF7A4072498
ABOR, xrefs: 00007FF7A40724FB
control connection looks dead, xrefs: 00007FF7A40725F2

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: ABOR$Failure sending ABOR command: %s$Remembering we are in dir "%s"$control connection looks dead
API String ID: 1294909896-1891748601
Opcode ID: 0acd3c62f0affb71bdb4f5983a9c6071fe3b6f68cc3a26af6e82112c5b8b5546
Instruction ID: 9e1c113205fa5509a467fabc2421f2493f6f892e4365633b9728bae645bb0b11
Opcode Fuzzy Hash: 0acd3c62f0affb71bdb4f5983a9c6071fe3b6f68cc3a26af6e82112c5b8b5546
Instruction Fuzzy Hash: 7751FD6190EA8245EA64FF3290D03BBE250FB40364F814275D76D076F2DF3EE4A1A762

Function 00007FF7A408A645 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A688
memcpy.VCRUNTIME140 ref: 00007FF7A408A6AE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A77B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A7CF

Strings

TRUE, xrefs: 00007FF7A408A7D9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: TRUE
API String ID: 3401966785-3412697401
Opcode ID: fdcb7d946d6f4c56cd4cb5e04898495fa3908ca8b450039cfbc1a8853e139c9d
Instruction ID: 900f1abd5229a0666a7dff705f7bc763e1f67b682b09660e21448de9f3be96d5
Opcode Fuzzy Hash: fdcb7d946d6f4c56cd4cb5e04898495fa3908ca8b450039cfbc1a8853e139c9d
Instruction Fuzzy Hash: 1B418D52B1A65205FB055E278A94336B752E7007F1F854671CA6E43BF5CDAED0A1F320

Function 00007FF7A408DEF0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7A408DEB0), ref: 00007FF7A408DF5F

Part of subcall function 00007FF7A4068210: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7A404B23A,?,?,?,?,?,?,?,00007FF7A404B007), ref: 00007FF7A4068221

Part of subcall function 00007FF7A4068210: strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF7A40683C3
Part of subcall function 00007FF7A4068210: strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF7A40683E0

strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7A408DEB0), ref: 00007FF7A408DFCE
strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7A408DEB0), ref: 00007FF7A408DFE8
strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7A408DEB0), ref: 00007FF7A408E01E

Strings

xn--, xrefs: 00007FF7A408E005

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$_errno
String ID: xn--
API String ID: 2644425738-2826155999
Opcode ID: ab7718be76a938f92153ff67d8a3bc09bce830bfbfa01c6d64e135e4cc2c1985
Instruction ID: c10cf9698974af6df94f32139929da9052aa85071ef03f10c8a560160805f85a
Opcode Fuzzy Hash: ab7718be76a938f92153ff67d8a3bc09bce830bfbfa01c6d64e135e4cc2c1985
Instruction Fuzzy Hash: 6641E751B0E28645FB54AE234A5437BE282DF85BC1F8581B0DE0DC7BF2DE2ED0616760

Function 00007FF7A406ED60 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A40680B0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A40680D1

memcpy.VCRUNTIME140 ref: 00007FF7A406EED1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A406EEDF

Strings

Failed to parse FETCH response., xrefs: 00007FF7A406EDBE
Found %I64d bytes to download, xrefs: 00007FF7A406EE32
Written %zu bytes, %I64u bytes are left for transfer, xrefs: 00007FF7A406EE9D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _errnofreememcpy
String ID: Failed to parse FETCH response.$Found %I64d bytes to download$Written %zu bytes, %I64u bytes are left for transfer
API String ID: 738009125-4268564757
Opcode ID: a3fde4d6c4e737fc03a995c0e1cce9bfe319c94d4b915a96f34b7866e6dbaaba
Instruction ID: 480d9638861f4443f743fd4cd7d7b156b5ac376bc835953d2559262e6642d92e
Opcode Fuzzy Hash: a3fde4d6c4e737fc03a995c0e1cce9bfe319c94d4b915a96f34b7866e6dbaaba
Instruction Fuzzy Hash: 8151E66270D7C292EB54AF26D4802FAF360FB45784F854072EA4D03AB5DFBEE0219352

Function 00007FF7A408882E Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Strings

Signature, xrefs: 00007FF7A40889DF
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$Signature
API String ID: 2190258309-1663925961
Opcode ID: 550720ba448e89e296b3177c9229f94ff39cbd34f470cd30af1fe67ce97d91dd
Instruction ID: 2b2b77ac253b5c209a7dae0b90475c4b55bbf078709fe474aa08664400998108
Opcode Fuzzy Hash: 550720ba448e89e296b3177c9229f94ff39cbd34f470cd30af1fe67ce97d91dd
Instruction Fuzzy Hash: E621AF23B09AC186EA109F26E8842ABB360FB44BD8F490572DE5D477B5DF3DD111D710

Function 00007FF7A40728A0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407296B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4072984
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4072998

Strings

QUIT, xrefs: 00007FF7A40728CF
Failure sending QUIT command: %s, xrefs: 00007FF7A40728F3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Failure sending QUIT command: %s$QUIT
API String ID: 1294909896-1162443993
Opcode ID: 33393fb904642c3d0dcdb626aeb8b9e9c3a7be83ef8c359fc7733d2ec1a96521
Instruction ID: 10c6d1b939af62539d585fa29065f9f594f69314e306abc87fa77f804594f491
Opcode Fuzzy Hash: 33393fb904642c3d0dcdb626aeb8b9e9c3a7be83ef8c359fc7733d2ec1a96521
Instruction Fuzzy Hash: 9F316531A0AB8285EB50EF2394903BBB3A0FB45B84F894475DA4D07A76CF2DD061D731

Function 00007FF7A40694A0 Relevance: 7.6, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4055880), ref: 00007FF7A40694D5
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4055880), ref: 00007FF7A40694EA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4055880), ref: 00007FF7A40694FF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4055880), ref: 00007FF7A406952C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4055880), ref: 00007FF7A4069535
memcpy.VCRUNTIME140(?,?,?,00007FF7A4055880), ref: 00007FF7A4069569

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$calloc$memcpy
String ID:
API String ID: 3478730034-0
Opcode ID: 625087e8469335b8afc7a4f200c7716dbfac2a474bdbc393e31681353d0923a6
Instruction ID: 690f4b0f77a21416bbc2a7a01815c6eb8aaa4dc14c8594ea8ecb7f57eb58ecb9
Opcode Fuzzy Hash: 625087e8469335b8afc7a4f200c7716dbfac2a474bdbc393e31681353d0923a6
Instruction Fuzzy Hash: E421E572B0A78186E710AF13945022BFAA1FB48BD0F964674DA9E5B7B4DF7DD0609320

Function 00007FF7A4078710 Relevance: 7.6, APIs: 5, Instructions: 62stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4078741
strchr.VCRUNTIME140 ref: 00007FF7A407876D
strchr.VCRUNTIME140 ref: 00007FF7A4078784
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40787A3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strchr$_strdupmalloc
String ID:
API String ID: 4236146995-0
Opcode ID: a40886b6908e31578bfd8f82542a965f67959f0adae9ad5dfc49a1b18558c2a1
Instruction ID: 6c989c8ae1a080274f9736bcf3e48f14c2000b9c82a69545b49e0e73d3e26ec2
Opcode Fuzzy Hash: a40886b6908e31578bfd8f82542a965f67959f0adae9ad5dfc49a1b18558c2a1
Instruction Fuzzy Hash: 5D218162B06B8581EB819F2290947AA63E1FB89B94F480074DE4D0B764EF2ED4A0D731

Function 00007FF7A40885C8 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Strings

Signature, xrefs: 00007FF7A40889DF
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$Signature
API String ID: 2190258309-1663925961
Opcode ID: 39f8e22e6010466b82858a205a4893210a525d4427fd0ac6815d1becb6796e30
Instruction ID: 274ca9440bc8d6bb7b4941f6a254ec5d0c0ae5dd5b655bd14981456727b3021d
Opcode Fuzzy Hash: 39f8e22e6010466b82858a205a4893210a525d4427fd0ac6815d1becb6796e30
Instruction Fuzzy Hash: 94215363B0AA8285EA10EF27E5846ABB360FF44BC5F850472DE4D07775EE2ED151D720

Function 00007FF7A4088606 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4089110: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408915C

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Part of subcall function 00007FF7A4050B50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050BA2

Strings

Signature, xrefs: 00007FF7A40889DF
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: malloc$free
String ID: Signature: %s$Signature
API String ID: 1480856625-1663925961
Opcode ID: fdad2967fd82f3e3d00c658805d2c6cd49370dd863365039cb22b4e2afd20a66
Instruction ID: 89b40bda29950d54239aa4f0775301b4af73fdc10e97922ecb949de6bac0629c
Opcode Fuzzy Hash: fdad2967fd82f3e3d00c658805d2c6cd49370dd863365039cb22b4e2afd20a66
Instruction Fuzzy Hash: 0F213063A0AA8285EA10EF26E4846ABB364FF84B84F850472DE4D07775EE2ED151D720

Function 00007FF7A40885E0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A408AC20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408AC55

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4088A5C

Part of subcall function 00007FF7A4050B50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050BA2

Strings

Signature, xrefs: 00007FF7A40889DF
Signature: %s, xrefs: 00007FF7A40889F7

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: malloc$free
String ID: Signature: %s$Signature
API String ID: 1480856625-1663925961
Opcode ID: 71971b022ae8657752d3f71a5c925b7cafabf4b199b24d0758c8f45fcc128391
Instruction ID: 897c6e76d1742c7611cfe1e351b078c323aa45872a276de7cf8fe20338cfdc0c
Opcode Fuzzy Hash: 71971b022ae8657752d3f71a5c925b7cafabf4b199b24d0758c8f45fcc128391
Instruction Fuzzy Hash: 78214163B0AA8286EA10EF26E4846ABB364FF84BC4F850472DE4D07775EF2DD151D710

Function 00007FF7A4043550 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7A4042E89), ref: 00007FF7A40437EF

Strings

No data record of requested type, xrefs: 00007FF7A40437D3
Host not found, try again, xrefs: 00007FF7A40437E5
Unrecoverable error in call to nameserver, xrefs: 00007FF7A40437DC
Host not found, xrefs: 00007FF7A40437B8

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strncpy
String ID: Host not found$Host not found, try again$No data record of requested type$Unrecoverable error in call to nameserver
API String ID: 3301158039-3625861382
Opcode ID: c676b4948ad8de873c01a31b3ac823a8978589e2fd7550f958a9477d6e004ffe
Instruction ID: 65d1cf7376941a9aacf94f8e0a04c88a6a6aa7e1e53b6db063c1fba8430bcc80
Opcode Fuzzy Hash: c676b4948ad8de873c01a31b3ac823a8978589e2fd7550f958a9477d6e004ffe
Instruction Fuzzy Hash: 77113DA1F2D24350EA2C5F1AE5D427A9A60DF04780FCA60F1D64D067B5CD7FE4A4A710

Function 00007FF7A404B510 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF7A404B9B3
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF7A404B9C7
CloseHandle.KERNEL32 ref: 00007FF7A404B9D4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF7A404B9F6
closesocket.WS2_32 ref: 00007FF7A404BA14
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF7A404BA2D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: cdaac871417b2815011e1e24f7daa236251f8bef380f81fe0f9f7e20ce8ad1ed
Instruction ID: 250b2ec29bfc023f2bda619a37b3ab20561f7fde89ca9ffc8a5ce5fad7d003a2
Opcode Fuzzy Hash: cdaac871417b2815011e1e24f7daa236251f8bef380f81fe0f9f7e20ce8ad1ed
Instruction Fuzzy Hash: 29115B3660AB4186E620AF53E58022AB370FB89B91F454175DF8E03B71CF3EE4B19720

Function 00007FF7A408A305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A32B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A7CF

Strings

FALSE, xrefs: 00007FF7A408A320
TRUE, xrefs: 00007FF7A408A7D9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree
String ID: FALSE$TRUE
API String ID: 1865132094-1412513891
Opcode ID: bf6eb78e637c81cfb17562e742971b14b543e94c4e502e08d1207421d1d34735
Instruction ID: 465a97ada2b85fdea2200986a3ceddfef26fba09480cc4a18116e816ae1410fc
Opcode Fuzzy Hash: bf6eb78e637c81cfb17562e742971b14b543e94c4e502e08d1207421d1d34735
Instruction Fuzzy Hash: 374159E1B1B35644FF41AF23968037AB7E1EB10795F8645B1CE0D063F0DE6FA051A220

Function 00007FF7A407C350 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99networkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7A407C391
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7A407C3D0
WSAGetLastError.WS2_32 ref: 00007FF7A407C428

Strings

TFTP response timeout, xrefs: 00007FF7A407C3EA

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _time64$ErrorLast
String ID: TFTP response timeout
API String ID: 3339832089-3820788777
Opcode ID: f198b81d17f944958fe3fa7deee032b74760f22e3bc0fdc82b00a8e68ecdc853
Instruction ID: 243f4045bdf77010804cc4bffba119b62b5c1a9535131229a7cd913048fb540d
Opcode Fuzzy Hash: f198b81d17f944958fe3fa7deee032b74760f22e3bc0fdc82b00a8e68ecdc853
Instruction Fuzzy Hash: FF41B43160EA41C5E760AF26D4802BBA750FB45BA4F824271DE1D437F9DF3DD4119B61

Function 00007FF7A4089D9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A243
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A257
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A2BE

Strings

%s%lx, xrefs: 00007FF7A4089E08

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: isupper$free
String ID: %s%lx
API String ID: 573759493-530121141
Opcode ID: 83e0216097b128f78bbf8f25ef3adfbb666302a4def33d60308c1bae42cbcd87
Instruction ID: a7cc0996119e0f0ae8f76944034270c2d95d5ea1c8f34b30222d0ff04f403487
Opcode Fuzzy Hash: 83e0216097b128f78bbf8f25ef3adfbb666302a4def33d60308c1bae42cbcd87
Instruction Fuzzy Hash: 81312721F0F5A249FB21BF2A96C037ABB91DB11742F9645B1C58A01AB5DE5F9021E730

Function 00007FF7A4056400 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A4056525
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7A4056540

Strings

..., xrefs: 00007FF7A40564A8
..., xrefs: 00007FF7A4056492

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: fwrite
String ID: ...$...
API String ID: 3559309478-2253869979
Opcode ID: 302b132ee88cad9bd6f6907226ec01a6f59867d5edaea7f1bdfe6eb2bdd96f98
Instruction ID: afc1d9aa064937d493aa631736fddf86d4bc270e81acd31c66697bf564aa0a7b
Opcode Fuzzy Hash: 302b132ee88cad9bd6f6907226ec01a6f59867d5edaea7f1bdfe6eb2bdd96f98
Instruction Fuzzy Hash: D431262260AA8181EB14EF12D4847FAA3A0FB84B44F828171DA5D037B4CF3FD065C791

Function 00007FF7A4072EA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF7A4072EF2
accept.WS2_32 ref: 00007FF7A4072F11

Part of subcall function 00007FF7A40655A0: ioctlsocket.WS2_32 ref: 00007FF7A40655B9

Strings

Error accept()ing server connect, xrefs: 00007FF7A4072F2E
Connection accepted from server, xrefs: 00007FF7A4072F3F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: acceptgetsocknameioctlsocket
String ID: Connection accepted from server$Error accept()ing server connect
API String ID: 36920154-2331703088
Opcode ID: 3fdf254b2d797b3df25c41a06fa42f0211d52f1d92e7b9613cb59294973e1530
Instruction ID: 638a99f0617a85f471da7e91d79f7ede80094690977e484b32b8e74f36b2d6ae
Opcode Fuzzy Hash: 3fdf254b2d797b3df25c41a06fa42f0211d52f1d92e7b9613cb59294973e1530
Instruction Fuzzy Hash: 3A31F62170AA8186EB50EF22E4803ABF350FB48BA4F850274DA6D077F5CF3EE0109B51

Function 00007FF7A406E7F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

LIST "%s" *, xrefs: 00007FF7A406E877
%s%s, xrefs: 00007FF7A406E823

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID:
String ID: %s%s$LIST "%s" *
API String ID: 0-1744359683
Opcode ID: 85719f75dcdb96e6197976c791e40f2de33a90732eb886bb89f893e41dc579a2
Instruction ID: 7d03ba54b7a8581916ca6f7ede8d626525dbe5282cd1491846d9436b3130f847
Opcode Fuzzy Hash: 85719f75dcdb96e6197976c791e40f2de33a90732eb886bb89f893e41dc579a2
Instruction Fuzzy Hash: 45118121F0A74191EA54EF16E4801BAE360FB44BC4F894471EE0E07771DF6EE561D351

Function 00007FF7A4044DA8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4044CB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4044CCE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4044CEB

Strings

:, xrefs: 00007FF7A4044CA6

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$_strdup
String ID: :
API String ID: 2653869212-336475711
Opcode ID: 03f7a82f17a8786903f37281df382a9cd04d1e7e65cde419154ad756da80fe8a
Instruction ID: f4cab00e602a93e437e176f622de187922264443d6fad731a576ccee66562b35
Opcode Fuzzy Hash: 03f7a82f17a8786903f37281df382a9cd04d1e7e65cde419154ad756da80fe8a
Instruction Fuzzy Hash: 8311993270AB4585EAA19F15E580366B360AB44790F994271CF9D437B4EF3DD424D724

Function 00007FF7A407ADA0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF7A407ADDD
WSAGetLastError.WS2_32 ref: 00007FF7A407ADE7

Strings

SENT, xrefs: 00007FF7A407AE02
Sending data failed (%d), xrefs: 00007FF7A407ADED

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: ErrorLastsend
String ID: SENT$Sending data failed (%d)
API String ID: 1802528911-3459338696
Opcode ID: 6e33643bc433ae606133d3d86b99e8efca57a3561be742b79e0d0dd8d9a006e5
Instruction ID: a2a415ba2d36f0eb3f00684107b0d722150cb0ac12a92e74924b430176a2a3c3
Opcode Fuzzy Hash: 6e33643bc433ae606133d3d86b99e8efca57a3561be742b79e0d0dd8d9a006e5
Instruction Fuzzy Hash: 3801F532709A82C5DB50AF2BE88045ABB20FB84FC4B8A4175DB5D43732DF3AD551C791

Function 00007FF7A4061EB0 Relevance: 6.3, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A40622C5), ref: 00007FF7A4061EE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A40622C5), ref: 00007FF7A4061EF1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A40622C5), ref: 00007FF7A4061F6A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A40622C5), ref: 00007FF7A4061F7B
memcpy.VCRUNTIME140(?,?,00000000,00007FF7A40622C5), ref: 00007FF7A4061FA4

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$mallocmemcpy
String ID:
API String ID: 3401966785-0
Opcode ID: 64d3edcc426b7471abd7909f8ebfd8dc1fd57c216fe30615d90dc291891f8035
Instruction ID: de06e676587a7fd3446eb6a785179339391700fdfc484154e051364af4e44972
Opcode Fuzzy Hash: 64d3edcc426b7471abd7909f8ebfd8dc1fd57c216fe30615d90dc291891f8035
Instruction Fuzzy Hash: 5631A022B0AB4191EB10AF12E48036AE2A0EB14BD4F850675EE6E0B7F5DF7DD460A311

Function 00007FF7A408A4BF Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A7CF

Strings

GMT, xrefs: 00007FF7A408A56E
TRUE, xrefs: 00007FF7A408A7D9
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7A408A5E1

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
API String ID: 1294909896-910067264
Opcode ID: 3a97b54dd8c20e641dcfa4d9801de4b2c1f4c98a54d6da2505f9c7397ccb92bd
Instruction ID: 1c34cfca30ae3782ebe2a13dd134d0da0fe372a36ec4ea454762a8459b790c65
Opcode Fuzzy Hash: 3a97b54dd8c20e641dcfa4d9801de4b2c1f4c98a54d6da2505f9c7397ccb92bd
Instruction Fuzzy Hash: 36514C62A0E69544EB10AF229A8427BF765EB01791FC540B2D94D02F74DF7ED4A1E710

Function 00007FF7A40897D0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4089B06

Strings

GMT, xrefs: 00007FF7A408988E
%s: %s, xrefs: 00007FF7A4089AF1
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7A40898FA

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %s: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s
API String ID: 1294909896-2632828617
Opcode ID: 837cbaf7fcdd32052fcb9ee980a98d0f492b635fa62e58f140a762f412d0c416
Instruction ID: 99f6f2b040f3e079c8bc1a93b8f9c44e0ce29df58145cfde0eef8cbf5cde8b88
Opcode Fuzzy Hash: 837cbaf7fcdd32052fcb9ee980a98d0f492b635fa62e58f140a762f412d0c416
Instruction Fuzzy Hash: 2841E861A0D69685EA60BF12A6842BAF790EB41791FC64071DE4D03775CF3EE066D720

Function 00007FF7A403D590 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A403D1A8), ref: 00007FF7A403D66E
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A403D1A8), ref: 00007FF7A403D69C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A403D1A8), ref: 00007FF7A403D705

Part of subcall function 00007FF7A408FB18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF7A40343FE,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF7A4031B59), ref: 00007FF7A408FB32

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A403D712

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemset
String ID:
API String ID: 2942768764-0
Opcode ID: be577898cfb132f12a0948304b2fb9bc36eb211b7926233c65c7c8ef3fe3742e
Instruction ID: 27f7f7b4d09acd9f069b23fc9f2417bf3d1d20137b1fefef0d679b9215dd7ea3
Opcode Fuzzy Hash: be577898cfb132f12a0948304b2fb9bc36eb211b7926233c65c7c8ef3fe3742e
Instruction Fuzzy Hash: 1041C362706A4585EA18AF36D28427EA751FF44BA0F964671CA2D077F4DF2EF0A1D310

Function 00007FF7A4040790 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4040870
memcpy.VCRUNTIME140 ref: 00007FF7A404089D
memcpy.VCRUNTIME140 ref: 00007FF7A40408AC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A40408DE

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: b289941bc787ad963bcb9495ad2c5e3cafef7c1359faf9c99362ff32d762317a
Instruction ID: 87ff2548ab7a9f13a661980cb43323e7c7ce111275e75c36bfa5255e2aeecea1
Opcode Fuzzy Hash: b289941bc787ad963bcb9495ad2c5e3cafef7c1359faf9c99362ff32d762317a
Instruction Fuzzy Hash: C7310922A0AB4181DA20FF13A98026BA250FB04BE0F954675DEAD177F5DF3DD0A1D390

Function 00007FF7A408B140 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00007FF7A406D2EB), ref: 00007FF7A408B19E

Strings

%s, xrefs: 00007FF7A408B174

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %s
API String ID: 1294909896-3043279178
Opcode ID: 073ba612a2cbe85256b1cde721385677e7217a76d979108c03dc8feec761c9f4
Instruction ID: 2f2b54bbf56971da81a0973b313dc111b7fd88c36c67fd67520719c965f331cb
Opcode Fuzzy Hash: 073ba612a2cbe85256b1cde721385677e7217a76d979108c03dc8feec761c9f4
Instruction Fuzzy Hash: F841B232609B4182EA50AF16B5801AAB3A0FB84BD0F554575EFDE03B71DF3DE4A1D310

Function 00007FF7A408B580 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00007FF7A406EB30,?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?), ref: 00007FF7A408B5D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408B65C

Strings

%s, xrefs: 00007FF7A408B5A5

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %s
API String ID: 1294909896-3043279178
Opcode ID: ff90f14b9c377f659e10b31d5fbc85e538c30466ebb5cf373757226f49f20229
Instruction ID: 363b38d29e94a4b1b9e3917e46b8298cbeba4eb67aebb9236bc811e1fda537f5
Opcode Fuzzy Hash: ff90f14b9c377f659e10b31d5fbc85e538c30466ebb5cf373757226f49f20229
Instruction Fuzzy Hash: 8A418232A09B4582E650AF26B5801ABF3A0FB44B90F554674DF8E03BB1DF3DE4A1D710

Function 00007FF7A403EEE0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7A403D1D9), ref: 00007FF7A403EFBA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF7A403D1D9), ref: 00007FF7A403EFEE
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7A403D1D9), ref: 00007FF7A403EFF8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A403F01B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 68a1c3225f446567fab754bf297663ac6e7eeb9fa881a6b95c3919f4eb555c52
Instruction ID: 9c73fcbd3632b6bfedad60b7318e199209277e9dc9bc9cb9dbc5ee4adc9f1fd0
Opcode Fuzzy Hash: 68a1c3225f446567fab754bf297663ac6e7eeb9fa881a6b95c3919f4eb555c52
Instruction Fuzzy Hash: 09312A2170A64188EE14AF2792842BEE751EB04BE0F850770EA6D077F5CF7DF061A310

Function 00007FF7A4034D60 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7A4034E3F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7A4034E7C
memcpy.VCRUNTIME140 ref: 00007FF7A4034E86
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A4034EB3

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 928039aa2313746df886399aeceaee311cbda049cd91d4980384f92b41959262
Instruction ID: cb12d28793790c344c9d44f3abf632390e9ff97ce2932b13f2c4ac80c33f8675
Opcode Fuzzy Hash: 928039aa2313746df886399aeceaee311cbda049cd91d4980384f92b41959262
Instruction Fuzzy Hash: 5431F62170A78154EE18AF27A78426AA655EB04BE0F950770DE6D0B7F5CF7DF061A310

Function 00007FF7A408A405 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A7CF

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7A408A4AB
TRUE, xrefs: 00007FF7A408A7D9
GMT, xrefs: 00007FF7A408A459

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$TRUE
API String ID: 1294909896-918878739
Opcode ID: 5c811be7c639e6a817eeb1eaaef6f6908bb5a2a36ecbc2e96e5375d9d862ee5c
Instruction ID: 1663fb2123da6cfb9afb62cf2f6b61a923a1c8a329f37f6f30f8c49e71d6c981
Opcode Fuzzy Hash: 5c811be7c639e6a817eeb1eaaef6f6908bb5a2a36ecbc2e96e5375d9d862ee5c
Instruction Fuzzy Hash: 5C311B62A0AB8584EB109F22DA802AAB761F744791FD540B1DB4D03B75CF7EE461E710

Function 00007FF7A4089715 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4089B06

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7A40897B9
GMT, xrefs: 00007FF7A4089769
%s: %s, xrefs: 00007FF7A4089AF1

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: %s: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
API String ID: 1294909896-1153420294
Opcode ID: 979e85848d636c6c0b0c76a7e7eb724a988065f1e42c35c4c663c2ae8dca01c9
Instruction ID: 10d1aa4f8897987e68a46d0d113431240e7c7cecf6d9017b58f9ddd4174d01be
Opcode Fuzzy Hash: 979e85848d636c6c0b0c76a7e7eb724a988065f1e42c35c4c663c2ae8dca01c9
Instruction Fuzzy Hash: 6831D421A0EB8188EB60BF62D9806ABB390FB45B81FD64071DB4D07272CF7ED565E310

Function 00007FF7A408A64D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A688
memcpy.VCRUNTIME140 ref: 00007FF7A408A6AE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A7CF

Strings

TRUE, xrefs: 00007FF7A408A7D9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: freemallocmemcpy
String ID: TRUE
API String ID: 3056473165-3412697401
Opcode ID: 336f45e28875de01f45820a47226f16eb8b9e84abcdede310df3c5d974aec670
Instruction ID: 1fcec62e615ea9c365395bef8e1e27c25ff415640c8e71b21137750c3644ee3d
Opcode Fuzzy Hash: 336f45e28875de01f45820a47226f16eb8b9e84abcdede310df3c5d974aec670
Instruction Fuzzy Hash: 962105A6B0B64204EF01AE179A44376B762EB04BE4F8645B1CD1D03BF4DE7ED051A320

Function 00007FF7A4089E4A Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4089E51
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A243
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A257
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A2BE

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: isupper$_strdupfree
String ID:
API String ID: 3359907120-0
Opcode ID: 3eb6ae45e014ede4233dc602f349cd239cdeeee396bdebc478bda1a783cc93d4
Instruction ID: e8e8445790d8b3a2a22680606d8826004676fdd4faabf1d6141978ba0138de99
Opcode Fuzzy Hash: 3eb6ae45e014ede4233dc602f349cd239cdeeee396bdebc478bda1a783cc93d4
Instruction Fuzzy Hash: 3E21F821F0F59645FB22EF2A46C433ABBD1DB11741F8605B0C58A019B5CE6F9121D730

Function 00007FF7A4072DC0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54stringCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4072DDD
strstr.VCRUNTIME140 ref: 00007FF7A4072E1C
strstr.VCRUNTIME140 ref: 00007FF7A4072E34

Strings

;type=, xrefs: 00007FF7A4072E0F, 00007FF7A4072E2D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: strstr$calloc
String ID: ;type=
API String ID: 3224321581-3507045495
Opcode ID: 01dc25b4bb57f54fc853f615e9b1a19bf24263f803805d96a8c15628a7dbba92
Instruction ID: d7c82aaabf894a33707fbcae9bfd86fd604728319d42b7da9bb0c43b980b619c
Opcode Fuzzy Hash: 01dc25b4bb57f54fc853f615e9b1a19bf24263f803805d96a8c15628a7dbba92
Instruction Fuzzy Hash: C0213632509AC285EB149F26E4803BAB7A0FB14784F894175DB9D07BF6DF3DE0A19720

Function 00007FF7A406C850 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4050DC9,?,?,?,?,00007FF7A405016B), ref: 00007FF7A406C878
GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF7A4050DC9,?,?,?,?,00007FF7A405016B), ref: 00007FF7A406C89E
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4050DC9,?,?,?,?,00007FF7A405016B), ref: 00007FF7A406C8BF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A4050DC9,?,?,?,?,00007FF7A405016B), ref: 00007FF7A406C8D0

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: realloc$EnvironmentVariablefree
String ID:
API String ID: 2828309815-0
Opcode ID: cabc26addc2401d9eb1a58dc0410cf863a4dbc7c9db6dab5f18b53f72baa0c0e
Instruction ID: bed02722f6a84ace548e6a8c85f37cedbf04088571c24d9aa8a87de0c7e6f9f3
Opcode Fuzzy Hash: cabc26addc2401d9eb1a58dc0410cf863a4dbc7c9db6dab5f18b53f72baa0c0e
Instruction Fuzzy Hash: 5C114221B0E74289E670AF1355C023BE291FB49BC0F560475DD5E43B74DE7EE4506751

Function 00007FF7A4062270 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40622CA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40622EA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A40622F3

Strings

Proxy-Connection: Keep-Alive, xrefs: 00007FF7A4062280

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID: Proxy-Connection: Keep-Alive
API String ID: 1294909896-2835282938
Opcode ID: 3a9a473e6be16dc48f278ee67881fb5fe137b81527da702573c6769a82dec04a
Instruction ID: bc9bfaf7396174a467defcfc5a66d62f9a72f7dec0070639b0ecde33e3f6e69d
Opcode Fuzzy Hash: 3a9a473e6be16dc48f278ee67881fb5fe137b81527da702573c6769a82dec04a
Instruction Fuzzy Hash: 19010472B06A4152FA156F46A5803BAE260AF44BE0F454674CEAA073F4DF7CD8A5D360

Function 00007FF7A408DE60 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408DE86
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408DE97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408DEC6

Part of subcall function 00007FF7A408DEF0: strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF7A408DEB0), ref: 00007FF7A408DF5F

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408DEBD

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree$strchr
String ID:
API String ID: 1739957132-0
Opcode ID: 0dd7f80735f85da8f984343497c1d3cfee0a952a3c0d7bbcc3984797b00619ee
Instruction ID: e20ca7544f7999b840116f62591fca3808d475ce4415270fcdd608f6253ad6f5
Opcode Fuzzy Hash: 0dd7f80735f85da8f984343497c1d3cfee0a952a3c0d7bbcc3984797b00619ee
Instruction Fuzzy Hash: E501D611B1F78145EE55BF1B62C417AA2D1AF48FC0F8905B0DE4D43B74EE1DD8619320

Function 00007FF7A406D7F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF7A406D1D3), ref: 00007FF7A406D8C2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF7A406D1D3), ref: 00007FF7A406D913

Strings

(){ %*], xrefs: 00007FF7A406D80D

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupmalloc
String ID: (){ %*]
API String ID: 3515966317-731572209
Opcode ID: a2d67765c7a5dc4ec3c005a88b734144e7937f55b09edc6cecbb18d84dfcb0d8
Instruction ID: c0e37b4a752d859f098573969f80a48766f7a572d2821e51366e2df89d30a472
Opcode Fuzzy Hash: a2d67765c7a5dc4ec3c005a88b734144e7937f55b09edc6cecbb18d84dfcb0d8
Instruction Fuzzy Hash: CA314901B0E64658FB216F1754C437AEBD19F56754FDA41B1CD8F032F2CA5FA425A232

Function 00007FF7A405AF90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405B009
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A405B0A2

Strings

identity, xrefs: 00007FF7A405AFC4, 00007FF7A405B033, 00007FF7A405B09B

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupmalloc
String ID: identity
API String ID: 3515966317-1788209604
Opcode ID: d4c4bbbc2fa7c735205f47a9b6ef7a324f82185f1d3be52344d8deb9db7dadb3
Instruction ID: 76e36e0701a09d2e91945217a1b9ca5b45b8df552e4f85643d8f76ed0b32904e
Opcode Fuzzy Hash: d4c4bbbc2fa7c735205f47a9b6ef7a324f82185f1d3be52344d8deb9db7dadb3
Instruction Fuzzy Hash: BC31E821E0AA4581EB019F169480377A7A0EF04BE4F8A9671DE6D033F5EE2EE4259721

Function 00007FF7A4059600 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4059620
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A405967B

Strings

, xrefs: 00007FF7A4059633

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: mallocrealloc
String ID:
API String ID: 948496778-3916222277
Opcode ID: f007defbe466de477ca43de1dbeb36f93a3c148d42cae4483d77c4417899ba6d
Instruction ID: 6015f6d46490676ceb5217fea975ccf45c8e87da4692b314a99d49f6ce4777b5
Opcode Fuzzy Hash: f007defbe466de477ca43de1dbeb36f93a3c148d42cae4483d77c4417899ba6d
Instruction Fuzzy Hash: 3A11937260AB8181DB449F26E18026AB3A0FB08FD4F848575DE5E077A8EF39D5A4C350

Function 00007FF7A4055DD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4055E15
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A4055E3C

Strings

%I64d-, xrefs: 00007FF7A4055E27

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree
String ID: %I64d-
API String ID: 1865132094-19666937
Opcode ID: abda5eb413ce93b11bf73c89973972c6922633c2c4b0e22d6fcd2faa1f33085e
Instruction ID: cb1ed37d5d0e296bb48b86734d6134f3a565218a6174c3a17a984c7eb742a93e
Opcode Fuzzy Hash: abda5eb413ce93b11bf73c89973972c6922633c2c4b0e22d6fcd2faa1f33085e
Instruction Fuzzy Hash: 10112972A07682C0EF149F6684893F613A1FB54B44F5D4071C90C8E275DF2F54A79331

Function 00007FF7A408A3D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A408A3DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A408A7CF

Strings

TRUE, xrefs: 00007FF7A408A7D9

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfree
String ID: TRUE
API String ID: 1865132094-3412697401
Opcode ID: 3eb87d98ead6b4b41aa3a49ae51076edf6b329d4f89bb2bede70efb61867991e
Instruction ID: 84da6598ee7802cccff790abc83861d7c2dec6bf2d5564ec5d95666250fc2f6e
Opcode Fuzzy Hash: 3eb87d98ead6b4b41aa3a49ae51076edf6b329d4f89bb2bede70efb61867991e
Instruction Fuzzy Hash: A0019BA6B0B65544EB019F13D94037A7761EB04BD5F8548B1CE0E067B4DE7ED091E320

Function 00007FF7A40896E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A40896EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4089B06

Part of subcall function 00007FF7A4050B50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4050BA2

Strings

%s: %s, xrefs: 00007FF7A4089AF1

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: %s: %s
API String ID: 3985033223-1451338302
Opcode ID: 59a004d23c9a7171389107e4b7ac2ba63d9e7849cde71739f0039903f637d0dc
Instruction ID: 1441bd0a0c8a4ad3ead7d08e91bbcffd3e6548160b08dd132f6eeeb800ed2277
Opcode Fuzzy Hash: 59a004d23c9a7171389107e4b7ac2ba63d9e7849cde71739f0039903f637d0dc
Instruction Fuzzy Hash: F2F0A451A0E78141EA60BF13A9807FBA350EB45BC4F894471CE4E07372DF2DD165E720

Function 00007FF7A404C510 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A4046040: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4050640,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A4042471), ref: 00007FF7A4046067
Part of subcall function 00007FF7A4046040: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A4050640,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A4042471), ref: 00007FF7A4046073

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C546
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C556
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A404C564
memset.VCRUNTIME140 ref: 00007FF7A404C59F

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: b476d781683bd605753166caffe2319fbc1c98f8906f10cc98198184c3fa0d6f
Instruction ID: 3a43e40d20a0c5a9be5e7e7f275c446b35184403385d4cea4632b651b42c96db
Opcode Fuzzy Hash: b476d781683bd605753166caffe2319fbc1c98f8906f10cc98198184c3fa0d6f
Instruction Fuzzy Hash: 83210933E18B91A3E214DF22D6903A9A360F799744F529225EB9D43A22DF75F1F1D310

Function 00007FF7A408B720 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A406D5A3), ref: 00007FF7A408E6B6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A406D5A3), ref: 00007FF7A408E6D5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A406D5A3), ref: 00007FF7A408E6EF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7A406D5A3), ref: 00007FF7A408E6FD

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0cceb363f3383bb9859af09066e7c5d0c6a7185a683f001f5595319a996bee7d
Instruction ID: b20ec33092eae043116c5d95c73bf92a0eb88a355dcab6cd76957d1c58b62654
Opcode Fuzzy Hash: 0cceb363f3383bb9859af09066e7c5d0c6a7185a683f001f5595319a996bee7d
Instruction Fuzzy Hash: 8E111C22A0AA0181EB50AF26E5D063DB3A4FF94F85F954971CA4E02774CE3DD860E360

Function 00007FF7A4073510 Relevance: 5.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A4073548
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407356E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407358A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7A407359E

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b3c3805f82caad35ddc01d018df6cc76f4a284c910c5e9ee53ad49d6aa0b3735
Instruction ID: d69d24cd6a936514e4a3202acc328485892fb29bdb1edef9fef816daceea9ad8
Opcode Fuzzy Hash: b3c3805f82caad35ddc01d018df6cc76f4a284c910c5e9ee53ad49d6aa0b3735
Instruction Fuzzy Hash: A3112536605B80C6E750AF26E580369B3A4F784F84F984176DE8E57338CF39E8A5D760

Function 00007FF7A4085150 Relevance: 5.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A408124E), ref: 00007FF7A4085176
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A408124E), ref: 00007FF7A4085197
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A408124E), ref: 00007FF7A40851B2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7A408124E), ref: 00007FF7A40851C0

Memory Dump Source

Source File: 00000001.00000002.3300655249.00007FF7A4031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A4030000, based on PE: true

Associated: 00000001.00000002.3300641148.00007FF7A4030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300690968.00007FF7A4092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300709050.00007FF7A40A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3300724162.00007FF7A40AF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7a4030000_PlusPrivStoreAtt116.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5c8853aa7cfb41fb736cb08fd9c58292c725a3a828156dd37d5180451661d39c
Instruction ID: 75523eb0d143450165fe5d0ac16284f0b6b50e142379ab5a6457559fe0a94053
Opcode Fuzzy Hash: 5c8853aa7cfb41fb736cb08fd9c58292c725a3a828156dd37d5180451661d39c
Instruction Fuzzy Hash: C711E536606B0186EB14AF26E98012DB3B8FF94F897510576CE5D43778CF39C860D3A0

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PlusPrivStoreAtt116.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
PlusPrivStoreAtt116.exe

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre