Edit tour

Windows Analysis Report
tpmbypassprivatestore.exe

Overview

General Information

Sample name:	tpmbypassprivatestore.exe
Analysis ID:	1590934
MD5:	f9abe0d8c09682a9b0a38b96d7378d8a
SHA1:	1a5deff8373d2dd054b8709900cdc71a98264b86
SHA256:	db82d79323e0c49e67e9df543ecbe248b2f3b82ebc72b4e21f61ee079705ff4b
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found API chain indicative of debugger detection

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

tpmbypassprivatestore.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5: F9ABE0D8C09682A9B0A38B96D7378D8A)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7700 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

certutil.exe (PID: 7716 cmdline: certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)

find.exe (PID: 7724 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

find.exe (PID: 7744 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 7784 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7800 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7892 cmdline: timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)

WerFault.exe (PID: 7916 cmdline: C:\Windows\system32\WerFault.exe -u -p 7564 -s 836 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tpmbypassprivatestore.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: tpmbypassprivatestore.exe	Virustotal: Detection: 44%			Perma Link
Source: tpmbypassprivatestore.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for sample

Source: tpmbypassprivatestore.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3532CD strtol,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,_strdup,CertOpenStore,GetLastError,free,free,CryptStringToBinaryA,CertFindCertificateInStore,fopen,fseek,ftell,fseek,malloc,fread,fclose,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertCloseStore,calloc,CertFreeCertificateContext,fclose,free,CertFreeCertificateContext,free,calloc,	0_2_00007FF76C3532CD
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C36ED20 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertGetNameStringA,malloc,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,	0_2_00007FF76C36ED20
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C376090 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	0_2_00007FF76C376090
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C355550 CryptAcquireContextA,CryptCreateHash,	0_2_00007FF76C355550
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3555A0 CryptHashData,	0_2_00007FF76C3555A0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3555B0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF76C3555B0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3525C0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_00007FF76C3525C0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C352690 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF76C352690
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C36F640 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,malloc,ReadFile,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,free,	0_2_00007FF76C36F640
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C378180 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_00007FF76C378180

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_00007FF76C339040
Source: tpmbypassprivatestore.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: mov dword ptr [rbp+04h], 424D53FFh

0_2_00007FF76C361E90

Source: unknown

HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.9:49748 version: TLS 1.2

Source: tpmbypassprivatestore.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Bypass Valorant TPM C++\Loader TPM Bypass Novo\built\DragonBurn.pdb source: tpmbypassprivatestore.exe

Source: Joe Sandbox View

IP Address: 104.26.1.5 104.26.1.5

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C32FD20 malloc,recv,free,

0_2_00007FF76C32FD20

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: tpmbypassprivatestore.exe	String found in binary or memory: http://167.114.85.75/KMDF.exe
Source: tpmbypassprivatestore.exe	String found in binary or memory: http://167.114.85.75/KMDF.exeC:
Source: tpmbypassprivatestore.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: tpmbypassprivatestore.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: tpmbypassprivatestore.exe, tpmbypassprivatestore.exe, 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmp, tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/OCESS
Source: tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/ce
Source: tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/g3
Source: tpmbypassprivatestore.exe, 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/valorant
Source: tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/yCESS

Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: unknown

HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.9:49748 version: TLS 1.2

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C376090 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

0_2_00007FF76C376090

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C322B00	0_2_00007FF76C322B00
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C341C20	0_2_00007FF76C341C20
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C313790	0_2_00007FF76C313790
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C325740	0_2_00007FF76C325740
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3408E0	0_2_00007FF76C3408E0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3428D0	0_2_00007FF76C3428D0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3532CD	0_2_00007FF76C3532CD
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C35DD80	0_2_00007FF76C35DD80
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C36ED20	0_2_00007FF76C36ED20
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C376090	0_2_00007FF76C376090
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C351050	0_2_00007FF76C351050
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C378110	0_2_00007FF76C378110
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C355960	0_2_00007FF76C355960
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C348920	0_2_00007FF76C348920
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C32EB50	0_2_00007FF76C32EB50
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C316BC0	0_2_00007FF76C316BC0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C34BC20	0_2_00007FF76C34BC20
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C33A560	0_2_00007FF76C33A560
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3665B0	0_2_00007FF76C3665B0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3436F0	0_2_00007FF76C3436F0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C34E770	0_2_00007FF76C34E770
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C36A800	0_2_00007FF76C36A800
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3697D0	0_2_00007FF76C3697D0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3328F0	0_2_00007FF76C3328F0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C3628B0	0_2_00007FF76C3628B0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C31B190	0_2_00007FF76C31B190
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C33D290	0_2_00007FF76C33D290
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C31C2C0	0_2_00007FF76C31C2C0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C35338C	0_2_00007FF76C35338C
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C353395	0_2_00007FF76C353395
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C311340	0_2_00007FF76C311340

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C32E0C0 appears 46 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C342DC0 appears 33 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C33F8D0 appears 381 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C33FA50 appears 324 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C3796A4 appears 47 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C32A960 appears 49 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C32E190 appears 36 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C342C50 appears 36 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C342CE0 appears 33 times
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: String function: 00007FF76C33A1A0 appears 70 times

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7564 -s 836

Source: classification engine

Classification label: mal68.evad.winEXE@18/0@1/2

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C329400 GetLastError,_errno,FormatMessageA,strchr,strncpy,_errno,_errno,GetLastError,SetLastError,

0_2_00007FF76C329400

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1229ccf6-fead-4310-bc48-b890d0b36896

Jump to behavior

Source: tpmbypassprivatestore.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tpmbypassprivatestore.exe	Virustotal: Detection: 44%
Source: tpmbypassprivatestore.exe	ReversingLabs: Detection: 52%

Source: tpmbypassprivatestore.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory

Source: unknown	Process created: C:\Users\user\Desktop\tpmbypassprivatestore.exe "C:\Users\user\Desktop\tpmbypassprivatestore.exe"
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7564 -s 836
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: tpmbypassprivatestore.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: tpmbypassprivatestore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tpmbypassprivatestore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tpmbypassprivatestore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tpmbypassprivatestore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tpmbypassprivatestore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tpmbypassprivatestore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: tpmbypassprivatestore.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: tpmbypassprivatestore.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Bypass Valorant TPM C++\Loader TPM Bypass Novo\built\DragonBurn.pdb source: tpmbypassprivatestore.exe

Source: tpmbypassprivatestore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: tpmbypassprivatestore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: tpmbypassprivatestore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: tpmbypassprivatestore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: tpmbypassprivatestore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C3425B0 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,

0_2_00007FF76C3425B0

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C32CD58 push rcx; ret		0_2_00007FF76C32CD59
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C32CC2D push rcx; ret		0_2_00007FF76C32CC35

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-49648

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

API coverage: 5.0 %

Source: C:\Windows\System32\timeout.exe TID: 7896

Thread sleep count: 42 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-49301

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C379538 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF76C379538

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C379538 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF76C379538

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C3425B0 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,

0_2_00007FF76C3425B0

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C311A10 GetProcessHeap,

0_2_00007FF76C311A10

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C378CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF76C378CF0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C379198 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF76C379198
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C379340 SetUnhandledExceptionFilter,	0_2_00007FF76C379340

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe

Code function: 0_2_00007FF76C3793AC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF76C3793AC

Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C34DDF0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,closesocket,closesocket,closesocket,closesocket,	0_2_00007FF76C34DDF0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C35DD80 calloc,strchr,strncpy,strchr,strncpy,strchr,strtoul,strchr,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,memmove,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,	0_2_00007FF76C35DD80
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C364AE0 calloc,calloc,calloc,bind,WSAGetLastError,	0_2_00007FF76C364AE0
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C341590 memset,strncmp,strncmp,strchr,htons,atoi,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	0_2_00007FF76C341590
Source: C:\Users\user\Desktop\tpmbypassprivatestore.exe	Code function: 0_2_00007FF76C364881 calloc,calloc,calloc,bind,WSAGetLastError,	0_2_00007FF76C364881

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	1 Exploitation of Remote Services	12 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tpmbypassprivatestore.exe	44%	Virustotal		Browse
tpmbypassprivatestore.exe	53%	ReversingLabs	Win64.Trojan.Generic
tpmbypassprivatestore.exe	100%	Avira	HEUR/AGEN.1315740
tpmbypassprivatestore.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://167.114.85.75/KMDF.exe	0%	Avira URL Cloud	safe
http://167.114.85.75/KMDF.exeC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.1.5	true	false		high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.2/OCESS	tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://keyauth.win/api/1.2/g3	tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://keyauth.win/api/1.2/valorant	tpmbypassprivatestore.exe, 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmp	false		high
http://167.114.85.75/KMDF.exe	tpmbypassprivatestore.exe	false	Avira URL Cloud: safe	unknown
http://167.114.85.75/KMDF.exeC:	tpmbypassprivatestore.exe	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.2/yCESS	tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	tpmbypassprivatestore.exe	false		high
https://curl.haxx.se/docs/http-cookies.html#	tpmbypassprivatestore.exe	false		high
https://keyauth.win/api/1.2/	tpmbypassprivatestore.exe, tpmbypassprivatestore.exe, 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmp, tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://keyauth.win/api/1.2/ce	tpmbypassprivatestore.exe, 00000000.00000002.1382569717.000001C3DD0FC000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.1.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590934
Start date and time:	2025-01-14 16:49:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tpmbypassprivatestore.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@18/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 56 Number of non-executed functions: 228
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.1.5	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse
	CCuITQzvd4.exe	Get hash	malicious	Unknown	Browse
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Get hash	malicious	Unknown	Browse
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.6030.29502.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Generic.36879400.484.7364.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.6639.30242.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	hhcqxkb.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://forrestore.com/static/apps/437.zip	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://2ol.itectaxice.ru/Qm75/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://account.tctmagazine.com/emailclickthrough?TxActivity=239212&returnUrl=https://mighty-calm-plum-toucan.easy2.de/&Hash=1DD38A2BA32B80F59EA0F1A750C3EC0E	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
keyauth.win	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	ak3o7AZ3mH.exe	Get hash	malicious	Babadeda, Conti, Mimikatz	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Aclatis tool.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	email.eml	Get hash	malicious	unknown	Browse	172.64.41.3
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	http://brillflooring.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	172.65.251.78
	http://wagestream.acemlnb.com	Get hash	malicious	Unknown	Browse	104.20.0.15
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	CCuITQzvd4.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	dMFmJxq6oK.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse	104.26.1.5
	SecuriteInfo.com.Win64.MalwareX-gen.26402.21423.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.25144.16407.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.1.5

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.427401695224324
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tpmbypassprivatestore.exe
File size:	563'200 bytes
MD5:	f9abe0d8c09682a9b0a38b96d7378d8a
SHA1:	1a5deff8373d2dd054b8709900cdc71a98264b86
SHA256:	db82d79323e0c49e67e9df543ecbe248b2f3b82ebc72b4e21f61ee079705ff4b
SHA512:	5e15dc0c924daa0053d64e8a95de1c6e95e50772ad47e69a92b1d62baa3da173a974c556fe7e72f202ab0e9eea4e0a80d1f07b354c5e22694b0a0a0faafbec32
SSDEEP:	12288:l8e6P2GGYDHSt5lbNEDAemeUs81Jz8z1un:lWOGGYDytP7emZb16Run
TLSH:	FAC47D56A7A902E9D1ABD03CC547C613F7B2B49513119BDB43A0CA792F23BE16F3A710
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........$...J...J...J.......J.......J...N...J...I...J...O...J...K...J.D.N...J...N...J...O...J...K...J...K.F~J...C...J.......J...H...J

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140068a08
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676DE83E [Thu Dec 26 23:35:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	503534690aeb51719377d930c26e6d60

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FC09D1A08F0h
dec eax
add esp, 28h
jmp 00007FC09D19FDC7h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [0001DFACh]
call dword ptr [000027B6h]
mov eax, dword ptr [0001D63Ch]
dec eax
lea ecx, dword ptr [0001DF99h]
mov edx, dword ptr [0001DF9Bh]
inc eax
mov dword ptr [0001D627h], eax
mov dword ptr [ebx], eax
dec eax
mov eax, dword ptr [00000058h]
inc ecx
mov ecx, 00000004h
dec esp
mov eax, dword ptr [eax+edx*8]
mov eax, dword ptr [0001D60Ch]
inc ebx
mov dword ptr [ecx+eax], eax
call dword ptr [0000276Eh]
dec eax
lea ecx, dword ptr [0001DF57h]
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000276Bh]
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [0001DF40h]
call dword ptr [0000274Ah]
cmp dword ptr [ebx], 00000000h
jne 00007FC09D19FF74h
or dword ptr [ebx], FFFFFFFFh
jmp 00007FC09D19FF97h
inc ebp
xor ecx, ecx
dec eax
lea edx, dword ptr [0001DF26h]
inc ecx
or eax, FFFFFFFFh
dec eax
lea ecx, dword ptr [0001DF13h]
call dword ptr [00002735h]
jmp 00007FC09D19FF2Bh
cmp dword ptr [ebx], FFFFFFFFh
je 00007FC09D19FF30h
dec eax
mov eax, dword ptr [00000058h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x823f8	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8d000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x88000	0x4740	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0x578	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7a9a0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7aa80	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7a860	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6b000	0xb60	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69900	0x69a00	bf95f57b3eeaac052c8d6166a45faafa	False	0.5313886834319527	data	6.347064890226745	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6b000	0x1a184	0x1a200	428eb8a57b64a4426e5d8c1c141b9661	False	0.38158829246411485	data	5.598322596927925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x86000	0x1390	0x800	c76cf58d1d552732f4980d7479f95149	False	0.20751953125	data	3.76760610115393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x88000	0x4740	0x4800	61ead6eea1aa491aa690c762edffc6ad	False	0.4814995659722222	data	5.781604397759615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x8d000	0x1e8	0x200	c317bfdbea1210b1ab592ac9f5a906ff	False	0.54296875	data	4.772037401703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0x578	0x600	5906dee2ce41997ba62968ce18249c3c	False	0.5423177083333334	data	5.165401574106448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x8d060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	QueryPerformanceFrequency, VerSetConditionMask, SleepEx, LeaveCriticalSection, EnterCriticalSection, GetSystemDirectoryA, FreeLibrary, GetProcAddress, LoadLibraryA, VerifyVersionInfoA, QueryPerformanceCounter, GetTickCount, MoveFileExA, FormatMessageA, HeapAlloc, GetEnvironmentVariableA, GetFileType, ReadFile, PeekNamedPipe, WaitForMultipleObjects, CreateFileA, GetFileSizeEx, WideCharToMultiByte, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetCurrentProcessId, LocalFree, SetLastError, QueryFullProcessImageNameW, GetModuleHandleW, GetModuleHandleA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, VirtualProtect, CreateThread, GetCurrentProcess, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, WaitForSingleObjectEx, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, HeapDestroy, GetLastError, HeapReAlloc, CloseHandle, GetConsoleWindow, SetConsoleScreenBufferInfoEx, GetModuleFileNameA, GetConsoleMode, Sleep, GetConsoleScreenBufferInfoEx, SetConsoleMode, GetStdHandle, SetConsoleTitleA, SetConsoleTextAttribute, MultiByteToWideChar, CreateFileW
USER32.dll	MoveWindow, GetWindowLongW, SetWindowLongW, MessageBoxA, GetWindowRect
MSVCP140.dll	??1_Lockit@std@@QEAA@XZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Xbad_function_call@std@@YAXXZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??Bid@locale@std@@QEAA_KXZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?good@ios_base@std@@QEBA_NXZ, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ??0_Lockit@std@@QEAA@H@Z, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, _Thrd_detach, _Cnd_do_broadcast_at_thread_exit, ?_Xlength_error@std@@YAXPEBD@Z, ?_Random_device@std@@YAIXZ, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Xout_of_range@std@@YAXPEBD@Z
urlmon.dll	URLDownloadToFileA
Normaliz.dll	IdnToAscii
WLDAP32.dll
CRYPT32.dll	CertCloseStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CryptStringToBinaryA, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertOpenStore
WS2_32.dll	gethostname, recvfrom, freeaddrinfo, closesocket, recv, send, getaddrinfo, ntohl, sendto, __WSAFDIsSet, ioctlsocket, listen, htonl, accept, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, socket, setsockopt, select, ntohs, htons, WSAGetLastError, getsockopt, getsockname, getpeername, connect, bind
RPCRT4.dll	RpcStringFreeA, UuidToStringA, UuidCreate
PSAPI.DLL	GetModuleInformation
USERENV.dll	UnloadUserProfile
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__current_exception, strrchr, __current_exception_context, strchr, strstr, __C_specific_handler, memset, __std_exception_destroy, __std_exception_copy, memmove, memcpy, memcmp, memchr, __std_terminate, _CxxThrowException
api-ms-win-crt-runtime-l1-1-0.dll	_seh_filter_exe, exit, _configure_narrow_argv, system, _getpid, _initialize_onexit_table, terminate, _cexit, _resetstkoflw, _invalid_parameter_noinfo, _register_onexit_function, __sys_nerr, strerror, _set_app_type, _crt_atexit, _beginthreadex, _get_initial_narrow_environment, _initterm_e, _exit, __p___argc, __p___argv, _c_exit, _errno, _invalid_parameter_noinfo_noreturn, _register_thread_local_exe_atexit_callback, _initialize_narrow_environment, _initterm
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, fwrite, fflush, fclose, fgetpos, fgetc, __stdio_common_vfprintf, setvbuf, ungetc, fgets, fputc, _open, _close, _write, _read, _pclose, __p__commode, _set_fmode, _popen, __stdio_common_vsprintf, _get_stream_buffer_pointers, _lseeki64, fopen, fsetpos, fputs, __stdio_common_vsscanf, ftell, fseek, feof, fread, _fseeki64
api-ms-win-crt-heap-l1-1-0.dll	malloc, free, realloc, _callnewh, _set_new_mode, calloc
api-ms-win-crt-time-l1-1-0.dll	_localtime64_s, strftime, _time64, _gmtime64
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _unlink, _lock_file, _access, _stat64, _fstat64
api-ms-win-crt-convert-l1-1-0.dll	strtoull, strtol, strtoll, atoi, strtoul, strtod
api-ms-win-crt-locale-l1-1-0.dll	localeconv, _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dclass
api-ms-win-crt-string-l1-1-0.dll	strpbrk, strcmp, strncmp, strncpy, strspn, isupper, _strdup, tolower, strcspn
api-ms-win-crt-utility-l1-1-0.dll	qsort
ADVAPI32.dll	CryptGenRandom, SetSecurityInfo, CopySid, ConvertSidToStringSidA, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, InitializeAcl, GetTokenInformation, GetLengthSid, CryptHashData, CryptEncrypt, CryptImportKey, CryptDestroyKey, CryptDestroyHash, AddAccessAllowedAce, OpenProcessToken, IsValidSid
SHELL32.dll	ShellExecuteA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:50:52.194935083 CET	49748	443	192.168.2.9	104.26.1.5
Jan 14, 2025 16:50:52.194972038 CET	443	49748	104.26.1.5	192.168.2.9
Jan 14, 2025 16:50:52.195024967 CET	49748	443	192.168.2.9	104.26.1.5
Jan 14, 2025 16:50:52.205396891 CET	49748	443	192.168.2.9	104.26.1.5
Jan 14, 2025 16:50:52.205418110 CET	443	49748	104.26.1.5	192.168.2.9
Jan 14, 2025 16:50:52.686660051 CET	443	49748	104.26.1.5	192.168.2.9
Jan 14, 2025 16:50:52.686732054 CET	49748	443	192.168.2.9	104.26.1.5
Jan 14, 2025 16:50:52.698174953 CET	49748	443	192.168.2.9	104.26.1.5
Jan 14, 2025 16:50:52.698206902 CET	443	49748	104.26.1.5	192.168.2.9
Jan 14, 2025 16:50:52.698329926 CET	49748	443	192.168.2.9	104.26.1.5
Jan 14, 2025 16:50:52.698452950 CET	443	49748	104.26.1.5	192.168.2.9
Jan 14, 2025 16:50:52.698496103 CET	49748	443	192.168.2.9	104.26.1.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:50:52.183197021 CET	63145	53	192.168.2.9	1.1.1.1
Jan 14, 2025 16:50:52.190325022 CET	53	63145	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:50:52.183197021 CET	192.168.2.9	1.1.1.1	0x1058	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:50:45.537754059 CET	1.1.1.1	192.168.2.9	0xe696	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 16:50:45.537754059 CET	1.1.1.1	192.168.2.9	0xe696	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:50:52.190325022 CET	1.1.1.1	192.168.2.9	0x1058	No error (0)	keyauth.win		104.26.1.5	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:50:52.190325022 CET	1.1.1.1	192.168.2.9	0x1058	No error (0)	keyauth.win		172.67.72.57	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:50:52.190325022 CET	1.1.1.1	192.168.2.9	0x1058	No error (0)	keyauth.win		104.26.0.5	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:50:48
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\tpmbypassprivatestore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\tpmbypassprivatestore.exe"
Imagebase:	0x7ff76c310000
File size:	563'200 bytes
MD5 hash:	F9ABE0D8C09682A9B0A38B96D7378D8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:50:48
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:50:50
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Imagebase:	0x7ff68c850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:50:50
Start date:	14/01/2025
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -hashfile "C:\Users\user\Desktop\tpmbypassprivatestore.exe" MD5
Imagebase:	0x7ff663ac0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:50:51
Start date:	14/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "md5"
Imagebase:	0x7ff6121f0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:50:51
Start date:	14/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "certutil"
Imagebase:	0x7ff6121f0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:50:51
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff68c850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:50:51
Start date:	14/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff68c850000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:50:52
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:50:52
Start date:	14/01/2025
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 5
Imagebase:	0x7ff694f90000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:50:52
Start date:	14/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7564 -s 836
Imagebase:	0x7ff778f60000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.2%
Total number of Nodes:	1910
Total number of Limit Nodes:	91

Executed Functions

Function 00007FF76C313790 Relevance: 191.7, APIs: 96, Strings: 13, Instructions: 916
processsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF76C3784F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3157CA,?,?,?,?,?,?,?,00007FF76C31118E), ref: 00007FF76C37850A

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C313804
_Thrd_detach.MSVCP140 ref: 00007FF76C313833
GetStdHandle.KERNEL32 ref: 00007FF76C31384F
GetConsoleMode.KERNELBASE ref: 00007FF76C313860
SetConsoleMode.KERNELBASE ref: 00007FF76C313873
GetStdHandle.KERNEL32 ref: 00007FF76C31387E
GetConsoleScreenBufferInfoEx.KERNELBASE ref: 00007FF76C313895
SetConsoleScreenBufferInfoEx.KERNELBASE ref: 00007FF76C3138BB
GetConsoleMode.KERNELBASE ref: 00007FF76C3138C9
SetConsoleMode.KERNELBASE ref: 00007FF76C3138DD
GetConsoleWindow.KERNELBASE ref: 00007FF76C3138E3
GetWindowLongW.USER32 ref: 00007FF76C3138F4
SetWindowLongW.USER32 ref: 00007FF76C31390A
GetConsoleWindow.KERNELBASE ref: 00007FF76C313910
GetWindowRect.USER32 ref: 00007FF76C313920
MoveWindow.USER32 ref: 00007FF76C313946
SleepEx.KERNELBASE ref: 00007FF76C313951
GetStdHandle.KERNEL32 ref: 00007FF76C31395C
SetConsoleTextAttribute.KERNELBASE ref: 00007FF76C31396A

Part of subcall function 00007FF76C313570: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C313763

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C31397C
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C313989
GetStdHandle.KERNEL32 ref: 00007FF76C313994
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C3139A2

Part of subcall function 00007FF76C311B90: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C311BB4
Part of subcall function 00007FF76C311B90: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C311BD5

GetStdHandle.KERNEL32 ref: 00007FF76C3139C5
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C3139D3
GetStdHandle.KERNEL32 ref: 00007FF76C3139EA
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C3139F8
GetStdHandle.KERNEL32 ref: 00007FF76C313A0F
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313A1D
GetStdHandle.KERNEL32 ref: 00007FF76C313A34
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313A42
GetStdHandle.KERNEL32 ref: 00007FF76C313A59
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313A67
GetStdHandle.KERNEL32 ref: 00007FF76C313A7E
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313A8C
GetStdHandle.KERNEL32 ref: 00007FF76C313AAF
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313ABD
GetStdHandle.KERNEL32 ref: 00007FF76C313AD4
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313AE2
GetStdHandle.KERNEL32 ref: 00007FF76C313AF9
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313B07
GetStdHandle.KERNEL32 ref: 00007FF76C313B2A
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313B38
GetStdHandle.KERNEL32 ref: 00007FF76C313B4F
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313B5D
GetStdHandle.KERNEL32 ref: 00007FF76C313B74
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C313B82
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF76C313BA0
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C313BD7
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C314061
_localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF76C3140C2
strftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF76C3140F3
memmove.VCRUNTIME140 ref: 00007FF76C314142
memmove.VCRUNTIME140 ref: 00007FF76C3141D4
Sleep.KERNEL32 ref: 00007FF76C314491
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C31449E
GetStdHandle.KERNEL32 ref: 00007FF76C3144A9
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C3144B7
GetStdHandle.KERNEL32 ref: 00007FF76C3144DA
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C3144E8
GetStdHandle.KERNEL32 ref: 00007FF76C3144FF
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C31450D
GetStdHandle.KERNEL32 ref: 00007FF76C314524
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C314532
GetStdHandle.KERNEL32 ref: 00007FF76C314549
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C314557
GetStdHandle.KERNEL32 ref: 00007FF76C31456E
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C31457C
GetStdHandle.KERNEL32 ref: 00007FF76C314593
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C3145A1
GetStdHandle.KERNEL32 ref: 00007FF76C3145C4
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C3145D2
GetStdHandle.KERNEL32 ref: 00007FF76C3145E9
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C3145F7
GetStdHandle.KERNEL32 ref: 00007FF76C31460E
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C31461C

Part of subcall function 00007FF76C3784F0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C378520
Part of subcall function 00007FF76C3784F0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C378526

GetStdHandle.KERNEL32 ref: 00007FF76C31463F
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C31464D
GetStdHandle.KERNEL32 ref: 00007FF76C314664
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C314672
GetStdHandle.KERNEL32 ref: 00007FF76C314689
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C314697
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF76C3146B5
URLDownloadToFileA.URLMON ref: 00007FF76C31471D
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C31472A
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C314737
Sleep.KERNEL32 ref: 00007FF76C314742
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C31474A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C314751
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C314758
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C31475F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C314766
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C314774
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF76C3147B7
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF76C3147C8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C3147D5

Strings

Selecione a opcao: , xrefs: 00007FF76C313B88, 00007FF76C31469D
http://167.114.85.75/KMDF.exe, xrefs: 00007FF76C3146D1
[ Selecione uma opcao: ], xrefs: 00007FF76C3139D9, 00007FF76C3144EE
cd C:\, xrefs: 00007FF76C314723
cls, xrefs: 00007FF76C313975, 00007FF76C313982, 00007FF76C313BD0, 00007FF76C314497
##########################################################, xrefs: 00007FF76C3139B4, 00007FF76C3144C9
##########################################################, xrefs: 00007FF76C3139FE, 00007FF76C314513
Informacoes da Key: , xrefs: 00007FF76C313A92, 00007FF76C3145A7
C:\Windows\KMDF.exe, xrefs: 00007FF76C3146E2
O[L3{bC, xrefs: 00007FF76C313DB7
%a %m/%d/%y %H:%M:%S %Z, xrefs: 00007FF76C3140E3
start C:\Windows\KMDF.exe, xrefs: 00007FF76C314730
Iniciar Bypass: , xrefs: 00007FF76C313B0D, 00007FF76C314622

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Console$Handle$AttributeText$Windowsystem$_invalid_parameter_noinfo_noreturn$Mode$Concurrency::cancel_current_taskSleep$??5?$basic_istream@BufferCpp_error@std@@D@std@@@std@@InfoLongScreenThrow_U?$char_traits@V01@memmove$DownloadFileMoveRectThrd_detach__acrt_iob_func__stdio_common_vfprintf_beginthreadex_localtime64_sexitmallocstrftimestrtolterminate
String ID: Informacoes da Key: $ Iniciar Bypass: $ Selecione a opcao: $##########################################################$##########################################################$%a %m/%d/%y %H:%M:%S %Z$C:\Windows\KMDF.exe$O[L3{bC$[ Selecione uma opcao: ]$cd C:\$cls$http://167.114.85.75/KMDF.exe$start C:\Windows\KMDF.exe
API String ID: 2610904833-770532400
Opcode ID: 8e83d5c6a47920a14e129d855d6b53270a34d5ab458b7d8379ec2d018bf0d079
Instruction ID: 584983ed998f59d243bf3acf1dbff1da433948f07fba180cea37761830b2d507
Opcode Fuzzy Hash: 8e83d5c6a47920a14e129d855d6b53270a34d5ab458b7d8379ec2d018bf0d079
Instruction Fuzzy Hash: 1B92D621D19683C5FB02BB36D8159B8B360EF56796F808339E91D16AE5EF3CE185C321

Function 00007FF76C3532CD Relevance: 116.1, APIs: 43, Strings: 23, Instructions: 552stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C353428
strchr.VCRUNTIME140 ref: 00007FF76C353454
strchr.VCRUNTIME140 ref: 00007FF76C35348E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3534B2
strchr.VCRUNTIME140 ref: 00007FF76C3535C2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3535DA

Strings

schannel: unable to allocate memory, xrefs: 00007FF76C35394C, 00007FF76C353BD7
LocalMachine, xrefs: 00007FF76C3534E3
Services, xrefs: 00007FF76C353527
schannel: AcquireCredentialsHandle failed: %s, xrefs: 00007FF76C353A45
CurrentUserGroupPolicy, xrefs: 00007FF76C35355D
Users, xrefs: 00007FF76C353546
schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 00007FF76C353894
Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00007FF76C3534C7
schannel: Failed to read cert file %s, xrefs: 00007FF76C353989
schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 00007FF76C353640
LocalMachineEnterprise, xrefs: 00007FF76C35359B
Microsoft Unified Security Protocol Provider, xrefs: 00007FF76C3539CF
CurrentService, xrefs: 00007FF76C353505
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF76C353AC3
schannel: TLS 1.3 is not yet supported, xrefs: 00007FF76C35335B
LocalMachineGroupPolicy, xrefs: 00007FF76C35357C
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF76C353869
schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 00007FF76C3538DF
http/1.1, xrefs: 00007FF76C353AE3
CurrentUser, xrefs: 00007FF76C3534A2
schannel: Failed to get certificate location or file for %s, xrefs: 00007FF76C3539B2
http/1.1, xrefs: 00007FF76C353AF7
schannel: ALPN, offering %s, xrefs: 00007FF76C353B05

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strchr$_strdupstrncmpstrtol
String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$Services$Unable to set ciphers to passed via SSL_CONN_CONFIG$Users$http/1.1$http/1.1$schannel: ALPN, offering %s$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: TLS 1.3 is not yet supported$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.
API String ID: 707411602-3372543188
Opcode ID: 0e9624d2271164690d4c89ec25625efcdf37d709121030a49ad146a9211cd1c5
Instruction ID: f7771ba75f2897de32e791d50f0fb076d6a68bfab9554a70ef2132d951e3f803
Opcode Fuzzy Hash: 0e9624d2271164690d4c89ec25625efcdf37d709121030a49ad146a9211cd1c5
Instruction Fuzzy Hash: 7C42B061A09B42C1EBA4AB27D440AB9BBA0FF45B96FC0413DDA1E47794DF3CE544C722

Function 00007FF76C322B00 Relevance: 58.7, APIs: 21, Strings: 12, Instructions: 908
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF76C322B5F
UuidCreate.RPCRT4 ref: 00007FF76C322BB0
UuidToStringA.RPCRT4 ref: 00007FF76C322BCB
RpcStringFreeA.RPCRT4 ref: 00007FF76C322C00
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C322D4E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C322DED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C32303E

Part of subcall function 00007FF76C317300: memmove.VCRUNTIME140(?,?,00000008,?,?,?,?,00007FF76C321ACD), ref: 00007FF76C31740B
Part of subcall function 00007FF76C317300: memmove.VCRUNTIME140(?,?,00000008,?,?,?,?,00007FF76C321ACD), ref: 00007FF76C31741A

Part of subcall function 00007FF76C321A90: memmove.VCRUNTIME140 ref: 00007FF76C321B0C
Part of subcall function 00007FF76C321A90: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C321B6B
Part of subcall function 00007FF76C321A90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C321BA5
Part of subcall function 00007FF76C321A90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C321BF7

Part of subcall function 00007FF76C315550: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3155A8

memcmp.VCRUNTIME140 ref: 00007FF76C3232A9
MessageBoxA.USER32 ref: 00007FF76C323341
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C323349
memset.VCRUNTIME140 ref: 00007FF76C323407
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF76C3234D2
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140 ref: 00007FF76C3234F1
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF76C32350F
memcmp.VCRUNTIME140 ref: 00007FF76C323570
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C322E2C

Part of subcall function 00007FF76C31FEB0: memmove.VCRUNTIME140 ref: 00007FF76C31FEE1

MessageBoxA.USER32 ref: 00007FF76C323BA9
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C323BB1

Strings

W]GP, xrefs: 00007FF76C324B38
ND[C, xrefs: 00007FF76C323929
YN_^, xrefs: 00007FF76C323674
B@QU, xrefs: 00007FF76C323933
GN_^, xrefs: 00007FF76C32338D
K\C, xrefs: 00007FF76C324C28
BFTG, xrefs: 00007FF76C32383F
WA, xrefs: 00007FF76C323847
9/0$, xrefs: 00007FF76C323AC8
^R\H, xrefs: 00007FF76C322EB2
CEJB, xrefs: 00007FF76C324D5F
Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00007FF76C323594, 00007FF76C324BE5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$??6?$basic_ostream@CreateD@std@@@std@@MessageStringU?$char_traits@UuidV01@exitmemcmp$?setw@std@@FreeJ@1@_Smanip@_ThreadU?$_V21@@Vios_base@1@memsetsystem
String ID: 9/0$$B@QU$BFTG$CEJB$GN_^$K\C$ND[C$Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $WA$W]GP$YN_^$^R\H
API String ID: 2665268123-4031576690
Opcode ID: aeaec02193e3c949c61d92025d3771b3f9f26bf87d2a4300e1b57fdd01a6c616
Instruction ID: 46c1f4aaba596466822b8fdaa6264fd32f4599e82e7404b9bcbc1128a09f0a89
Opcode Fuzzy Hash: aeaec02193e3c949c61d92025d3771b3f9f26bf87d2a4300e1b57fdd01a6c616
Instruction Fuzzy Hash: A9A2E222918BC1C9EB21EF35D8457ECB761FB85748F801239DA8D1BA9ADF78D284C351

Function 00007FF76C3428D0 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF76C3428F8
WSACleanup.WS2_32 ref: 00007FF76C342913
GetModuleHandleA.KERNEL32 ref: 00007FF76C342964
GetProcAddress.KERNEL32 ref: 00007FF76C342990
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3429AA
LoadLibraryA.KERNEL32 ref: 00007FF76C3429CD
GetProcAddress.KERNEL32 ref: 00007FF76C3429EA
LoadLibraryExA.KERNELBASE ref: 00007FF76C342A00
GetSystemDirectoryA.KERNEL32 ref: 00007FF76C342A16
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C342A2E
GetSystemDirectoryA.KERNEL32 ref: 00007FF76C342A42
LoadLibraryA.KERNEL32 ref: 00007FF76C342AB0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C342ABC
GetProcAddress.KERNEL32 ref: 00007FF76C342AE8
VerSetConditionMask.KERNEL32 ref: 00007FF76C342B71
VerSetConditionMask.KERNEL32 ref: 00007FF76C342B84
VerSetConditionMask.KERNEL32 ref: 00007FF76C342B93
VerSetConditionMask.KERNEL32 ref: 00007FF76C342BA2
VerSetConditionMask.KERNEL32 ref: 00007FF76C342BB2
VerifyVersionInfoA.KERNEL32 ref: 00007FF76C342BC3
QueryPerformanceFrequency.KERNEL32 ref: 00007FF76C342BDF

Strings

LoadLibraryExA, xrefs: 00007FF76C34297E
if_nametoindex, xrefs: 00007FF76C342ADE
AddDllDirectory, xrefs: 00007FF76C3429E0
kernel32, xrefs: 00007FF76C34294B
iphlpapi.dll, xrefs: 00007FF76C342996

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ConditionMask$AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleInfoModulePerformanceQueryStartupVerifyVersionfreemallocstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 2612373469-2794540096
Opcode ID: 4872d325a19d9fb6c40740734e13ce5fd15efe50214027a5591dfac4347baa5e
Instruction ID: d96b88daff41a3446a2cdd1b9ae897527d44a13530ec28cbe7356f616543171a
Opcode Fuzzy Hash: 4872d325a19d9fb6c40740734e13ce5fd15efe50214027a5591dfac4347baa5e
Instruction Fuzzy Hash: 3B919421A0D782C1EB60AB13E9487B9B3A0FF89B85F848139C94E5B754EF2CE445C771

Function 00007FF76C341C20 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memmove.VCRUNTIME140 ref: 00007FF76C341CBC
socket.WS2_32 ref: 00007FF76C341D05
htons.WS2_32 ref: 00007FF76C341D91
setsockopt.WS2_32 ref: 00007FF76C341DF3
WSAGetLastError.WS2_32 ref: 00007FF76C341DFD
getsockopt.WS2_32 ref: 00007FF76C341E9F
setsockopt.WS2_32 ref: 00007FF76C341ECE
setsockopt.WS2_32 ref: 00007FF76C341F0D
WSAIoctl.WS2_32 ref: 00007FF76C341F9A
WSAGetLastError.WS2_32 ref: 00007FF76C341FA4

Part of subcall function 00007FF76C34E020: ioctlsocket.WS2_32 ref: 00007FF76C34E039

Part of subcall function 00007FF76C346B40: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF76C32F78F), ref: 00007FF76C346B57

connect.WS2_32 ref: 00007FF76C3420CB
WSAGetLastError.WS2_32 ref: 00007FF76C3420E8

Part of subcall function 00007FF76C329BF0: GetLastError.KERNEL32 ref: 00007FF76C329C12
Part of subcall function 00007FF76C329BF0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329C1A

Part of subcall function 00007FF76C33FA50: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB75
Part of subcall function 00007FF76C33FA50: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB90

Part of subcall function 00007FF76C340530: closesocket.WS2_32 ref: 00007FF76C340573

Strings

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00007FF76C341FAD
Failed to set SO_KEEPALIVE on fd %d, xrefs: 00007FF76C341F1A
Immediate connect fail for %s: %s, xrefs: 00007FF76C342118
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00007FF76C34218E
@, xrefs: 00007FF76C341E37
Could not set TCP_NODELAY: %s, xrefs: 00007FF76C341E1A
Trying %s:%ld..., xrefs: 00007FF76C341D9F

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast$setsockopt$fwrite$CounterIoctlPerformanceQuery_errnoclosesocketconnectgetsockopthtonsioctlsocketmemmovesocket
String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 1781130894-3868455274
Opcode ID: 2b5a2510aa50124972eb9ca0f9588a045ade6e9fe1a179ee9cc75cd6561153bb
Instruction ID: 1724880766089ba5d6f1ffb63e508408f7263cc5be8c27211fde564bcd8794d0
Opcode Fuzzy Hash: 2b5a2510aa50124972eb9ca0f9588a045ade6e9fe1a179ee9cc75cd6561153bb
Instruction Fuzzy Hash: 8EF1E671A08682C6E750EB26D844ABDB3A0FB45749FC0813DEA4D8B794DF3DE549CB21

Function 00007FF76C325740 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF76C32582D
OpenProcessToken.ADVAPI32 ref: 00007FF76C32583F
GetTokenInformation.KERNELBASE ref: 00007FF76C325864
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32586D
GetTokenInformation.KERNELBASE ref: 00007FF76C325898
IsValidSid.ADVAPI32 ref: 00007FF76C3258A9
GetLengthSid.ADVAPI32 ref: 00007FF76C3258BA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3258C5
InitializeAcl.ADVAPI32 ref: 00007FF76C3258DE
AddAccessAllowedAce.ADVAPI32 ref: 00007FF76C3258F9
GetCurrentProcess.KERNEL32 ref: 00007FF76C325903
SetSecurityInfo.ADVAPI32 ref: 00007FF76C325926
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C325935
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32593E
CloseHandle.KERNELBASE ref: 00007FF76C32594D
GetModuleHandleA.KERNEL32 ref: 00007FF76C3259D3
GetCurrentProcess.KERNEL32 ref: 00007FF76C3259DC
GetModuleInformation.PSAPI ref: 00007FF76C3259F2
SleepEx.KERNELBASE ref: 00007FF76C325AA5

Strings

Pattern checksum failed, don't tamper with the program., xrefs: 00007FF76C325A7B
check_section_integrity() failed, don't tamper with the program., xrefs: 00007FF76C3257FD
LockMemAccess() failed, don't tamper with the program., xrefs: 00007FF76C325962

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Process$CurrentInformationToken$HandleModulefreemalloc$AccessAllowedCloseInfoInitializeLengthOpenSecuritySleepValid
String ID: LockMemAccess() failed, don't tamper with the program.$Pattern checksum failed, don't tamper with the program.$check_section_integrity() failed, don't tamper with the program.
API String ID: 2765164163-3085296333
Opcode ID: dbc6a34358edf015fdd5a397761274142b1365d3841517b9439bd518cf2b0785
Instruction ID: 1f47b1ee9ec3be01c84302f710944a22197094be731c704e9f6eaae5e9a9308f
Opcode Fuzzy Hash: dbc6a34358edf015fdd5a397761274142b1365d3841517b9439bd518cf2b0785
Instruction Fuzzy Hash: 42A19E32A19782C9EB00EF62D455ABDB7B0FB45B49F804538DA4D1BA99DF3CD209C325

Function 00007FF76C329400 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF76C329428
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329430

Strings

Unknown error, xrefs: 00007FF76C329920
SEC_I_CONTINUE_NEEDED, xrefs: 00007FF76C32988C
%s (0x%08X), xrefs: 00007FF76C329485
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 00007FF76C329939
CRYPT_E_REVOKED, xrefs: 00007FF76C329862
No error, xrefs: 00007FF76C329880
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_CONTINUE_NEEDED$Unknown error
API String ID: 3939687465-1752685260
Opcode ID: d1cd40ccc3b4c734d3b50056bbea7e2c8efc7a7ceefb2c843091186e0d6d3f74
Instruction ID: ab83a41ccf26345b83fd4de492a6bfffe01216459128ea0a08f01161b71811ed
Opcode Fuzzy Hash: d1cd40ccc3b4c734d3b50056bbea7e2c8efc7a7ceefb2c843091186e0d6d3f74
Instruction Fuzzy Hash: 6651C121A0C782C9FB60AF22A445BBAF765FB85796FC44539CA4D06695CF3CE404C632

Function 00007FF76C3425B0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF76C36B70A,?,?,?,?,00007FF76C34293B), ref: 00007FF76C3425C4
GetProcAddress.KERNEL32(?,?,?,?,00007FF76C34293B), ref: 00007FF76C3425E9
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF76C34293B), ref: 00007FF76C3425FC

Strings

LoadLibraryExA, xrefs: 00007FF76C3425DA
AddDllDirectory, xrefs: 00007FF76C342643
kernel32, xrefs: 00007FF76C3425BD

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 27745253-3327535076
Opcode ID: 315b0eebd0cc31cdeae7e4329cee2aba8adf1212ef2c096617c568d4166ec44f
Instruction ID: 5bc3f62950d12a33333216e696a1571bc72be3be8bfcc5e10e33f783e04f1c03
Opcode Fuzzy Hash: 315b0eebd0cc31cdeae7e4329cee2aba8adf1212ef2c096617c568d4166ec44f
Instruction Fuzzy Hash: 5341FC12B0A642C1FB05AF17A904539B7A1EF46BE2F888138CE0D4B790DE3DD48AC731

Function 00007FF76C34DDF0 Relevance: 22.6, APIs: 15, Instructions: 127
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF76C34DE31
htonl.WS2_32 ref: 00007FF76C34DE5E
setsockopt.WS2_32 ref: 00007FF76C34DE95
bind.WS2_32 ref: 00007FF76C34DEB0
getsockname.WS2_32 ref: 00007FF76C34DECC
listen.WS2_32 ref: 00007FF76C34DEE1
socket.WS2_32 ref: 00007FF76C34DEF8
connect.WS2_32 ref: 00007FF76C34DF17
accept.WS2_32 ref: 00007FF76C34DF2E
send.WS2_32 ref: 00007FF76C34DF7C
recv.WS2_32 ref: 00007FF76C34DF9A
closesocket.WS2_32 ref: 00007FF76C34DFC1

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: socket$acceptbindclosesocketconnectgetsocknamehtonllistenrecvsendsetsockopt
String ID:
API String ID: 168862445-0
Opcode ID: d63aad0e708308e9982271fd4dfb771163dbcc6aadaa09a663a9854ceda95677
Instruction ID: d100117b0c7db6e17c71c865b2a2f858dc0ed31eface30fc6b32197ffd396296
Opcode Fuzzy Hash: d63aad0e708308e9982271fd4dfb771163dbcc6aadaa09a663a9854ceda95677
Instruction Fuzzy Hash: 7E51C831618A81C1D720AF26E844969B361FF45BB6F905738EA7E0BAE4DF3CD449C721

Function 00007FF76C3408E0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

connect to %s port %ld failed: %s, xrefs: 00007FF76C340B5D
Connection time-out, xrefs: 00007FF76C3409C9
Connection failed, xrefs: 00007FF76C340CC6
Failed to connect to %s port %ld: %s, xrefs: 00007FF76C340E0E
After %I64dms connect time, move on!, xrefs: 00007FF76C340AA5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
API String ID: 0-3307081561
Opcode ID: 35ddda60072be1b82066e66c520409bd8b5c02298e670ff7c99eea46cb2c83e1
Instruction ID: 9e372e973942a89ae3459c49769db6b0440342b1c9ddd73871d4fce90778a1f2
Opcode Fuzzy Hash: 35ddda60072be1b82066e66c520409bd8b5c02298e670ff7c99eea46cb2c83e1
Instruction Fuzzy Hash: C1E10331B08AC2C2EB54AB26D944ABDB7A0FB45795F808239EA5D0B7D1DF3CE458C711

Function 00007FF76C32FD20 Relevance: 4.8, APIs: 3, Instructions: 309networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF76C330116
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C330137

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freerecv
String ID:
API String ID: 2032557106-0
Opcode ID: cbf2f302d8d5cbd4e250dcd541a8e96e372b699c05a7429feaa5665b8696d7b8
Instruction ID: 9b374ff76163412c4385f682bc0c429ab34c9cd581caf4c98f02e01f7eb17dbb
Opcode Fuzzy Hash: cbf2f302d8d5cbd4e250dcd541a8e96e372b699c05a7429feaa5665b8696d7b8
Instruction Fuzzy Hash: 28C10836A086D2C6EB759B26D440BBAB2A0FF487A9F844239DE9E437C4DF3CD4418751

Function 00007FF76C353DE0 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C353ED0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C353F21
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C353F64
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C354047
memmove.VCRUNTIME140 ref: 00007FF76C3540E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C354152
memmove.VCRUNTIME140 ref: 00007FF76C35422A
memset.VCRUNTIME140 ref: 00007FF76C3543F7
CertFreeCertificateContext.CRYPT32 ref: 00007FF76C35445A

Strings

schannel: unable to allocate memory, xrefs: 00007FF76C35454F
schannel: next InitializeSecurityContext failed: %s, xrefs: 00007FF76C3542EE, 00007FF76C354502
SSL: failed retrieving public key from server certificate, xrefs: 00007FF76C35447A
schannel: SNI or certificate check failed: %s, xrefs: 00007FF76C3542BB
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF76C35449A
SSL: public key does not match pinned public key!, xrefs: 00007FF76C35443C, 00007FF76C354464
schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 00007FF76C354304
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 00007FF76C354256
schannel: unable to re-allocate memory, xrefs: 00007FF76C353F72

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: malloc$memmove$CertCertificateContextFreefreememsetrealloc
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key!$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 3540109735-3059304359
Opcode ID: 01a8396fcf8a8984c2b0b77adef490cd8866a73293fdb215e71c9c8c00139fae
Instruction ID: cb2f96bd85774b4158801cb00d96b93126435d3715f91347e17a7ee6567d7ace
Opcode Fuzzy Hash: 01a8396fcf8a8984c2b0b77adef490cd8866a73293fdb215e71c9c8c00139fae
Instruction Fuzzy Hash: 0212BF72A08B81C5EB64DB2AD840BAEBBA4FB44B86F90013ADB5D47794DF3CE451C711

Function 00007FF76C353000 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF76C3530D1
GetProcAddress.KERNEL32 ref: 00007FF76C3530E1

Strings

schannel: unable to allocate memory, xrefs: 00007FF76C353BD7
Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 00007FF76C353A7F
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF76C353172
schannel: SNI or certificate check failed: %s, xrefs: 00007FF76C353CBD
schannel: initial InitializeSecurityContext failed: %s, xrefs: 00007FF76C353C9C, 00007FF76C353CE3
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00007FF76C353D79
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF76C353AC3
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 00007FF76C3530B2
ntdll, xrefs: 00007FF76C3530CA
http/1.1, xrefs: 00007FF76C353AE3
wine_get_version, xrefs: 00007FF76C3530DA
http/1.1, xrefs: 00007FF76C353AF7
schannel: ALPN, offering %s, xrefs: 00007FF76C353B05

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Unrecognized parameter passed via CURLOPT_SSLVERSION$http/1.1$http/1.1$ntdll$schannel: ALPN, offering %s$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 1646373207-2477831187
Opcode ID: ebe7249b8a623ee0adaacdaa9af966c55755f1c81da76e672cad530d957ca62b
Instruction ID: 196fac7203bf3bdecadde02b565af7431d39cbec18949d36731a87dd927e8999
Opcode Fuzzy Hash: ebe7249b8a623ee0adaacdaa9af966c55755f1c81da76e672cad530d957ca62b
Instruction Fuzzy Hash: F702D172A08B81CAEB90AB26D840BEDBBA4FB44786F804139DB4D47791DF3CE545C751

Function 00007FF76C335210 Relevance: 28.7, APIs: 19, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335242
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3352DD
InitializeCriticalSectionEx.KERNEL32 ref: 00007FF76C3352F6

Part of subcall function 00007FF76C34DDF0: socket.WS2_32 ref: 00007FF76C34DE31

DeleteCriticalSection.KERNEL32 ref: 00007FF76C335330
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33533A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335344
closesocket.WS2_32 ref: 00007FF76C335362
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335398
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C33539E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3353CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3353E7
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3353F0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C335425
EnterCriticalSection.KERNEL32 ref: 00007FF76C335446
LeaveCriticalSection.KERNEL32 ref: 00007FF76C33545A
CloseHandle.KERNEL32 ref: 00007FF76C335467
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335492
closesocket.WS2_32 ref: 00007FF76C3354AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3354BF

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$CriticalSection$_errno_strdupclosesocket$CloseDeleteEnterHandleInitializeLeavecallocmallocsocket
String ID:
API String ID: 259767416-0
Opcode ID: 3cea796c4ab6d43bb44ebccbaba82a4bb8b4cab9e88935d4d37f5a9545faa07b
Instruction ID: 5e5c046bc69af685bf82a1aff555da3ba940078f937d7a97c887404e6de1ec54
Opcode Fuzzy Hash: 3cea796c4ab6d43bb44ebccbaba82a4bb8b4cab9e88935d4d37f5a9545faa07b
Instruction Fuzzy Hash: 8D815B26E09B81C2E624EF22E450669B370FB99B65F445239CB9E037A1DF78E4D48311

Function 00007FF76C33C880 Relevance: 28.6, APIs: 6, Strings: 10, Instructions: 557COMMON

Download Yara Rule

Strings

ftp@example.com, xrefs: 00007FF76C33CA3F
Re-using existing connection! (#%ld) with %s %s, xrefs: 00007FF76C33CF63
NTLM-proxy picked AND auth done set, clear picked!, xrefs: 00007FF76C33D100
No connections available., xrefs: 00007FF76C33D021
anonymous, xrefs: 00007FF76C33CA38
NTLM picked AND auth done set, clear picked!, xrefs: 00007FF76C33D0D2
No connections available in cache, xrefs: 00007FF76C33D27B
No more connections allowed to host %s: %zu, xrefs: 00007FF76C33D012
host, xrefs: 00007FF76C33CF50
proxy, xrefs: 00007FF76C33CF42

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!$No connections available in cache$No connections available.$No more connections allowed to host %s: %zu$Re-using existing connection! (#%ld) with %s %s$anonymous$ftp@example.com$host$proxy
API String ID: 0-760484938
Opcode ID: a4ee3c226da19ac9b3bfc119dafb89bea3250f5e273201e9c10916868d071bb9
Instruction ID: bb986652e40e33c38dbfba7af99dbcae924b1dd76d75aca35cc1a316ea5b1617
Opcode Fuzzy Hash: a4ee3c226da19ac9b3bfc119dafb89bea3250f5e273201e9c10916868d071bb9
Instruction Fuzzy Hash: 0C42B322A09BC2D1EB98AB26D540BF9B3A0FB45B85F844139CE5D47795DF3CE461C322

Function 00007FF76C320410 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF76C32045C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3205D5
_popen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C32061B
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C320648
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C320692
_pclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C3206A0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3206DB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C32072D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C32076C

Part of subcall function 00007FF76C31DB90: __std_exception_copy.VCRUNTIME140 ref: 00007FF76C31DBDD

_CxxThrowException.VCRUNTIME140 ref: 00007FF76C3207DC

Strings

certutil -hashfile ", xrefs: 00007FF76C3204D1
>, xrefs: 00007FF76C320605

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$fgets$ExceptionFileModuleNameThrow__std_exception_copy_pclose_popen
String ID: >$certutil -hashfile "
API String ID: 2652878437-631556956
Opcode ID: 42e81e09b282e3ce56ef6d79b2f5cfc8eb907fe3127405b72f82002261537153
Instruction ID: 36518cf0929d4239c9c3a83192f9e9c4590ff9e65257455beac7d85c0923a8aa
Opcode Fuzzy Hash: 42e81e09b282e3ce56ef6d79b2f5cfc8eb907fe3127405b72f82002261537153
Instruction Fuzzy Hash: 8AB1E232A18B81C5FB109B25E4407ADB771FB857A8F905239EA9D13AE9DF3CD184C721

Function 00007FF76C341260 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 161
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getpeername.WS2_32 ref: 00007FF76C3412CC
WSAGetLastError.WS2_32 ref: 00007FF76C3412D6

Part of subcall function 00007FF76C329BF0: GetLastError.KERNEL32 ref: 00007FF76C329C12
Part of subcall function 00007FF76C329BF0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329C1A

getsockname.WS2_32 ref: 00007FF76C341356
WSAGetLastError.WS2_32 ref: 00007FF76C341360

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 00007FF76C34147C
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00007FF76C3413E6
getpeername() failed with errno %d: %s, xrefs: 00007FF76C3412F6
getsockname() failed with errno %d: %s, xrefs: 00007FF76C341380

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast$_errnogetpeernamegetsockname
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 2911674258-670633250
Opcode ID: dfd64f3e4ee894f2a2cd0aee9ce05e39984ea76269b8298c7e1ada0bd8398cfe
Instruction ID: 6a272b5d2c71c30a93a880c1f272af6f1047a3dcdfb08cb26bd467f4ded79a2f
Opcode Fuzzy Hash: dfd64f3e4ee894f2a2cd0aee9ce05e39984ea76269b8298c7e1ada0bd8398cfe
Instruction Fuzzy Hash: AD91B032A19BC1C2D710DF26D4446E9B3A0FB99B88F84923ADE4C4B715DF39E195CB21

Function 00007FF76C351A60 Relevance: 19.6, APIs: 13, Instructions: 128
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 00007FF76C351A82
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351AEE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351B28
memmove.VCRUNTIME140(?,?,?,00007FF76C335155), ref: 00007FF76C351B41
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351B4F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351B8A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351B93
freeaddrinfo.WS2_32(?,?,?,00007FF76C335155), ref: 00007FF76C351BC1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351BD5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351BDF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351BEC
WSASetLastError.WS2_32(?,?,?,00007FF76C335155), ref: 00007FF76C351C0D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc$ErrorLast_strdupfreeaddrinfogetaddrinfomemmove
String ID:
API String ID: 2030585312-0
Opcode ID: c73a1ddb93678955e96ed9fe8250f35de1f3267e0c47f90d42628c61896ab2c1
Instruction ID: fad6d731346d073dcbf68c7f0694d90c917fd534efbe0210fae2674721383a55
Opcode Fuzzy Hash: c73a1ddb93678955e96ed9fe8250f35de1f3267e0c47f90d42628c61896ab2c1
Instruction Fuzzy Hash: 5C513F36A09B41C2EA65AF13A540939FBA0FF48B91F844139CF4E17750EF3CE8448761

Function 00007FF76C34F370 Relevance: 16.7, APIs: 11, Instructions: 241sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF76C34F3CD
Sleep.KERNEL32 ref: 00007FF76C34F3DE
WSASetLastError.WS2_32 ref: 00007FF76C34F548
Sleep.KERNEL32 ref: 00007FF76C34F559
__WSAFDIsSet.WS2_32 ref: 00007FF76C34F60C
__WSAFDIsSet.WS2_32 ref: 00007FF76C34F623
__WSAFDIsSet.WS2_32 ref: 00007FF76C34F63E
__WSAFDIsSet.WS2_32 ref: 00007FF76C34F652
__WSAFDIsSet.WS2_32 ref: 00007FF76C34F66D
__WSAFDIsSet.WS2_32 ref: 00007FF76C34F681

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 6c89998b3861bb271573c33cc10dd2f140672442e4191bc457384d7c51f1ad03
Instruction ID: 9e7350ac1837eed07692edd0a74f345451359554a75fd47c03d760d6586d2c5b
Opcode Fuzzy Hash: 6c89998b3861bb271573c33cc10dd2f140672442e4191bc457384d7c51f1ad03
Instruction Fuzzy Hash: 4D910E31B0C682C6E765AE26AC409B9F291FF4C35AF98813DD91D8EBC4DE3CD9448625

Function 00007FF76C3201F0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 141filememoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF76C32021E

Part of subcall function 00007FF76C31EB60: GetCurrentProcess.KERNEL32 ref: 00007FF76C31EB8F
Part of subcall function 00007FF76C31EB60: QueryFullProcessImageNameW.KERNELBASE ref: 00007FF76C31EBA4
Part of subcall function 00007FF76C31EB60: CreateFileW.KERNELBASE ref: 00007FF76C31EBD2
Part of subcall function 00007FF76C31EB60: CreateFileMappingW.KERNELBASE ref: 00007FF76C31EBF9
Part of subcall function 00007FF76C31EB60: CloseHandle.KERNEL32 ref: 00007FF76C31EC07

VirtualProtect.KERNEL32 ref: 00007FF76C32037A
VirtualProtect.KERNEL32 ref: 00007FF76C3203A2
UnmapViewOfFile.KERNEL32 ref: 00007FF76C3203B5
CloseHandle.KERNELBASE ref: 00007FF76C3203C0
UnmapViewOfFile.KERNEL32 ref: 00007FF76C3203D7
CloseHandle.KERNEL32 ref: 00007FF76C3203E0

Strings

@, xrefs: 00007FF76C320369
MZ, xrefs: 00007FF76C320230

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: FileHandle$Close$CreateProcessProtectUnmapViewVirtual$CurrentFullImageMappingModuleNameQuery
String ID: @$MZ
API String ID: 1757686097-1266540735
Opcode ID: 38d93b1ba382539a941b458f15fcb31aec6d553212edffd4774a9d6343df3541
Instruction ID: 98a7f37057286532e70d8bcd184cf4b1e2fa849e810ce263cbd2ba8ee1b4edd1
Opcode Fuzzy Hash: 38d93b1ba382539a941b458f15fcb31aec6d553212edffd4774a9d6343df3541
Instruction Fuzzy Hash: E251B232A08682C3EE64AB169590A7DB7A1FF85B59F844139DB8D03785DF3CE449C721

Function 00007FF76C329562 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF76C3294D9
strchr.VCRUNTIME140 ref: 00007FF76C329500
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32999F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299B5
GetLastError.KERNEL32 ref: 00007FF76C3299BE
SetLastError.KERNEL32 ref: 00007FF76C3299CA

Strings

%s (0x%08X), xrefs: 00007FF76C329485
SEC_E_CANNOT_PACK, xrefs: 00007FF76C329562
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_PACK
API String ID: 600764987-1502336670
Opcode ID: 2ce5276a5cc664a886a814e98f296c9e857e3f15d8c7c5f5c118684607e67c7c
Instruction ID: 3f7c86c64c711b2e31b7700f5aa0b74187e16379db8da9abb65ec87261b0b2aa
Opcode Fuzzy Hash: 2ce5276a5cc664a886a814e98f296c9e857e3f15d8c7c5f5c118684607e67c7c
Instruction Fuzzy Hash: EE31812260D7C2C9EA21AF22E4557AEF7A4FB85756F80053DCA8D02A95CF3CD544CB36

Function 00007FF76C32956E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF76C3294D9
strchr.VCRUNTIME140 ref: 00007FF76C329500
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32999F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299B5
GetLastError.KERNEL32 ref: 00007FF76C3299BE
SetLastError.KERNEL32 ref: 00007FF76C3299CA

Strings

SEC_E_CERT_EXPIRED, xrefs: 00007FF76C32956E
%s (0x%08X), xrefs: 00007FF76C329485
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_EXPIRED
API String ID: 600764987-3862749013
Opcode ID: 91b5616460a0af12a7406937b79b1e441725fa28e22edcf4789f462d657d5b44
Instruction ID: 415d2112e7c51eae321eb3536685a195e5975bf50abb4d660e99540075ee4a8f
Opcode Fuzzy Hash: 91b5616460a0af12a7406937b79b1e441725fa28e22edcf4789f462d657d5b44
Instruction Fuzzy Hash: B731812260D7C2C9EA21AF22E4557AEF7A4FB85756F80053DCA8D02A55CF3CD544CB36

Function 00007FF76C32957A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF76C3294D9
strchr.VCRUNTIME140 ref: 00007FF76C329500
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32999F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299B5
GetLastError.KERNEL32 ref: 00007FF76C3299BE
SetLastError.KERNEL32 ref: 00007FF76C3299CA

Strings

%s (0x%08X), xrefs: 00007FF76C329485
SEC_E_CERT_UNKNOWN, xrefs: 00007FF76C32957A
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_UNKNOWN
API String ID: 600764987-1381340633
Opcode ID: 72fe8ae3f33d2f7f43d5b5c9da451da30333587a853f2dbec50f57c52d1a1a92
Instruction ID: 7732f7456ee098455bcfa93520e4f74b4f07c659ec50a9c29a2ef18f979f1676
Opcode Fuzzy Hash: 72fe8ae3f33d2f7f43d5b5c9da451da30333587a853f2dbec50f57c52d1a1a92
Instruction Fuzzy Hash: 8B31832260D7C1C9EA21AF22E4557AEF7A4FB85756F80053DCA8D02A95CF3CD544CB35

Function 00007FF76C329532 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF76C3294D9
strchr.VCRUNTIME140 ref: 00007FF76C329500
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32999F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299B5
GetLastError.KERNEL32 ref: 00007FF76C3299BE
SetLastError.KERNEL32 ref: 00007FF76C3299CA

Strings

%s (0x%08X), xrefs: 00007FF76C329485
SEC_E_BAD_BINDINGS, xrefs: 00007FF76C329532
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_BINDINGS
API String ID: 600764987-2710416593
Opcode ID: f1a8deda9fbddce59cbbdb6f4da1c785ec9d58355b47cd71b992628e989ea143
Instruction ID: 93041bd6927f8343fad259691e60a117df970b0b28159477fba5be38ae51960b
Opcode Fuzzy Hash: f1a8deda9fbddce59cbbdb6f4da1c785ec9d58355b47cd71b992628e989ea143
Instruction Fuzzy Hash: 9F31812260D7C2C9EA21AF22E4557AEF7A4FB85756F80053DCA8D02A55CF3CD544CB36

Function 00007FF76C32953E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF76C3294D9
strchr.VCRUNTIME140 ref: 00007FF76C329500
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32999F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299B5
GetLastError.KERNEL32 ref: 00007FF76C3299BE
SetLastError.KERNEL32 ref: 00007FF76C3299CA

Strings

SEC_E_BAD_PKGID, xrefs: 00007FF76C32953E
%s (0x%08X), xrefs: 00007FF76C329485
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_PKGID
API String ID: 600764987-1052566392
Opcode ID: 8acdbdbfed93b79d10794a5d665c971d4e5c62445efd2b0aad0b461d1cb45db7
Instruction ID: 70ce0c60b05524a983e9f8e800795fc7bd25cb33f6ff027e9e04ad4fa0c7b2b7
Opcode Fuzzy Hash: 8acdbdbfed93b79d10794a5d665c971d4e5c62445efd2b0aad0b461d1cb45db7
Instruction Fuzzy Hash: 3E31812260D7C2C9EA21AF22E4557AEF7A4FB85756F80053DCA8D02A95CF3CD544CB36

Function 00007FF76C32954A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF76C3294D9
strchr.VCRUNTIME140 ref: 00007FF76C329500
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32999F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299B5
GetLastError.KERNEL32 ref: 00007FF76C3299BE
SetLastError.KERNEL32 ref: 00007FF76C3299CA

Strings

%s (0x%08X), xrefs: 00007FF76C329485
SEC_E_BUFFER_TOO_SMALL, xrefs: 00007FF76C32954A
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BUFFER_TOO_SMALL
API String ID: 600764987-1965992168
Opcode ID: 1c94952b2ef98d388dcd44bc1db4b84b1386a3b0077bf35b840c8f961d3d9a83
Instruction ID: 786d9390a3774e0be9111c01816191fca822fe361f54512cf30ba7f83daa0cb7
Opcode Fuzzy Hash: 1c94952b2ef98d388dcd44bc1db4b84b1386a3b0077bf35b840c8f961d3d9a83
Instruction Fuzzy Hash: F431A12260D7C2C9EA21AF22E4457AEF7A4FB85756F80043DCA8D02A95CF3CD404CB36

Function 00007FF76C329556 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF76C3294D9
strchr.VCRUNTIME140 ref: 00007FF76C329500
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32999F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299B5
GetLastError.KERNEL32 ref: 00007FF76C3299BE
SetLastError.KERNEL32 ref: 00007FF76C3299CA

Strings

SEC_E_CANNOT_INSTALL, xrefs: 00007FF76C329556
%s (0x%08X), xrefs: 00007FF76C329485
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_INSTALL
API String ID: 600764987-2628789574
Opcode ID: d97066d4d0c1a1f2873a3f8222b0199b54bff4b53b2eaa110a41c85ed0f2070e
Instruction ID: 33067ed337be8752a2761c0c956821b07e168cfedf500ace37a77f0ce33bb611
Opcode Fuzzy Hash: d97066d4d0c1a1f2873a3f8222b0199b54bff4b53b2eaa110a41c85ed0f2070e
Instruction Fuzzy Hash: 4D31812260D7C2C9EA21AF22E4557AEF7A4FB85756F80053DCA8D02A55CF3CD544CB36

Function 00007FF76C32947E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE ref: 00007FF76C3294D9
strchr.VCRUNTIME140 ref: 00007FF76C329500
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32999F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3299B5
GetLastError.KERNEL32 ref: 00007FF76C3299BE
SetLastError.KERNEL32 ref: 00007FF76C3299CA

Strings

SEC_E_ALGORITHM_MISMATCH, xrefs: 00007FF76C32947E
%s (0x%08X), xrefs: 00007FF76C329485
%s - %s, xrefs: 00007FF76C329989

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_ALGORITHM_MISMATCH
API String ID: 600764987-618797061
Opcode ID: 34a37ceff78000e0dda867f7041e27dbdc954633bffdabb9c6f23139e263810f
Instruction ID: 0b50b741c3f57259dfc1cfd5efa925519c013448aefe106a17baa8df3d75a46b
Opcode Fuzzy Hash: 34a37ceff78000e0dda867f7041e27dbdc954633bffdabb9c6f23139e263810f
Instruction Fuzzy Hash: 5831812260D7C2C9EA21AF22E4557AEF7A4FB85756F80053DCA8D02A55CF3CD544CB35

Function 00007FF76C33B810 Relevance: 15.2, APIs: 10, Instructions: 153COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C32A7B1,?,?,?,?,00007FF76C326FF0), ref: 00007FF76C33B828
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33B871

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 4cbf1edf0252ae1ad2dd9c0472ac3c4b217a9908fb37d5f9a56c7cecaddf4659
Instruction ID: 9320623cd8579c788839a684a9b1b81ef4cd9e59d42ffb3cfac6ea26f070aee6
Opcode Fuzzy Hash: 4cbf1edf0252ae1ad2dd9c0472ac3c4b217a9908fb37d5f9a56c7cecaddf4659
Instruction Fuzzy Hash: 43915872909BC1C6E3009F25D4443E877A0FB99B5CF485239CE9D1E39ADFBAA094C721

Function 00007FF76C312ED0 Relevance: 15.1, APIs: 10, Instructions: 136COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF76C312F0A
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF76C312F29
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF76C312F5D
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF76C312F7C

Part of subcall function 00007FF76C315AD0: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF76C315B07
Part of subcall function 00007FF76C315AD0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF76C315B24
Part of subcall function 00007FF76C315AD0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C315B4D
Part of subcall function 00007FF76C315AD0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF76C315B98
Part of subcall function 00007FF76C315AD0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF76C315BAD

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF76C312FC0
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z.MSVCP140 ref: 00007FF76C313002
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C313062
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF76C31307E
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF76C3130AB
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF76C3130DC

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$?setstate@?$basic_ios@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?widen@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointersfclose
String ID:
API String ID: 3580038112-0
Opcode ID: 0eb18120dffc8427e000f1e7bb9ed03decf0b92471f0fec08224aee13d6305ac
Instruction ID: ce1a078bd182a9c78ee7fafcad7de9084563cc5283142d66d9d1bedb2fbebc25
Opcode Fuzzy Hash: 0eb18120dffc8427e000f1e7bb9ed03decf0b92471f0fec08224aee13d6305ac
Instruction Fuzzy Hash: C1616A32A18B81CAEB11DF61E484BADB7B4FB85749F904039DA8E53B68DF38D415CB11

Function 00007FF76C33EE50 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EE9F

Strings

Couldn't resolve proxy '%s', xrefs: 00007FF76C33F07C
Unix socket path too long: '%s', xrefs: 00007FF76C33EEF6
Couldn't resolve host '%s', xrefs: 00007FF76C33EFD1

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: calloc
String ID: Couldn't resolve host '%s'$Couldn't resolve proxy '%s'$Unix socket path too long: '%s'
API String ID: 2635317215-3812100122
Opcode ID: fc39e735afd21a233c7accef9b052feb2157579c17906b7cf8e5ffbf85187e34
Instruction ID: b314030a373fa7400be6836a3364eb55936668babca8e51534cbdaa9969c5f55
Opcode Fuzzy Hash: fc39e735afd21a233c7accef9b052feb2157579c17906b7cf8e5ffbf85187e34
Instruction Fuzzy Hash: 4351E532A0DB82C2FA59AB2AD440BB9B790EB88791F940039DF4D47391DF3DE8548761

Function 00007FF76C321A90 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 131processCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C317300: memmove.VCRUNTIME140(?,?,00000008,?,?,?,?,00007FF76C321ACD), ref: 00007FF76C31740B
Part of subcall function 00007FF76C317300: memmove.VCRUNTIME140(?,?,00000008,?,?,?,?,00007FF76C321ACD), ref: 00007FF76C31741A

memmove.VCRUNTIME140 ref: 00007FF76C321B0C
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C321B6B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C321BA5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C321BF7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C321C6E

Strings

&& timeout /t 5", xrefs: 00007FF76C321B02, 00007FF76C321B20
start cmd /C "color b && title Error && echo , xrefs: 00007FF76C321ABC

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove$system
String ID: && timeout /t 5"$start cmd /C "color b && title Error && echo
API String ID: 1752041281-3357973498
Opcode ID: 7b9ca40bc73603f3bb408701a9eb25cfb5a84f1d58a45754d0f194109f0e8143
Instruction ID: acee2a64e950d6744cc18a772aa2d95751c871e80fd43146084bf3212d9c8e1c
Opcode Fuzzy Hash: 7b9ca40bc73603f3bb408701a9eb25cfb5a84f1d58a45754d0f194109f0e8143
Instruction Fuzzy Hash: 3B51AF72A18B89C1EE00AB26E54476DB321FB46BD5F904239DB9D03BA5DF7DD480C721

Function 00007FF76C315AD0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF76C315B07
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF76C315B24
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C315B4D
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF76C315B98

Part of subcall function 00007FF76C316360: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,00007FF76C3148B5,?,?,?,?,?,?,?,00007FF76C3154DB), ref: 00007FF76C316376
Part of subcall function 00007FF76C316360: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,00007FF76C3148B5,?,?,?,?,?,?,?,00007FF76C3154DB), ref: 00007FF76C316390
Part of subcall function 00007FF76C316360: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,00007FF76C3148B5,?,?,?,?,?,?,?,00007FF76C3154DB), ref: 00007FF76C3163C2
Part of subcall function 00007FF76C316360: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,00007FF76C3148B5,?,?,?,?,?,?,?,00007FF76C3154DB), ref: 00007FF76C3163ED
Part of subcall function 00007FF76C316360: std::_Facet_Register.LIBCPMT ref: 00007FF76C316406
Part of subcall function 00007FF76C316360: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,00007FF76C3148B5,?,?,?,?,?,?,?,00007FF76C3154DB), ref: 00007FF76C316425

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF76C315BAD
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF76C315BC4

Strings

C:\Windows\keyspoofer.txt, xrefs: 00007FF76C315B00

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID: C:\Windows\keyspoofer.txt
API String ID: 3911317180-140772259
Opcode ID: 8a0f4ddd246f5943024a9039051c79a83b026ab09755d7c5fde9eecff730277d
Instruction ID: 4ecbce534b0f809675c706d49da1b987def8a23f41cd2b54d8204a57e5210803
Opcode Fuzzy Hash: 8a0f4ddd246f5943024a9039051c79a83b026ab09755d7c5fde9eecff730277d
Instruction Fuzzy Hash: 65316632609B81C6EB50AF26F844629B3B4FB89F89F840139DA8D47B68DF3CD594C750

Function 00007FF76C37888C Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF76C3788B5
__scrt_release_startup_lock.LIBCMT ref: 00007FF76C378923
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C378971
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C378976
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C37897E
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C378986
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3789A8
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C378A02

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: 560487b49758e7811f71a7fa1aa8e16bf24763dedb573d0d6273195996342808
Instruction ID: 3391eb459bc7cc485c99aa6b1528fd53d112e2e8e2f01de2d608a38f7f2ac47e
Opcode Fuzzy Hash: 560487b49758e7811f71a7fa1aa8e16bf24763dedb573d0d6273195996342808
Instruction Fuzzy Hash: F9316C21A0C243C1FA54BB279557BB9B291AF47796FC0413ED64D2B2D3DE2CA804867B

Function 00007FF76C335100 Relevance: 12.1, APIs: 8, Instructions: 67networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C351A60: getaddrinfo.WS2_32 ref: 00007FF76C351A82
Part of subcall function 00007FF76C351A60: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351AEE
Part of subcall function 00007FF76C351A60: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351B28
Part of subcall function 00007FF76C351A60: memmove.VCRUNTIME140(?,?,?,00007FF76C335155), ref: 00007FF76C351B41
Part of subcall function 00007FF76C351A60: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351B4F
Part of subcall function 00007FF76C351A60: freeaddrinfo.WS2_32(?,?,?,00007FF76C335155), ref: 00007FF76C351BC1
Part of subcall function 00007FF76C351A60: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351BD5
Part of subcall function 00007FF76C351A60: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351BDF
Part of subcall function 00007FF76C351A60: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335155), ref: 00007FF76C351BEC

WSAGetLastError.WS2_32 ref: 00007FF76C33515B
WSAGetLastError.WS2_32 ref: 00007FF76C335165
EnterCriticalSection.KERNEL32 ref: 00007FF76C335180
LeaveCriticalSection.KERNEL32 ref: 00007FF76C33518F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3351A0
send.WS2_32 ref: 00007FF76C3351C3
WSAGetLastError.WS2_32 ref: 00007FF76C3351CD
LeaveCriticalSection.KERNEL32 ref: 00007FF76C3351E0

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$CriticalErrorLastSection$Leavemalloc$Enter_strdupfreeaddrinfogetaddrinfomemmovesend
String ID:
API String ID: 3577680466-0
Opcode ID: fc2c5a681f9e38949678be65599ab0e84eb98308ef84f758d0073a105ae9d2bb
Instruction ID: 9bf08569dc4cb772465321bab6f67c7a18952e330804a2f78bf6a1468e1f5172
Opcode Fuzzy Hash: fc2c5a681f9e38949678be65599ab0e84eb98308ef84f758d0073a105ae9d2bb
Instruction Fuzzy Hash: 5A31B931A08642C1EB40AF26D455A69B7B0FF44F9AF801139D94E87694DF3CD445C7A2

Function 00007FF76C34EFD0 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF76C34F036
WSASetLastError.WS2_32 ref: 00007FF76C34F1F6
Sleep.KERNEL32 ref: 00007FF76C34F206
__WSAFDIsSet.WS2_32 ref: 00007FF76C34F31A
__WSAFDIsSet.WS2_32 ref: 00007FF76C34F332
Sleep.KERNEL32 ref: 00007FF76C34F35D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: c2201ef84f1469e825e22acc8bee876f0231f9a4b4c355a8423869777bf9ad38
Instruction ID: f8e840efc051dcfe980b07dfb9bf803dcdb0a3b61fd878da426722b8c61bc4b7
Opcode Fuzzy Hash: c2201ef84f1469e825e22acc8bee876f0231f9a4b4c355a8423869777bf9ad38
Instruction Fuzzy Hash: 63A16B35A18651C6EB696A26DC00BB9B295FF4C756F88823CED1D4B7C4DF3CD8058322

Function 00007FF76C326FB0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3271C1

Part of subcall function 00007FF76C315550: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3155A8

Strings

EZZ, xrefs: 00007FF76C32708C
ANUL, xrefs: 00007FF76C32707E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ANUL$EZZ
API String ID: 3668304517-3347727684
Opcode ID: 17b08860ac0d795205c49af8ecce8c45f755290064b7e1a07427b66776b3e6a7
Instruction ID: 2162631b56947ea15e187277019db2d8fc41bc87d51538cafbd0e0abd3530f9d
Opcode Fuzzy Hash: 17b08860ac0d795205c49af8ecce8c45f755290064b7e1a07427b66776b3e6a7
Instruction Fuzzy Hash: 3491BF32B04782CAFB10EB66D4057AD7362AB02B99F804538DE5D17BCACF3CD55483A6

Function 00007FF76C352240 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35246A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3524AF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3524D7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C352519

Strings

schannel: shutting down SSL/TLS connection with %s port %hu, xrefs: 00007FF76C3522BE
schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 00007FF76C352433
schannel: ApplyControlToken failure: %s, xrefs: 00007FF76C352348

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
API String ID: 1294909896-116363806
Opcode ID: 4555a0a7d86c6f60568588da6ac00a0257dcbd78f45fe19e0092576b48bd8d7a
Instruction ID: b586378fc24c29541e9775db0ff90742c75c7cb6702d4da82a11e1104202a3fd
Opcode Fuzzy Hash: 4555a0a7d86c6f60568588da6ac00a0257dcbd78f45fe19e0092576b48bd8d7a
Instruction Fuzzy Hash: 3E916772609B81C6EB10DF26D894AADBBB4FB48B86F840139CE4D47768DF38D445CB51

Function 00007FF76C313570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C312ED0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF76C312F0A
Part of subcall function 00007FF76C312ED0: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF76C312F29
Part of subcall function 00007FF76C312ED0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF76C312F5D
Part of subcall function 00007FF76C312ED0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF76C312F7C
Part of subcall function 00007FF76C312ED0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF76C312FC0
Part of subcall function 00007FF76C312ED0: ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z.MSVCP140 ref: 00007FF76C313002
Part of subcall function 00007FF76C312ED0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C313062

Part of subcall function 00007FF76C322B00: CreateThread.KERNELBASE ref: 00007FF76C322B5F
Part of subcall function 00007FF76C322B00: UuidCreate.RPCRT4 ref: 00007FF76C322BB0
Part of subcall function 00007FF76C322B00: UuidToStringA.RPCRT4 ref: 00007FF76C322BCB
Part of subcall function 00007FF76C322B00: RpcStringFreeA.RPCRT4 ref: 00007FF76C322C00

Part of subcall function 00007FF76C312D10: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C312D20
Part of subcall function 00007FF76C312D10: GetStdHandle.KERNEL32 ref: 00007FF76C312D2B
Part of subcall function 00007FF76C312D10: SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312D39
Part of subcall function 00007FF76C312D10: GetStdHandle.KERNEL32 ref: 00007FF76C312D5C
Part of subcall function 00007FF76C312D10: SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312D6A
Part of subcall function 00007FF76C312D10: GetStdHandle.KERNEL32 ref: 00007FF76C312D81
Part of subcall function 00007FF76C312D10: SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312D8F
Part of subcall function 00007FF76C312D10: GetStdHandle.KERNEL32 ref: 00007FF76C312DA6
Part of subcall function 00007FF76C312D10: SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312DB4
Part of subcall function 00007FF76C312D10: GetStdHandle.KERNEL32 ref: 00007FF76C312DD6
Part of subcall function 00007FF76C312D10: SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312DE4
Part of subcall function 00007FF76C312D10: GetStdHandle.KERNEL32 ref: 00007FF76C312DFB
Part of subcall function 00007FF76C312D10: SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312E09
Part of subcall function 00007FF76C312D10: GetStdHandle.KERNEL32 ref: 00007FF76C312E20
Part of subcall function 00007FF76C312D10: SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312E2E

Sleep.KERNEL32 ref: 00007FF76C31367F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C31369E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C313719
Sleep.KERNEL32 ref: 00007FF76C31372A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C313763

Strings

valorant tpm, xrefs: 00007FF76C3135A0, 00007FF76C31362C, 00007FF76C31365A

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: AttributeConsoleHandleTextU?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$CreateSleepStringUuid$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?setstate@?$basic_ios@?widen@?$basic_ios@D@std@@@1@_FreeInit@?$basic_streambuf@ThreadV?$basic_streambuf@fclosesystem
String ID: valorant tpm
API String ID: 1726691479-2065167152
Opcode ID: a3e552ea481289e06771e0388e34eaeaebb21b447971fce1f61716ef0726cf18
Instruction ID: 318cdf84df825b9f26a861fbe313b5d934c2be80acb3b6597117e821d2d252fd
Opcode Fuzzy Hash: a3e552ea481289e06771e0388e34eaeaebb21b447971fce1f61716ef0726cf18
Instruction Fuzzy Hash: 54519161F18642C8FB41BB76D8917BCB720AF4576AF940239DA1D17AD6DE2CA481C322

Function 00007FF76C3128E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C3784F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3157CA,?,?,?,?,?,?,?,00007FF76C31118E), ref: 00007FF76C37850A

?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF76C31299B

Strings

?, xrefs: 00007FF76C31294B
>, xrefs: 00007FF76C312942
456789, xrefs: 00007FF76C312981

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Random_device@std@@malloc
String ID: 456789$>$?
API String ID: 2115826380-3395382736
Opcode ID: f6316a32dc5ad1a96f886e62bd89d608c8076d3b0713c5a646cccbc348894fbd
Instruction ID: b81886d018846322a4f9d98cf00c70630a79344e2916886205fb9328362322de
Opcode Fuzzy Hash: f6316a32dc5ad1a96f886e62bd89d608c8076d3b0713c5a646cccbc348894fbd
Instruction Fuzzy Hash: B6510632D18B81CAE310AF21E8447A9B7A1FB99744F545239EA8C47BA5EF7CE1C0C711

Function 00007FF76C330C60 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C330CAE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C330CC5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C330DF2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C330E1E

Strings

Connection #%ld to host %s left intact, xrefs: 00007FF76C330EDB
%s, xrefs: 00007FF76C330F27

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %s$Connection #%ld to host %s left intact
API String ID: 1294909896-118628944
Opcode ID: 10131e2cb1aa6f22e2ee3b146201c522d287f8f42c78b94e51c4eb1dad2d3d36
Instruction ID: 610b52b9d30ec51c888b783de65440d1a382aba2e332f86775c377b792f8e0c7
Opcode Fuzzy Hash: 10131e2cb1aa6f22e2ee3b146201c522d287f8f42c78b94e51c4eb1dad2d3d36
Instruction Fuzzy Hash: 5D914372B08AC1C2EB59BB26D540BFDB391EB44B86F844439DE4E0B795CF38E4648761

Function 00007FF76C33B0F0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33B11B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33B131

Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AF4D
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AF6A
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AF7E
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AF9A
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AFB7
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AFDA
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AFEE
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B002
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B028
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B03C
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B050
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B09F
Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B0AC

Part of subcall function 00007FF76C33AED0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B0D5

memset.VCRUNTIME140 ref: 00007FF76C33B165

Strings

Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF76C33B341
User-Agent: %s, xrefs: 00007FF76C33B1FF

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$memset
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 2717317152-3248832348
Opcode ID: 43e8a476d1e9a08a3144ffeb7185b141074180460611bf871d67cb668cbabf4e
Instruction ID: 8232db2b065107d0acdc33095aa71960edc35b878a82bf4273f28062ae17b24a
Opcode Fuzzy Hash: 43e8a476d1e9a08a3144ffeb7185b141074180460611bf871d67cb668cbabf4e
Instruction Fuzzy Hash: EA717F2290CBC2C1E751EF26D4507BDB760EB85B99F884239DA9D4F295DF38E4818362

Function 00007FF76C31EB60 Relevance: 9.1, APIs: 6, Instructions: 60fileCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF76C31EB8F
QueryFullProcessImageNameW.KERNELBASE ref: 00007FF76C31EBA4
CreateFileW.KERNELBASE ref: 00007FF76C31EBD2
CreateFileMappingW.KERNELBASE ref: 00007FF76C31EBF9
CloseHandle.KERNEL32 ref: 00007FF76C31EC07
MapViewOfFile.KERNELBASE ref: 00007FF76C31EC4E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: File$CreateProcess$CloseCurrentFullHandleImageMappingNameQueryView
String ID:
API String ID: 1024061024-0
Opcode ID: 06fda7f3e68c2c3f3cea317f2c6b0cfd4844cc8cb5b8532ea46a47707e4afbf9
Instruction ID: daa3a7e271eeb8e29693177adacccf905475b9fbe02726ddd68f7a2eabfca79b
Opcode Fuzzy Hash: 06fda7f3e68c2c3f3cea317f2c6b0cfd4844cc8cb5b8532ea46a47707e4afbf9
Instruction Fuzzy Hash: AB215E32608B81C2E7209F12F859B5AB3A4FB88B99F804239DA9D07B54DF3CD445CB51

Function 00007FF76C33FE30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33FEF6
recv.WS2_32 ref: 00007FF76C33FF20
send.WS2_32 ref: 00007FF76C33FF43
WSAGetLastError.WS2_32 ref: 00007FF76C33FF55

Strings

Send failure: %s, xrefs: 00007FF76C33FF85

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastmallocrecvsend
String ID: Send failure: %s
API String ID: 25851408-857917747
Opcode ID: b646754a63c242f285528627dd3e449bf7f1e4516c86649b32f59f149c96bf92
Instruction ID: 0be551dbaad6da106727a2eb34f4f8f2f78ee31dad283a2f7b1fdfa9c74f070e
Opcode Fuzzy Hash: b646754a63c242f285528627dd3e449bf7f1e4516c86649b32f59f149c96bf92
Instruction Fuzzy Hash: 0941A03270AB8185EB64AF26E840B79B2A0AF49BEAFC44239DE5D47394DF3CD451C711

Function 00007FF76C36B6D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C3425B0: GetModuleHandleA.KERNEL32(?,?,00000000,00007FF76C36B70A,?,?,?,?,00007FF76C34293B), ref: 00007FF76C3425C4

GetProcAddressForCaller.KERNELBASE(?,?,?,?,00007FF76C34293B), ref: 00007FF76C36B720

Strings

secur32.dll, xrefs: 00007FF76C36B6F3
InitSecurityInterfaceA, xrefs: 00007FF76C36B716
security.dll, xrefs: 00007FF76C36B6FA

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: AddressCallerHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2084706301-3788156360
Opcode ID: 5f9ba379c3d9fc8f413ad3dcf5974fedc70beb2deca750b73fe5729b4a75610e
Instruction ID: eef33bd5c74497460c40fa378b377d4bedd4c9237f5c65009d8aad1db60f38aa
Opcode Fuzzy Hash: 5f9ba379c3d9fc8f413ad3dcf5974fedc70beb2deca750b73fe5729b4a75610e
Instruction Fuzzy Hash: C8F01960E0AB03C0FE54BB17A985BB0F2A06F1434AFC5403CD40D9A291FE3CA5899B72

Function 00007FF76C34A660 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34A760

Part of subcall function 00007FF76C34ACF0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AD4A

Part of subcall function 00007FF76C34AAA0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AB38
Part of subcall function 00007FF76C34AAA0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AB41

Strings

TCP4, xrefs: 00007FF76C34A6FA
TCP6, xrefs: 00007FF76C34A6E7
PROXY %s %s %s %li %li, xrefs: 00007FF76C34A734

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$calloc
String ID: PROXY %s %s %s %li %li$TCP4$TCP6
API String ID: 3095843317-1242256665
Opcode ID: 827c2aa87ce17e0013e05fd712a68a9dd3230884c9ea86d0e45197574c2b49c9
Instruction ID: f6f6d12fb45e1d043021541a66d7dcead0243f78f81120e733fd20b423fd31d2
Opcode Fuzzy Hash: 827c2aa87ce17e0013e05fd712a68a9dd3230884c9ea86d0e45197574c2b49c9
Instruction Fuzzy Hash: C141BE31A0C682C5F760EB66E8007BAB7A1EF85785F94803ADA4D4B695DF3CD448C712

Function 00007FF76C32FB20 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00007FF76C32A846,?,?,?,?,?,?,00007FF76C327125), ref: 00007FF76C32FB3D
closesocket.WS2_32 ref: 00007FF76C32FC49
closesocket.WS2_32 ref: 00007FF76C32FC56

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: closesocket$calloc
String ID:
API String ID: 2958813939-0
Opcode ID: a05756b925b676b2f5eddd10200ae43443ab68b5a084b8e1e1ee587c463db630
Instruction ID: 943a33cb43da6580081674d1862c6f6780bf6ad9788bc7478001c5cbaa60be32
Opcode Fuzzy Hash: a05756b925b676b2f5eddd10200ae43443ab68b5a084b8e1e1ee587c463db630
Instruction Fuzzy Hash: C7416131608A92C1E750FF32D8406E9B360EF88759FC48639DE5D8A2D6EF3CD5498362

Function 00007FF76C352E10 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

select/poll on SSL/TLS socket, errno: %d, xrefs: 00007FF76C352F53
SSL/TLS connection timeout, xrefs: 00007FF76C352F6C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: 51d7f8d5dc6845581baafe3fd4c405b6984cf48231267efa5bc797a584dc4db0
Instruction ID: 3f2b5f61e5ae4583c2b3ec6ecff98f2036e1f9bb87ab6785823b668780401dfd
Opcode Fuzzy Hash: 51d7f8d5dc6845581baafe3fd4c405b6984cf48231267efa5bc797a584dc4db0
Instruction Fuzzy Hash: DF51A721A09682C5EB54AB13A648A79BB91EF447A9FD48239DF1D473D4DF3EE041C322

Function 00007FF76C33BDF0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BE55

Strings

Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF76C33BF94
User-Agent: %s, xrefs: 00007FF76C33BE66

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 1294909896-3248832348
Opcode ID: b3abda95d4842e6979c77852f044f7e7c33953268195e6f6111f5e5a8aa4b6e6
Instruction ID: f24ae69e182a6cf2305f07bb4bad0b905beb616a45634c6085d916e70c720e10
Opcode Fuzzy Hash: b3abda95d4842e6979c77852f044f7e7c33953268195e6f6111f5e5a8aa4b6e6
Instruction Fuzzy Hash: 69517062A08AC1C1E7419F2AD4407ADB7A0EB84B9DF485139DF8C4B39ADF7CD495C721

Function 00007FF76C33FC50 Relevance: 3.0, APIs: 2, Instructions: 23networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF76C33FC5C
WSAGetLastError.WS2_32 ref: 00007FF76C33FC6B

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 23d35c8dc031321845488c5a0f8de9bde46f9af8990e6a04dc0b523b5a353112
Instruction ID: 77de9b6603a2325f6ea1e445fcef46a6242899a64490f3ba7bf77a21a44cd8bc
Opcode Fuzzy Hash: 23d35c8dc031321845488c5a0f8de9bde46f9af8990e6a04dc0b523b5a353112
Instruction Fuzzy Hash: 85E0DF21F0450982FF286772E855B7921A0CF88777F846338CA3A8A7C0CA2C44D28321

Function 00007FF76C312680 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3128D6

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 6c7e0b4c6c98e4680503481da4b43372955a089c43a8a3f83a3351b47374b09e
Instruction ID: 89f5b883b88cb00696e0a292535a7b6da926f9a720d521b4c50033226832a1b9
Opcode Fuzzy Hash: 6c7e0b4c6c98e4680503481da4b43372955a089c43a8a3f83a3351b47374b09e
Instruction Fuzzy Hash: 6E516362A046C9C5DB45EB26D5583BC7352FB02FC9F94403ADA4D0AA6ADF6AC4C4C321

Function 00007FF76C340530 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF76C340573

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 0d1bf1fb7a2dacee2398b3ec2e74f674ac83464c917e10b2ef8acc80dbb8198f
Instruction ID: e8b21234904c0566a51301c427e707f13973c86ad9fdfd503a467df1dd992470
Opcode Fuzzy Hash: 0d1bf1fb7a2dacee2398b3ec2e74f674ac83464c917e10b2ef8acc80dbb8198f
Instruction Fuzzy Hash: CE018052B095C1C1EF44EB2BE58876DB3A0EF88B85F489135DB0E4B296CF2CD4958752

Function 00007FF76C347480 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF76C3474A9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: b96352ea3a50238ed1975b8a8e8f3d2b95264ea245a5395ea7beb32c57450c63
Instruction ID: 59d413ee2ac459fd0e63b6649825306308d30f3785f8e76c1865ac678aa8ca73
Opcode Fuzzy Hash: b96352ea3a50238ed1975b8a8e8f3d2b95264ea245a5395ea7beb32c57450c63
Instruction Fuzzy Hash: 33E06D26E06645C2DE08A7368892AB97360AB51725FC48779C63D0A3D0DE2C965A9B20

Function 00007FF76C3520E0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3520FB

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 3db009872c8f4d40c76b5c2b2c72ed268fe907ed1841dcdbb931e42fdbfba48b
Instruction ID: dd73c1b3b61993454bd47260d25b5007b6ecc2f34ccc281263c0e782b5773879
Opcode Fuzzy Hash: 3db009872c8f4d40c76b5c2b2c72ed268fe907ed1841dcdbb931e42fdbfba48b
Instruction Fuzzy Hash: 66D02B63718A04839F10DF72A881029F251F789774B88433CAE7D837E0DB3CD1414A04

Function 00007FF76C316D50 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 00007FF76C316D5B

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: 4dfc203e525642a0fb965529a17836da1f3f79d63cf12ee4ef218f93b00fb93d
Instruction ID: 8e90d1a0835e2786ed742b5249c1cf6bef527928b6da6e004320b2f9b8e9f449
Opcode Fuzzy Hash: 4dfc203e525642a0fb965529a17836da1f3f79d63cf12ee4ef218f93b00fb93d
Instruction Fuzzy Hash: 35C08C40B20202C2EB5437B3A80B5B962A0AF4EF22F985038C95649351CD3D84DA8726

Function 00007FF76C34E020 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF76C34E039

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 4febc3c8d7f5aed8233ee5d24087e21b0bbc05b5b2815716bdc9645dd1b00dbb
Instruction ID: 36a81a58961490f3c465b9cf28fec2d411ce1896c7da9f503cbe53e2ebddfff0
Opcode Fuzzy Hash: 4febc3c8d7f5aed8233ee5d24087e21b0bbc05b5b2815716bdc9645dd1b00dbb
Instruction Fuzzy Hash: 56C08056F145C1C3C3446F725885087B771FFC4205FD5643DD14741124DD3CC2A58B54

Non-executed Functions

Function 00007FF76C348920 Relevance: 178.5, APIs: 31, Strings: 70, Instructions: 1702stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3489F8
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C348A05
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C348AD8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C348B5C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C348C03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C348C9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C348D65
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C348D9D
strchr.VCRUNTIME140 ref: 00007FF76C348F17
strchr.VCRUNTIME140 ref: 00007FF76C348F2A
strchr.VCRUNTIME140 ref: 00007FF76C348F3C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C349043
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3490B3
memmove.VCRUNTIME140 ref: 00007FF76C3490DA
strchr.VCRUNTIME140 ref: 00007FF76C3490EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C349102
strstr.VCRUNTIME140 ref: 00007FF76C349338
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C349471
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3495E9

Part of subcall function 00007FF76C32E0C0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32E133

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34969C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C349721
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34997A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C349990
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34999F

Part of subcall function 00007FF76C34ACF0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AD4A

strchr.VCRUNTIME140 ref: 00007FF76C349F57
strchr.VCRUNTIME140 ref: 00007FF76C349F6A
strchr.VCRUNTIME140 ref: 00007FF76C349F7C

Part of subcall function 00007FF76C34ACF0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AD6A
Part of subcall function 00007FF76C34ACF0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AD73

strchr.VCRUNTIME140 ref: 00007FF76C34A1CF
strchr.VCRUNTIME140 ref: 00007FF76C34A1E2
strchr.VCRUNTIME140 ref: 00007FF76C34A1F4

Part of subcall function 00007FF76C34D320: strchr.VCRUNTIME140 ref: 00007FF76C34D406
Part of subcall function 00007FF76C34D320: strchr.VCRUNTIME140 ref: 00007FF76C34D419
Part of subcall function 00007FF76C34D320: strchr.VCRUNTIME140 ref: 00007FF76C34D42B

Strings

Last-Modified, xrefs: 00007FF76C349BDB
Host: %s%s%s:%d, xrefs: 00007FF76C349202
Content-Range: bytes %s/%I64d, xrefs: 00007FF76C349636
Host: %s%s%s, xrefs: 00007FF76C3491BD
upload completely sent off: %I64d out of %I64d bytes, xrefs: 00007FF76C34A4FE
Expect:, xrefs: 00007FF76C349F15, 00007FF76C34A18A
Failed sending HTTP POST request, xrefs: 00007FF76C34A3FB
100-continue, xrefs: 00007FF76C349F96, 00007FF76C34A216
ftp, xrefs: 00007FF76C349309
Accept: */*, xrefs: 00007FF76C349405
Transfer-Encoding: chunked, xrefs: 00007FF76C34900F
Transfer-Encoding, xrefs: 00007FF76C348EAD
1.0, xrefs: 00007FF76C349680
Content-Length: %I64d, xrefs: 00007FF76C349D4B, 00007FF76C349EA0, 00007FF76C34A125
%s%s, xrefs: 00007FF76C349B30
PUT, xrefs: 00007FF76C348A98
Could not seek stream, xrefs: 00007FF76C3494E8
ftp://%s:%s@%s, xrefs: 00007FF76C34974B
%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF76C34995B
multipart/form-data, xrefs: 00007FF76C348E4A
Referer, xrefs: 00007FF76C348CB3
Chunky upload is not supported by HTTP 1.0, xrefs: 00007FF76C34901C
Cookie, xrefs: 00007FF76C348D22
Content-Range, xrefs: 00007FF76C3495CE
Accept-Encoding, xrefs: 00007FF76C348D41
%s?%s, xrefs: 00007FF76C348AF5
Expect, xrefs: 00007FF76C349EF4, 00007FF76C34A169
Host, xrefs: 00007FF76C349049
%s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00007FF76C349C74
1.1, xrefs: 00007FF76C34968E
Host:%s, xrefs: 00007FF76C349146
Failed sending HTTP request, xrefs: 00007FF76C34A0C6
Failed sending PUT request, xrefs: 00007FF76C349DC9
http, xrefs: 00007FF76C34929B
;type=, xrefs: 00007FF76C34932E
;type=%c, xrefs: 00007FF76C3493A1
Transfer-Encoding:, xrefs: 00007FF76C348ECE
If-Modified-Since, xrefs: 00007FF76C349BED
Host:, xrefs: 00007FF76C349111
Accept, xrefs: 00007FF76C3493F3
Proxy-Connection: Keep-Alive, xrefs: 00007FF76C34981F, 00007FF76C349834
OPTIONS, xrefs: 00007FF76C348A8B
Range, xrefs: 00007FF76C349452
Referer: %s, xrefs: 00007FF76C348CCE
Proxy-Connection, xrefs: 00007FF76C3497F3
GET, xrefs: 00007FF76C348AB2
%x, xrefs: 00007FF76C34A2F5
User-Agent, xrefs: 00007FF76C348ABD
Content-Range: bytes 0-%I64d/%I64d, xrefs: 00007FF76C349604
If-Unmodified-Since, xrefs: 00007FF76C349BE4
Invalid TIMEVALUE, xrefs: 00007FF76C349BA3
HEAD, xrefs: 00007FF76C348A61
Content-Length, xrefs: 00007FF76C349D34, 00007FF76C349E89, 00007FF76C34A10E
0, xrefs: 00007FF76C34A346, 00007FF76C34A445
Accept-Encoding: %s, xrefs: 00007FF76C348D72
Could only read %I64d bytes from the input, xrefs: 00007FF76C3495A5
Cookie: , xrefs: 00007FF76C349A8E, 00007FF76C349B04
chunked, xrefs: 00007FF76C348F56
Content-Type, xrefs: 00007FF76C348E07, 00007FF76C34A13D
%s, xrefs: 00007FF76C349ED3
Range: bytes=%s, xrefs: 00007FF76C34947E
%s , xrefs: 00007FF76C3496B3
POST, xrefs: 00007FF76C348AA5
Content-Type: application/x-www-form-urlencoded, xrefs: 00007FF76C34A151
Content-Length: 0, xrefs: 00007FF76C349DF0
File already completely uploaded, xrefs: 00007FF76C349589
?%s, xrefs: 00007FF76C34978B
%s%s=%s, xrefs: 00007FF76C349AA9
Content-Range: bytes %s%I64d/%I64d, xrefs: 00007FF76C349628
Failed sending POST request, xrefs: 00007FF76C349E29, 00007FF76C34A06D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$strchr$_strdup$callocmemmovestrstr
String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s: %s, %02d %s %4d %02d:%02d:%02d GMT$%s?%s$%x$0$1.0$1.1$100-continue$;type=$;type=%c$?%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Cookie$Cookie: $Could not seek stream$Could only read %I64d bytes from the input$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified$OPTIONS$POST$PUT$Proxy-Connection$Proxy-Connection: Keep-Alive$Range$Range: bytes=%s$Referer$Referer: %s$Transfer-Encoding$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent$chunked$ftp$ftp://%s:%s@%s$http$multipart/form-data$upload completely sent off: %I64d out of %I64d bytes
API String ID: 3050856829-4264080130
Opcode ID: 6391a40f627db0bb6010f84a819358c4fdba3e5b4bf572a4ba6bff6913ed97cf
Instruction ID: 66b916cf910c177369eb3f0235d0b5587066a161ae2c6d3502c9312af1d58bc5
Opcode Fuzzy Hash: 6391a40f627db0bb6010f84a819358c4fdba3e5b4bf572a4ba6bff6913ed97cf
Instruction Fuzzy Hash: 1F03C221A09782C5FB54BF239940AB9B7A4AF45B86F848039CE0D5B795DF3CE449C362

Function 00007FF76C34BC20 Relevance: 127.2, APIs: 25, Strings: 47, Instructions: 1228stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C34CDE3

Part of subcall function 00007FF76C33FA50: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB75
Part of subcall function 00007FF76C33FA50: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB90

memchr.VCRUNTIME140 ref: 00007FF76C34CED6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C34CFEE
strchr.VCRUNTIME140 ref: 00007FF76C34D002
strchr.VCRUNTIME140 ref: 00007FF76C34D02A
strchr.VCRUNTIME140 ref: 00007FF76C34D040

Strings

Content-Encoding:, xrefs: 00007FF76C34C621
RTSP/, xrefs: 00007FF76C34BD14
The requested URL returned error: %s, xrefs: 00007FF76C34D057
Got 417 while waiting for a 100, xrefs: 00007FF76C34CDC3
HTTP/%1d.%1d%c%3d, xrefs: 00007FF76C34BDB9
no chunk, no close, no size. Assume close to signal end, xrefs: 00007FF76C34CBD6
HTTP error before end of send, keep sending, xrefs: 00007FF76C34CE09
Content-Range:, xrefs: 00007FF76C34C6EE
HTTP %3d, xrefs: 00007FF76C34BE88
Received 101, xrefs: 00007FF76C34D0BB
Negotiate: noauthpersist -> %d, header part: %s, xrefs: 00007FF76C34C9AC
close, xrefs: 00007FF76C34C3B3, 00007FF76C34C533
HTTP/1.1 proxy connection set close!, xrefs: 00007FF76C34C5CD
Content-Length:, xrefs: 00007FF76C34C12F
Content-Type:, xrefs: 00007FF76C34C1D6
, xrefs: 00007FF76C34BE0C
, xrefs: 00007FF76C34BFC2
Persistent-Auth, xrefs: 00007FF76C34C952
HTTP/%1[23] %d, xrefs: 00007FF76C34BDE4
Connection:, xrefs: 00007FF76C34C3EB, 00007FF76C34C4A0
RTSP/%1d.%1d%c%3d, xrefs: 00007FF76C34BFAD
keep-alive, xrefs: 00007FF76C34C2E6, 00007FF76C34C476
HTTP/1.0 connection set to keep alive!, xrefs: 00007FF76C34C5EB
Invalid Content-Length: value, xrefs: 00007FF76C34D098
Set-Cookie:, xrefs: 00007FF76C34C7B3
Maximum file size exceeded, xrefs: 00007FF76C34D07F
Overflow Content-Length: value!, xrefs: 00007FF76C34C1BB
Location:, xrefs: 00007FF76C34C9EE
HTTP, xrefs: 00007FF76C34CFDE
false, xrefs: 00007FF76C34C990
HTTP/, xrefs: 00007FF76C34BF29
Lying server, not serving HTTP/2, xrefs: 00007FF76C34BE3C
Last-Modified:, xrefs: 00007FF76C34C857
WWW-Authenticate:, xrefs: 00007FF76C34C8B6
Proxy-authenticate:, xrefs: 00007FF76C34C8E1
HTTP error before end of send, stop sending, xrefs: 00007FF76C34CE2D
Retry-After:, xrefs: 00007FF76C34C663
Mark bundle as not supporting multiuse, xrefs: 00007FF76C34BE5F
Unsupported HTTP version in response, xrefs: 00007FF76C34CFC1
HTTP 1.0, assume close after body, xrefs: 00007FF76C34C087
Received HTTP/0.9 when not allowed, xrefs: 00007FF76C34CF4B
Keep sending data to get tossed away!, xrefs: 00007FF76C34CE7C
HTTP/1.0 proxy connection set to keep alive!, xrefs: 00007FF76C34C5AC
The requested URL returned error: %d, xrefs: 00007FF76C34D1B3
Connection closure while negotiating auth (HTTP 1.0?), xrefs: 00007FF76C34CC2C, 00007FF76C34CC78
Transfer-Encoding:, xrefs: 00007FF76C34C56A
Proxy-Connection:, xrefs: 00007FF76C34C253, 00007FF76C34C32C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strchr$fwrite$_strdupmemchrstrncmp
String ID: $ $ HTTP %3d$ HTTP/%1[23] %d$ HTTP/%1d.%1d%c%3d$ RTSP/%1d.%1d%c%3d$Connection closure while negotiating auth (HTTP 1.0?)$Connection:$Content-Encoding:$Content-Length:$Content-Range:$Content-Type:$Got 417 while waiting for a 100$HTTP$HTTP 1.0, assume close after body$HTTP error before end of send, keep sending$HTTP error before end of send, stop sending$HTTP/$HTTP/1.0 connection set to keep alive!$HTTP/1.0 proxy connection set to keep alive!$HTTP/1.1 proxy connection set close!$Invalid Content-Length: value$Keep sending data to get tossed away!$Last-Modified:$Location:$Lying server, not serving HTTP/2$Mark bundle as not supporting multiuse$Maximum file size exceeded$Negotiate: noauthpersist -> %d, header part: %s$Overflow Content-Length: value!$Persistent-Auth$Proxy-Connection:$Proxy-authenticate:$RTSP/$Received 101$Received HTTP/0.9 when not allowed$Retry-After:$Set-Cookie:$The requested URL returned error: %d$The requested URL returned error: %s$Transfer-Encoding:$Unsupported HTTP version in response$WWW-Authenticate:$close$false$keep-alive$no chunk, no close, no size. Assume close to signal end
API String ID: 3939785054-690044944
Opcode ID: 705ee5aeba5fc1df9a6f88bafb3aeaff7a9893b70d81290ff0ac56fe8684f09f
Instruction ID: 454d410abfc5b2d0d4d9f8bf4c7fdbe6cc83520f887c5e57845e02f4bcc21395
Opcode Fuzzy Hash: 705ee5aeba5fc1df9a6f88bafb3aeaff7a9893b70d81290ff0ac56fe8684f09f
Instruction Fuzzy Hash: 2DC29671A08682C5FB50BF279904BF9B791EB45B8AF848139CE4D4F295DE2DA44CC732

Function 00007FF76C3328F0 Relevance: 105.7, APIs: 41, Strings: 19, Instructions: 744stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000000,?,00000000,?,?,00007FF76C334147), ref: 00007FF76C332960
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33297B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3329B4
strchr.VCRUNTIME140 ref: 00007FF76C3329C7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C332B47
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C332B68
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C332B8B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C332B98
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C332C31
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C332C3A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C332C52
strchr.VCRUNTIME140 ref: 00007FF76C332E3F
strchr.VCRUNTIME140 ref: 00007FF76C332E59
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C332F4C
strchr.VCRUNTIME140 ref: 00007FF76C332F78
strrchr.VCRUNTIME140 ref: 00007FF76C332F8A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C332FAB
memmove.VCRUNTIME140 ref: 00007FF76C332FC4
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333038
strchr.VCRUNTIME140 ref: 00007FF76C33305B
strchr.VCRUNTIME140 ref: 00007FF76C333070

Strings

expires, xrefs: 00007FF76C332DD5
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 00007FF76C332ECF
__Host-, xrefs: 00007FF76C332B61
secure, xrefs: 00007FF76C332BBE
#HttpOnly_, xrefs: 00007FF76C33302E
Replaced, xrefs: 00007FF76C333561
httponly, xrefs: 00007FF76C332BF6
FALSE, xrefs: 00007FF76C3330AE, 00007FF76C3332AB
version, xrefs: 00007FF76C332D7B
__Secure-, xrefs: 00007FF76C332B40
max-age, xrefs: 00007FF76C332DA8
%4095[^;=] =%4095[^;], xrefs: 00007FF76C332A06
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF76C333577
TRUE, xrefs: 00007FF76C3330A7
localhost, xrefs: 00007FF76C332C9F
Added, xrefs: 00007FF76C33356D
domain, xrefs: 00007FF76C332C71
path, xrefs: 00007FF76C332C1D
skipped cookie with bad tailmatch domain: %s, xrefs: 00007FF76C332D5E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strchr$_strdup$freestrncmp$_time64callocmallocmemmovestrrchr
String ID: #HttpOnly_$%4095[^;=] =%4095[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$domain$expires$httponly$localhost$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 1480346526-3844637060
Opcode ID: 0ccbd0169f4b0ff4825d33c0f4ede31d96c845e13c4baf141d7dd962c627e433
Instruction ID: d8d1e24dfe7d5df477d6c69f819c079990e26308ad4240acfa49862b998aa6e0
Opcode Fuzzy Hash: 0ccbd0169f4b0ff4825d33c0f4ede31d96c845e13c4baf141d7dd962c627e433
Instruction Fuzzy Hash: 2D720121A0CBC2C5FB61AB23D544BB9B7A0EF05796F844139CA8E426D6DF3DE445C362

Function 00007FF76C3665B0 Relevance: 102.1, APIs: 45, Strings: 13, Instructions: 580COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C33FA50: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB75
Part of subcall function 00007FF76C33FA50: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB90

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36663E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C366672
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36667C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C366699
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3666AC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3666B5
#22.WLDAP32 ref: 00007FF76C3666C6
#211.WLDAP32 ref: 00007FF76C366760
#217.WLDAP32 ref: 00007FF76C36677C
#211.WLDAP32 ref: 00007FF76C366795
#211.WLDAP32 ref: 00007FF76C3667A7
#60.WLDAP32 ref: 00007FF76C3667D7
#211.WLDAP32 ref: 00007FF76C3668F2
#60.WLDAP32 ref: 00007FF76C366917
#22.WLDAP32 ref: 00007FF76C3669BA
#41.WLDAP32 ref: 00007FF76C366DD6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C366DFE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C366E08
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C366E28
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C366E3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C366E44
#46.WLDAP32 ref: 00007FF76C366E56

Strings

;binary, xrefs: 00007FF76C366C40
encrypted, xrefs: 00007FF76C36670E
LDAP local: Cannot connect to %s:%ld, xrefs: 00007FF76C3667FB
LDAP local: bind via ldap_win_bind %s, xrefs: 00007FF76C3669C4
cleartext, xrefs: 00007FF76C3666EF
LDAP local: %s, xrefs: 00007FF76C3666CC
There are more than %d entries, xrefs: 00007FF76C366DE6
Microsoft Corporation., xrefs: 00007FF76C3665D0
LDAP remote: %s, xrefs: 00007FF76C366A37
LDAP local: LDAP Vendor = %s ; LDAP Version = %d, xrefs: 00007FF76C3665E4
LDAP local: %s, xrefs: 00007FF76C366627
LDAP local: trying to establish %s connection, xrefs: 00007FF76C3666F9
DN: , xrefs: 00007FF76C366AB2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$#211$fwrite$#217calloc
String ID: ;binary$DN: $LDAP local: %s$LDAP local: %s$LDAP local: Cannot connect to %s:%ld$LDAP local: LDAP Vendor = %s ; LDAP Version = %d$LDAP local: bind via ldap_win_bind %s$LDAP local: trying to establish %s connection$LDAP remote: %s$Microsoft Corporation.$There are more than %d entries$cleartext$encrypted
API String ID: 2742731861-78870445
Opcode ID: c4fa293890821b9014b5e3bf5da57906fb6f97ba27b4b3abdc5a7683c1d28741
Instruction ID: cea5a500c1df50addb8e310a93296e6ea83bfa4cf9a18492bcc5aa5e8ac72ef4
Opcode Fuzzy Hash: c4fa293890821b9014b5e3bf5da57906fb6f97ba27b4b3abdc5a7683c1d28741
Instruction Fuzzy Hash: 5D428D75B09A42C6EB10AB63D454AB9B3B1FF49BC9F814039CE0E67794DE3CE4098361

Function 00007FF76C36ED20 Relevance: 72.3, APIs: 17, Strings: 24, Instructions: 549encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF76C36EE8F
GetLastError.KERNEL32 ref: 00007FF76C36EEA2
CertCreateCertificateChainEngine.CRYPT32 ref: 00007FF76C36EF54
GetLastError.KERNEL32 ref: 00007FF76C36EF5E
CertGetCertificateChain.CRYPT32 ref: 00007FF76C36EFEB
GetLastError.KERNEL32 ref: 00007FF76C36EFF5
CertGetNameStringA.CRYPT32 ref: 00007FF76C36F163
CertFreeCertificateChainEngine.CRYPT32 ref: 00007FF76C36F5DB
CertCloseStore.CRYPT32 ref: 00007FF76C36F5F0
CertFreeCertificateChain.CRYPT32 ref: 00007FF76C36F600
CertFreeCertificateContext.CRYPT32 ref: 00007FF76C36F610

Strings

schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 00007FF76C36F075
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF76C36EE61
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 00007FF76C36F08C
2.5.29.17, xrefs: 00007FF76C36F1C3, 00007FF76C36F1F4, 00007FF76C36F35F, 00007FF76C36F39B
schannel: server certificate name verification failed, xrefs: 00007FF76C36F54E
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 00007FF76C36F22E, 00007FF76C36F3D5
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 00007FF76C36F4A3
schannel: CertFindExtension() returned no extension., xrefs: 00007FF76C36F1DB, 00007FF76C36F377
schannel: failed to create certificate store: %s, xrefs: 00007FF76C36EEBC
schannel: Null certificate context., xrefs: 00007FF76C36F178, 00007FF76C36F327
schannel: Empty DNS name., xrefs: 00007FF76C36F26A, 00007FF76C36F418
schannel: Not enough memory to list all host names., xrefs: 00007FF76C36F48C
schannel: failed to create certificate chain engine: %s, xrefs: 00007FF76C36EF78
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 00007FF76C36F519
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 00007FF76C36F566
schannel: CertGetCertificateChain failed: %s, xrefs: 00007FF76C36F00F
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 00007FF76C36F0B9
schannel: Failed to read remote certificate context: %s, xrefs: 00007FF76C36F58D
schannel: CertGetNameString() returned no certificate name information, xrefs: 00007FF76C36F2AD
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 00007FF76C36F509
schannel: CertGetCertificateChain error mask: 0x%08x, xrefs: 00007FF76C36F0CA
schannel: Null certificate info., xrefs: 00007FF76C36F1B3, 00007FF76C36F344
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 00007FF76C36F05D
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 00007FF76C36F0A2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Cert$Certificate$Chain$ErrorFreeLast$EngineStore$CloseContextCreateNameOpenString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CertGetCertificateChain error mask: 0x%08x$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Failed to read remote certificate context: %s$schannel: Not enough memory to list all host names.$schannel: Null certificate context.$schannel: Null certificate info.$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: failed to create certificate chain engine: %s$schannel: failed to create certificate store: %s$schannel: server certificate name verification failed$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 561913010-2037819326
Opcode ID: bc3d470d67b8c6f26bf1a52cddf1d089605b5e228c222f1a0e36e97f5b24815e
Instruction ID: bb433251f7968f85b7e19a905a6dee2d476ff1af59e95dda868372077e83f799
Opcode Fuzzy Hash: bc3d470d67b8c6f26bf1a52cddf1d089605b5e228c222f1a0e36e97f5b24815e
Instruction Fuzzy Hash: 2A42BE32A09B42C5EB10AB17E440BB9B3A1FB48B96F914139DE5D17798DF3CE844C762

Function 00007FF76C35DD80 Relevance: 67.0, APIs: 25, Strings: 13, Instructions: 515networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35DE61
getsockname.WS2_32 ref: 00007FF76C35E05A
WSAGetLastError.WS2_32 ref: 00007FF76C35E064
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35E59B

Strings

socket failure: %s, xrefs: 00007FF76C35E15F, 00007FF76C35E366
Failure sending EPRT command: %s, xrefs: 00007FF76C35E54F
PORT, xrefs: 00007FF76C35E4A2
%s %s, xrefs: 00007FF76C35E4A9
bind() failed, we ran out of ports!, xrefs: 00007FF76C35E256
EPRT, xrefs: 00007FF76C35E512
%s |%d|%s|%hu|, xrefs: 00007FF76C35E529
failed to resolve the address provided to PORT: %s, xrefs: 00007FF76C35E589
Failure sending PORT command: %s, xrefs: 00007FF76C35E4CC
bind(port=%hu) on non-local address failed: %s, xrefs: 00007FF76C35E1F4
bind(port=%hu) failed: %s, xrefs: 00007FF76C35E2C5
,%d,%d, xrefs: 00007FF76C35E479
getsockname() failed: %s, xrefs: 00007FF76C35E07E, 00007FF76C35E28E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastcallocfreegetsockname
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 2454324209-2383553807
Opcode ID: 1eeeab696e3d791c9bf331c78a868181a07cadec384da2eacbb8ae0852a43e07
Instruction ID: 6f91109219348e7e8c92fc5b4b7e1bf861cf3e4bfbac4ddf3518fe0d5fe3c67f
Opcode Fuzzy Hash: 1eeeab696e3d791c9bf331c78a868181a07cadec384da2eacbb8ae0852a43e07
Instruction Fuzzy Hash: 6A22B361A0C782C1EB50BB23D440ABABBA1FB45786FC4503AEA4E47785DF3CE545C762

Function 00007FF76C339040 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 254stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3390A6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3390CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C339128

Strings

-----END PUBLIC KEY-----, xrefs: 00007FF76C33932E
sha256//, xrefs: 00007FF76C33909C, 00007FF76C3391EE
public key hash: sha256//%s, xrefs: 00007FF76C33913E
-----BEGIN PUBLIC KEY-----, xrefs: 00007FF76C3392FA
;sha256//, xrefs: 00007FF76C3391A0

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemallocstrncmp
String ID: public key hash: sha256//%s$-----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$;sha256//$sha256//
API String ID: 1436789207-471711153
Opcode ID: b43ae07099be95f4639f7f5e7bee081ca5bc71f2c6de42ad2eded526886e1f03
Instruction ID: c4870131cb07cc92dd00ee0260c6a66e2f2bed6075b47fd7670081f12ab656e6
Opcode Fuzzy Hash: b43ae07099be95f4639f7f5e7bee081ca5bc71f2c6de42ad2eded526886e1f03
Instruction Fuzzy Hash: 27A18F61A0D782C1FA50AF23D455A79F7A0AF49BE2FC84139DD0E4B794EE3CE4458722

Function 00007FF76C36F640 Relevance: 52.8, APIs: 17, Strings: 13, Instructions: 253fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76C36F686

Part of subcall function 00007FF76C329D30: GetLastError.KERNEL32 ref: 00007FF76C329D4C
Part of subcall function 00007FF76C329D30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329D54

CreateFileA.KERNEL32 ref: 00007FF76C36F6E0
GetLastError.KERNEL32 ref: 00007FF76C36F6F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36FA2D

Strings

schannel: failed to open CA file '%s': %s, xrefs: 00007FF76C36F70B
-----BEGIN CERTIFICATE-----, xrefs: 00007FF76C36F82E
schannel: added %d certificate(s) from CA file '%s', xrefs: 00007FF76C36FA03
schannel: invalid path name for CA file '%s': %s, xrefs: 00007FF76C36F6A0
schannel: CA file '%s' is not correctly formatted, xrefs: 00007FF76C36F9D1
schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 00007FF76C36F966
schannel: failed to read from CA file '%s': %s, xrefs: 00007FF76C36F930
schannel: failed to determine size of CA file '%s': %s, xrefs: 00007FF76C36F752
-----END CERTIFICATE-----, xrefs: 00007FF76C36F859
schannel: did not add any certificates from CA file '%s', xrefs: 00007FF76C36F9F2
schannel: failed to extract certificate from CA file '%s': %s, xrefs: 00007FF76C36F9B5
schannel: unexpected content type '%d' when extracting certificate from CA file '%s', xrefs: 00007FF76C36F985
schannel: CA file exceeds max size of %u bytes, xrefs: 00007FF76C36F789

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast$CreateFile_errnofree
String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: CA file exceeds max size of %u bytes$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to determine size of CA file '%s': %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
API String ID: 1377488173-902404565
Opcode ID: 7f311b7e71c6f1d1298a73c1e19e7cb2c25d99a9beccf30fe3e55696d5328150
Instruction ID: 7e6e516b5b6c8165a8852cee7902c715a9e563084faf1cde1894587f6229031b
Opcode Fuzzy Hash: 7f311b7e71c6f1d1298a73c1e19e7cb2c25d99a9beccf30fe3e55696d5328150
Instruction Fuzzy Hash: 7AB1A221F18742C2EA10AB27E400BA9B6A1BF49786FC1413ADD4D6B794DF7CE504CB62

Function 00007FF76C36A800 Relevance: 42.4, APIs: 21, Strings: 3, Instructions: 425COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36A8B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36A971
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36A97F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36A991

Strings

WDigest, xrefs: 00007FF76C36A841, 00007FF76C36AC75
realm, xrefs: 00007FF76C36AB17
digest_sspi: MakeSignature failed, error 0x%08lx, xrefs: 00007FF76C36ABAB

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: WDigest$digest_sspi: MakeSignature failed, error 0x%08lx$realm
API String ID: 2190258309-2223379150
Opcode ID: 762747e3dd0d6dc23d47ce4e052777f3f2dcd9bd673a44f06668da85d425ee35
Instruction ID: d90212c10240736f3d0442c3046e4d95eec936756250c6ad93f67d5da14e38f3
Opcode Fuzzy Hash: 762747e3dd0d6dc23d47ce4e052777f3f2dcd9bd673a44f06668da85d425ee35
Instruction Fuzzy Hash: 8D129D72A09B56CAEB50EF23E444AA9B7B4FB44B8AF910039DE4E53B94DF38D405C711

Function 00007FF76C341590 Relevance: 38.8, APIs: 14, Strings: 8, Instructions: 317stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF76C341662
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C34167D
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3416BC

Strings

Name '%s' family %i resolved to '%s' family %i, xrefs: 00007FF76C341888
bind failed with errno %d: %s, xrefs: 00007FF76C341A48
Local port: %hu, xrefs: 00007FF76C341A65
Couldn't bind to interface '%s', xrefs: 00007FF76C341800
getsockname() failed with errno %d: %s, xrefs: 00007FF76C341A0C
Local Interface %s is ip %s using address family %i, xrefs: 00007FF76C341777
Couldn't bind to '%s', xrefs: 00007FF76C341752
Bind to local port %hu failed, trying next, xrefs: 00007FF76C341970

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strncmp$memset
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
API String ID: 3268688168-2769131373
Opcode ID: 1e0d4f6515f6bf4db3e575e4e8632aa774591cfb3602211e1656b23fdfbbb5ae
Instruction ID: bf8c6f0d242426d59e31388b1e9adb246727b0662ade2bb317a8fc39252104c5
Opcode Fuzzy Hash: 1e0d4f6515f6bf4db3e575e4e8632aa774591cfb3602211e1656b23fdfbbb5ae
Instruction Fuzzy Hash: 0DE1D432E18B82C5E710EB22D840AB9B760FB89789F80913AEE4E4B755DF6CD554C721

Function 00007FF76C3697D0 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 252fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000468,00000470,00000000,?), ref: 00007FF76C369863
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C36988D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C369952
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C36995E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3699C2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3699CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C369AD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C369ADF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C369AEA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C369B3F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C369B5E

Strings

password, xrefs: 00007FF76C369A09
login, xrefs: 00007FF76C3699EE
, xrefs: 00007FF76C3698A1, 00007FF76C369AA2
machine, xrefs: 00007FF76C369A21, 00007FF76C369A62
default, xrefs: 00007FF76C369A7D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdup$fclosefgetsfopen
String ID: $default$login$machine$password
API String ID: 431015889-155862542
Opcode ID: 0666d7a69f5a3d087a33b176ed23337d280181dd53fdf0eee873212d8639e86b
Instruction ID: d243ee9cd0e857876a797180696946ddeae1de010d96656bc1f7d62b12ea5383
Opcode Fuzzy Hash: 0666d7a69f5a3d087a33b176ed23337d280181dd53fdf0eee873212d8639e86b
Instruction Fuzzy Hash: 36A1B322A0D782C5FA61BF23D540B7AF6E0AF85786F894039DE4E56794DE3CE4448732

Function 00007FF76C351050 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 422stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3512CE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3512D6
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C3512EC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3512F5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3512FD
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C351307

Strings

%02d:%02d:%02d%n, xrefs: 00007FF76C351279
%02d:%02d%n, xrefs: 00007FF76C3512AD
GMT, xrefs: 00007FF76C3511C7
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00007FF76C35110E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: 43dd529dc28cfafc5e78a4d5ffc7bb8958316a3aaea1f1d2542b836935997550
Instruction ID: 99272a706615683e04be2e9012afd1df00c60bf2dee71767b86750dda76d1801
Opcode Fuzzy Hash: 43dd529dc28cfafc5e78a4d5ffc7bb8958316a3aaea1f1d2542b836935997550
Instruction Fuzzy Hash: 6FF1F272F08511CAEB24AF6A94009BCBBB1AB4475AFD04239DF1E977C4DE38E9058751

Function 00007FF76C352690 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF76C3526D0
CryptAcquireContextA.ADVAPI32(?,?,?,?,?,?,?,?,00007FF76C352659), ref: 00007FF76C3526EF
CryptCreateHash.ADVAPI32(?,?,?,?,?,?,?,?,00007FF76C352659), ref: 00007FF76C352719
CryptHashData.ADVAPI32(?,?,?,?,?,?,?,?,00007FF76C352659), ref: 00007FF76C352731
CryptGetHashParam.ADVAPI32(?,?,?,?,?,?,?,?,00007FF76C352659), ref: 00007FF76C352756
CryptGetHashParam.ADVAPI32(?,?,?,?,?,?,?,?,00007FF76C352659), ref: 00007FF76C352782
CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,?,00007FF76C352659), ref: 00007FF76C352792
CryptReleaseContext.ADVAPI32(?,?,?,?,?,?,?,?,00007FF76C352659), ref: 00007FF76C3527A4

Strings

@, xrefs: 00007FF76C3526E5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyReleasememset
String ID: @
API String ID: 2041421932-2766056989
Opcode ID: dd68ff11af13008f035dc987d9aeec5544f0d6030b669bc89ad29880cb7134dc
Instruction ID: 1ac77129d6e2455f5663c2235ef6a65e17a8e9c791eb677ad97c530de140f6ae
Opcode Fuzzy Hash: dd68ff11af13008f035dc987d9aeec5544f0d6030b669bc89ad29880cb7134dc
Instruction Fuzzy Hash: 4E319236608682C6E760DF22E548AAAB7B4FBC5B85F844139DF8D57B14CF3CD4058B14

Function 00007FF76C33A560 Relevance: 14.3, Strings: 11, Instructions: 540COMMON

Download Yara Rule

Strings

serially, xrefs: 00007FF76C33A66E
Could multiplex, but not asked to!, xrefs: 00007FF76C33A6FC
Server doesn't support multiplex yet, wait, xrefs: 00007FF76C33A6AB
Found pending candidate for reuse and CURLOPT_PIPEWAIT is set, xrefs: 00007FF76C33AE2A
Multiplexed connection found!, xrefs: 00007FF76C33ADD1
Can not multiplex, even if we wanted to!, xrefs: 00007FF76C33A71A
Server doesn't support multiplex (yet), xrefs: 00007FF76C33A6CF
Found bundle for host %s: %p [%s], xrefs: 00007FF76C33A679
Connection #%ld is still name resolving, can't reuse, xrefs: 00007FF76C33A7A1
Connection #%ld isn't open enough, can't reuse, xrefs: 00007FF76C33A7C6
can multiplex, xrefs: 00007FF76C33A662

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: Can not multiplex, even if we wanted to!$Connection #%ld is still name resolving, can't reuse$Connection #%ld isn't open enough, can't reuse$Could multiplex, but not asked to!$Found bundle for host %s: %p [%s]$Found pending candidate for reuse and CURLOPT_PIPEWAIT is set$Multiplexed connection found!$Server doesn't support multiplex (yet)$Server doesn't support multiplex yet, wait$can multiplex$serially
API String ID: 0-2774518510
Opcode ID: 06262a617c1d5cc64fa05beb9c8d9c87a130ac8c9bbb3e9d2f95238eaa44d340
Instruction ID: 6e0dcc2d1fc46324ee5c17a3535babe22ce8300ed1aa203b73467a5d90c7a1b2
Opcode Fuzzy Hash: 06262a617c1d5cc64fa05beb9c8d9c87a130ac8c9bbb3e9d2f95238eaa44d340
Instruction Fuzzy Hash: 6F42FA62A0C7C2C5EF9AAAAAC154BB9B7A1FF41747F84403DCA5D47285DF2CA450C732

Function 00007FF76C376090 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF76C3760D7
CryptImportKey.ADVAPI32 ref: 00007FF76C3761A9
CryptReleaseContext.ADVAPI32 ref: 00007FF76C3761C1
CryptEncrypt.ADVAPI32 ref: 00007FF76C3761F2
CryptDestroyKey.ADVAPI32 ref: 00007FF76C3761FC
CryptReleaseContext.ADVAPI32 ref: 00007FF76C376208

Strings

@, xrefs: 00007FF76C3760BD

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID: @
API String ID: 3016261861-2766056989
Opcode ID: 7c4d4c2105dac821a974f8275c4e737bb47a2d390b2f6b484e47d0f81788c90e
Instruction ID: 45ade3b7cfd2c0f80da5b69ee69a39542a218e5b95c46edb5d51aa7790343ff5
Opcode Fuzzy Hash: 7c4d4c2105dac821a974f8275c4e737bb47a2d390b2f6b484e47d0f81788c90e
Instruction Fuzzy Hash: C141BD22A046A0CEF7108BB6E4557EE7BB0FB4A349F444025DE9D57A4ACB3CC11AD764

Function 00007FF76C355960 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000021C,-00000008,00000000,?,?,00007FF76C355958,?,?,?,?,?,?,00007FF76C36CA5E), ref: 00007FF76C3559D6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000021C,-00000008,00000000,?,?,00007FF76C355958,?,?,?,?,?,?,00007FF76C36CA5E), ref: 00007FF76C355B3D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C355C9C

Strings

%c%c%c%c, xrefs: 00007FF76C355A93
%c%c%c=, xrefs: 00007FF76C355AD1
%c%c==, xrefs: 00007FF76C355B03

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: %c%c%c%c$%c%c%c=$%c%c==
API String ID: 3985033223-3943651191
Opcode ID: e6d497f4e9d8cf3d787a12f0ecc3c7fd30026ee7bd3c9da48e127d890584b040
Instruction ID: 92b26605970bf3ecd28960b2e8cea8a5c1d50429c5e87205749c759b735014ab
Opcode Fuzzy Hash: e6d497f4e9d8cf3d787a12f0ecc3c7fd30026ee7bd3c9da48e127d890584b040
Instruction Fuzzy Hash: CA910572A086D1C5E721AB26A400BBABFA0EB45796FC84239DBAD477D5DF3CE4008711

Function 00007FF76C364AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C364B2F
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C364B8C
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C364BB0
bind.WS2_32 ref: 00007FF76C364C2B
WSAGetLastError.WS2_32 ref: 00007FF76C364C35

Strings

bind() failed; %s, xrefs: 00007FF76C364C50

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: calloc$ErrorLastbind
String ID: bind() failed; %s
API String ID: 2604820300-1141498939
Opcode ID: 2ab2b724ac8a5d716146213e00084d423a1857bb837b2ec39420f5dff8d0a031
Instruction ID: 722c9cc9e2ce3e45651ec4754e34f308054d40e344a9135252d359e69ff0c609
Opcode Fuzzy Hash: 2ab2b724ac8a5d716146213e00084d423a1857bb837b2ec39420f5dff8d0a031
Instruction Fuzzy Hash: 5D51A172A08782D6EB15EF27D4607B9B2A1FB44B89F844038DA4D57785EF3CE4618362

Function 00007FF76C364881 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3648FE
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36495B
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C364983
bind.WS2_32 ref: 00007FF76C364A02
WSAGetLastError.WS2_32 ref: 00007FF76C364A0C

Strings

bind() failed; %s, xrefs: 00007FF76C364A27

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: calloc$ErrorLastbind
String ID: bind() failed; %s
API String ID: 2604820300-1141498939
Opcode ID: 4350c40aa74f367b8e7769cb97430262adb1528d0f8f2e38291eeba2e77620e5
Instruction ID: abf4a09f23329083855a5ac8dc36cf3de466eb2cb0048196799e7c258df95fa8
Opcode Fuzzy Hash: 4350c40aa74f367b8e7769cb97430262adb1528d0f8f2e38291eeba2e77620e5
Instruction Fuzzy Hash: 3A51D472B08B85D6EB15DB23D4547A8B3A0FB44B85F850039CA4D5B781EF7CE464C762

Function 00007FF76C34E770 Relevance: 10.1, Strings: 8, Instructions: 72COMMON

Download Yara Rule

Strings

%4I64dT, xrefs: 00007FF76C34E880
%4I64dG, xrefs: 00007FF76C34E864
%4I64dM, xrefs: 00007FF76C34E80C
%4I64dP, xrefs: 00007FF76C34E88D
%4I64dk, xrefs: 00007FF76C34E79E
%2I64d.%0I64dG, xrefs: 00007FF76C34E82A
%5I64d, xrefs: 00007FF76C34E785
%2I64d.%0I64dM, xrefs: 00007FF76C34E7B9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 0-2102732564
Opcode ID: c44bcfe33980ef3a0f1d971bf3190cdbc9de0a4f7c438327ea66066fda808475
Instruction ID: 444a4c6817a4b975be4152483943afc631df11f4ef16b23a80696808477612cf
Opcode Fuzzy Hash: c44bcfe33980ef3a0f1d971bf3190cdbc9de0a4f7c438327ea66066fda808475
Instruction Fuzzy Hash: F621A750E49B4AC3FE18E797AA14FF4E2505B44B82FC0843AEC0E0A7D1DE6D6549C1A3

Function 00007FF76C3525C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF76C3525F1
CryptGenRandom.ADVAPI32 ref: 00007FF76C352605
CryptReleaseContext.ADVAPI32 ref: 00007FF76C352616
CryptReleaseContext.ADVAPI32 ref: 00007FF76C35262C

Strings

@, xrefs: 00007FF76C3525D9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireRandom
String ID: @
API String ID: 2916321625-2766056989
Opcode ID: 1f384798deb8f8ca1f5c4a1ab48fd3a1020f6e2f3c7e5064afbcf50612595059
Instruction ID: 29c8c1fcbf77ff847ad552dbc2338456bd19d26d9af96fc4262439bfaf75e07c
Opcode Fuzzy Hash: 1f384798deb8f8ca1f5c4a1ab48fd3a1020f6e2f3c7e5064afbcf50612595059
Instruction Fuzzy Hash: 60F08666B08681C2E7009B22F44976AF760FF897E5F844034DF9C4B669DF7DC0858B19

Function 00007FF76C32EB50 Relevance: 8.2, Strings: 6, Instructions: 693COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00007FF76C32F06B, 00007FF76C32F0D6
(nil), xrefs: 00007FF76C32F3B6
.%ld, xrefs: 00007FF76C32EEB9
(nil), xrefs: 00007FF76C32F334
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FF76C32EB93, 00007FF76C32F064, 00007FF76C32F0CB
%ld, xrefs: 00007FF76C32EE60

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: %ld$(nil)$(nil)$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-1379995092
Opcode ID: 9deb1b9577f49ba21a346aa79a883c1ce45ba1e35fd4efc707b3a565828952a4
Instruction ID: 9627cda7aadc3d7748fc941cccb1b19c1ec17ce63e2186ff1ae0b88fb41ede27
Opcode Fuzzy Hash: 9deb1b9577f49ba21a346aa79a883c1ce45ba1e35fd4efc707b3a565828952a4
Instruction Fuzzy Hash: 9F422A32908AA3C5EF246A269400B7AF791FF49796FD14638DE5E477C4DF3CE8018662

Function 00007FF76C379538 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76C379599
IsDebuggerPresent.KERNEL32 ref: 00007FF76C3795B1
OutputDebugStringW.KERNEL32 ref: 00007FF76C3795C2

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF76C3795BB

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 2c6b95d41a77ba3a3599d5c3fc017d9d2231307e7b7061d113b98fedc1d41e58
Instruction ID: 5e46731b636549de7d80286d2dd6324e6ea947ac1365c7b10b7f22ed148244f7
Opcode Fuzzy Hash: 2c6b95d41a77ba3a3599d5c3fc017d9d2231307e7b7061d113b98fedc1d41e58
Instruction Fuzzy Hash: E2118F32608B92D7E744AB23D6557B9B2A0FF05356F804239C64D46A50EF3CE074C775

Function 00007FF76C3555B0 Relevance: 6.0, APIs: 4, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 00007FF76C3555E0
CryptGetHashParam.ADVAPI32 ref: 00007FF76C355606
CryptDestroyHash.ADVAPI32 ref: 00007FF76C355615
CryptReleaseContext.ADVAPI32 ref: 00007FF76C355625

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 66c61ba7b73b83539a3b08911e90df6eeb6efa10a922950d407ccf2b734cdc51
Instruction ID: ba5c35fe549bf7877e44b71945d4a3a9cb9f223cd5b370a2301e76dd3c25a415
Opcode Fuzzy Hash: 66c61ba7b73b83539a3b08911e90df6eeb6efa10a922950d407ccf2b734cdc51
Instruction Fuzzy Hash: 24015E36609681C6EB109F22E459B6AF770FB85B89F944139DB4D06A68CF3CD4488B25

Function 00007FF76C355550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF76C35556C
CryptCreateHash.ADVAPI32 ref: 00007FF76C35558D

Strings

@, xrefs: 00007FF76C35555C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID: @
API String ID: 1914063823-2766056989
Opcode ID: 7ff71ec8e4c1874b63cb0a23044fd854c3ca10547940388fb3e5fedb972fe85a
Instruction ID: 3c45305d8caa48e3ebd9a55445fcecae935a8fa7c0889f13049551902de8d25b
Opcode Fuzzy Hash: 7ff71ec8e4c1874b63cb0a23044fd854c3ca10547940388fb3e5fedb972fe85a
Instruction Fuzzy Hash: 6EE09221B1465282F7205B62E405F56B361FB88B49F8440348B8C0BA14DF3CC0458B28

Function 00007FF76C361E90 Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF76C361ECB
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C361EFF

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _getpidhtons
String ID:
API String ID: 3416910171-0
Opcode ID: b37bdbeda7a57138afcfd5a137ed18c61444f6927a4934071a14dd94ea03c48a
Instruction ID: bde74d35d928ece8262c6717341e4523059f063dabb18123bb26b6fbe5873c51
Opcode Fuzzy Hash: b37bdbeda7a57138afcfd5a137ed18c61444f6927a4934071a14dd94ea03c48a
Instruction Fuzzy Hash: AF117C22A247D0CAD304CF36E4001AD7770FB58B88F44962AFB8987B18EB78D6D0C705

Function 00007FF76C311A10 Relevance: 1.3, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF76C311AF3

Part of subcall function 00007FF76C378A88: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF76C311AD3), ref: 00007FF76C378A98

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: AcquireExclusiveHeapLockProcess
String ID:
API String ID: 3110430671-0
Opcode ID: 7560b114f0a385840403cfbc50c5e3af2c217ed3d4dec2e3c2772d2b301649dd
Instruction ID: cd90e0b0712fad66c940e119216eb634b0b8cc471f445aa664d98594e74c28da
Opcode Fuzzy Hash: 7560b114f0a385840403cfbc50c5e3af2c217ed3d4dec2e3c2772d2b301649dd
Instruction Fuzzy Hash: BC31E471D1AA02C5EA80BB16E8819B0B3B4EF55352FD0517EC44D822A0EF3CA894C3B7

Function 00007FF76C3436F0 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e4efab93c6ab704ad5aff1c2f387911547288a6c84c4b6456d7d387cab398a
Instruction ID: 8485d14eecfef51f85330845c333aed576f074ad152542b94eca87dabb3fb3ff
Opcode Fuzzy Hash: 16e4efab93c6ab704ad5aff1c2f387911547288a6c84c4b6456d7d387cab398a
Instruction Fuzzy Hash: A8026EB2A181A04AD36DCB2EA465639BFE1F389741B04912EE7A7C3781D93CC955DF10

Function 00007FF76C316BC0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6493d6e35529629c397c204590ddb3bde36fd56b60c7bb670539de328662dbf
Instruction ID: 58a8795b3cbab8c6abd072bb06b7f0d3afa4411fcd6dc3abcbc9cf26c046caed
Opcode Fuzzy Hash: d6493d6e35529629c397c204590ddb3bde36fd56b60c7bb670539de328662dbf
Instruction Fuzzy Hash: 82418433B155548BE78CDF2AC825AAD73A2F7D8304F85C23DEA0AC7785DA399905CB40

Function 00007FF76C378110 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction ID: 3229d07800f2bc6543b1ea3408e93a3b664117935dd35b9b83b99e76ad098a7d
Opcode Fuzzy Hash: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction Fuzzy Hash: 4FF08C25324767BEFE00853B4624FBD6E409BC1701FA369798C80020CB869E54D3D724

Function 00007FF76C3555A0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d970218e3aa96889e2f23fa12dc07f649a3e20bed6a2250d26d7c1d68203ed
Instruction ID: 142b4b2c7a260132be1c6a8ea12e491b193c148fe097494af5e194119df2aef8
Opcode Fuzzy Hash: a7d970218e3aa96889e2f23fa12dc07f649a3e20bed6a2250d26d7c1d68203ed
Instruction Fuzzy Hash: 8DA01261605945C092004701E154D106320EB847093404020880C058108E2480418214

Function 00007FF76C3527C0 Relevance: 145.9, APIs: 50, Strings: 47, Instructions: 399stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF76C3527F3
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C352843
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C352864
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C35287A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C352898
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3528B6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3528D4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3528EC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C352904

Strings

CALG_SHA, xrefs: 00007FF76C3528CD
CALG_DSS_SIGN, xrefs: 00007FF76C352939
CALG_SKIPJACK, xrefs: 00007FF76C352ADD
CALG_AES_192, xrefs: 00007FF76C352CBD
CALG_TEK, xrefs: 00007FF76C352AFB
CALG_SSL2_MASTER, xrefs: 00007FF76C352BEB
CALG_DES, xrefs: 00007FF76C352993
CALG_DESX, xrefs: 00007FF76C3529ED
CALG_AES_256, xrefs: 00007FF76C352CDB
CALG_AES, xrefs: 00007FF76C352CF9
CALG_SHA_512, xrefs: 00007FF76C352D53
CALG_DH_SF, xrefs: 00007FF76C352A65
CALG_SCHANNEL_MASTER_HASH, xrefs: 00007FF76C352B73
CALG_SEAL, xrefs: 00007FF76C352A47
CALG_TLS1PRF, xrefs: 00007FF76C352C63
CALG_HASH_REPLACE_OWF, xrefs: 00007FF76C352C81
CALG_SHA_256, xrefs: 00007FF76C352D17
CALG_HMAC, xrefs: 00007FF76C352C45
CALG_3DES_112, xrefs: 00007FF76C3529B1
CALG_3DES, xrefs: 00007FF76C3529CF
CALG_SSL3_SHAMD5, xrefs: 00007FF76C352B37
CALG_ECDSA, xrefs: 00007FF76C352DA4
CALG_RC2, xrefs: 00007FF76C352A0B
CALG_CYLINK_MEK, xrefs: 00007FF76C352B19
CALG_ECDH, xrefs: 00007FF76C352D6E
CALG_RC4, xrefs: 00007FF76C352A29
CALG_RSA_SIGN, xrefs: 00007FF76C35291B
CALG_DH_EPHEM, xrefs: 00007FF76C352A83
CALG_AGREEDKEY_ANY, xrefs: 00007FF76C352AA1
CALG_MD2, xrefs: 00007FF76C352873
CALG_MAC, xrefs: 00007FF76C3528FD
CALG_MD4, xrefs: 00007FF76C352891
CALG_SSL3_MASTER, xrefs: 00007FF76C352B55
CALG_RC5, xrefs: 00007FF76C352C27
CALG_SCHANNEL_MAC_KEY, xrefs: 00007FF76C352B91
CALG_SCHANNEL_ENC_KEY, xrefs: 00007FF76C352BAF
CALG_NO_SIGN, xrefs: 00007FF76C352957
CALG_SHA1, xrefs: 00007FF76C3528E5
CALG_MD5, xrefs: 00007FF76C3528AF
CALG_RSA_KEYX, xrefs: 00007FF76C352975
CALG_PCT1_MASTER, xrefs: 00007FF76C352BCD
CALG_ECDH_EPHEM, xrefs: 00007FF76C352DBF
CALG_TLS1_MASTER, xrefs: 00007FF76C352C09
CALG_HUGHES_MD5, xrefs: 00007FF76C352ABF
CALG_SHA_384, xrefs: 00007FF76C352D35
CALG_AES_128, xrefs: 00007FF76C352C9F
CALG_ECMQV, xrefs: 00007FF76C352D89

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strcmp$strncpy$strchr
String ID: CALG_3DES$CALG_3DES_112$CALG_AES$CALG_AES_128$CALG_AES_192$CALG_AES_256$CALG_AGREEDKEY_ANY$CALG_CYLINK_MEK$CALG_DES$CALG_DESX$CALG_DH_EPHEM$CALG_DH_SF$CALG_DSS_SIGN$CALG_ECDH$CALG_ECDH_EPHEM$CALG_ECDSA$CALG_ECMQV$CALG_HASH_REPLACE_OWF$CALG_HMAC$CALG_HUGHES_MD5$CALG_MAC$CALG_MD2$CALG_MD4$CALG_MD5$CALG_NO_SIGN$CALG_PCT1_MASTER$CALG_RC2$CALG_RC4$CALG_RC5$CALG_RSA_KEYX$CALG_RSA_SIGN$CALG_SCHANNEL_ENC_KEY$CALG_SCHANNEL_MAC_KEY$CALG_SCHANNEL_MASTER_HASH$CALG_SEAL$CALG_SHA$CALG_SHA1$CALG_SHA_256$CALG_SHA_384$CALG_SHA_512$CALG_SKIPJACK$CALG_SSL2_MASTER$CALG_SSL3_MASTER$CALG_SSL3_SHAMD5$CALG_TEK$CALG_TLS1PRF$CALG_TLS1_MASTER
API String ID: 1395212091-3550120021
Opcode ID: fd9132446598627dac80f3361285ecd42b717152dc9d498104ac5f675495c2f5
Instruction ID: 71c31a9c941caab9b864d1eed83c28dde430ebb23507d7977049620bdf7ffb8e
Opcode Fuzzy Hash: fd9132446598627dac80f3361285ecd42b717152dc9d498104ac5f675495c2f5
Instruction Fuzzy Hash: C4021C50F1C613D1FB50BB26DE859B8B6A5EF11386FC0013AEA1E96196EE1EE505C332

Function 00007FF76C33E9B0 Relevance: 52.7, APIs: 34, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C346B40: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF76C32F78F), ref: 00007FF76C346B57

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EB3D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EB51
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EB65
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EB79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EB8D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EBA1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EBB5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EBC9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EBDD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EBF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EC05
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EC19
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EC2D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EC41
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EC55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EC69

Part of subcall function 00007FF76C348270: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B3DF), ref: 00007FF76C3482AE

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EC7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EC91
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ECA5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ECB9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ECCD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ECE1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ECF5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ED09
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ED1D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ED31
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ED45
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ED59
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ED6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33ED81

Part of subcall function 00007FF76C33C800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C788,?,?,?,00007FF76C33B4CC), ref: 00007FF76C33C81B
Part of subcall function 00007FF76C33C800: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C788,?,?,?,00007FF76C33B4CC), ref: 00007FF76C33C849

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EDAB

Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FC1
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FD1
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FDF
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FED
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FFB
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339009
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339017
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339025

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EDD7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EDEB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33EDFB

Strings

Closing connection %ld, xrefs: 00007FF76C33EAA9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$CounterPerformanceQuery
String ID: Closing connection %ld
API String ID: 3490100708-2599090834
Opcode ID: 90f4a61b890676859e828e6c98ff77484596098afe6d505de62526d5a9d4fae4
Instruction ID: 77f4fb7af5e17610e591623db8322bccbdb871321ae14e5659a3ab58b854fb58
Opcode Fuzzy Hash: 90f4a61b890676859e828e6c98ff77484596098afe6d505de62526d5a9d4fae4
Instruction Fuzzy Hash: 1FC17135908B81C2E740AF22E4905EC7374FF89F69F480139DE5E4B359DF3895898762

Function 00007FF76C359CC0 Relevance: 47.5, APIs: 18, Strings: 9, Instructions: 297stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C359D1E
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C359D52
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C359DD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C359DEB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C359DFA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C359E47
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C359E58

Strings

<%s@%s>, xrefs: 00007FF76C359DB6, 00007FF76C359EFA
%I64d, xrefs: 00007FF76C35A00E
Mime-Version: 1.0, xrefs: 00007FF76C359FB4
Mime-Version, xrefs: 00007FF76C359F99
AUTH=, xrefs: 00007FF76C35A0B5
MAIL FROM:%s%s%s%s%s%s, xrefs: 00007FF76C35A0EC
SMTPUTF8, xrefs: 00007FF76C35A0AA
<%s>, xrefs: 00007FF76C359DD9, 00007FF76C359F1D
SIZE=, xrefs: 00007FF76C35A0C1

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree$strpbrk
String ID: AUTH=$ SIZE=$ SMTPUTF8$%I64d$<%s>$<%s@%s>$MAIL FROM:%s%s%s%s%s%s$Mime-Version$Mime-Version: 1.0
API String ID: 2737852498-2994854565
Opcode ID: b81f58161addea24da3c0a21f3837032f9f7d46342d51fc4cf5e3eea1c814e60
Instruction ID: c21e28ea04be2452ff7ebe4452c1707695d002e8ef7a6ce85384ad75bd1a205a
Opcode Fuzzy Hash: b81f58161addea24da3c0a21f3837032f9f7d46342d51fc4cf5e3eea1c814e60
Instruction Fuzzy Hash: 87D1A361F09B52C4FA51EB23D454AB9B7A0AF45B86FC40039DE4E07795EF3CA44AC362

Function 00007FF76C312D10 Relevance: 47.3, APIs: 21, Strings: 6, Instructions: 88processCOMMON

Download Yara Rule

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C312D20
GetStdHandle.KERNEL32 ref: 00007FF76C312D2B
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312D39

Part of subcall function 00007FF76C311B90: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C311BB4
Part of subcall function 00007FF76C311B90: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C311BD5

GetStdHandle.KERNEL32 ref: 00007FF76C312D5C
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312D6A
GetStdHandle.KERNEL32 ref: 00007FF76C312D81
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312D8F
GetStdHandle.KERNEL32 ref: 00007FF76C312DA6
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312DB4
GetStdHandle.KERNEL32 ref: 00007FF76C312DD6
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312DE4
GetStdHandle.KERNEL32 ref: 00007FF76C312DFB
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312E09
GetStdHandle.KERNEL32 ref: 00007FF76C312E20
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312E2E
GetStdHandle.KERNEL32 ref: 00007FF76C312E5C
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312E6A
GetStdHandle.KERNEL32 ref: 00007FF76C312E81
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312E8F
GetStdHandle.KERNEL32 ref: 00007FF76C312EA6
SetConsoleTextAttribute.KERNEL32 ref: 00007FF76C312EB4

Strings

cls, xrefs: 00007FF76C312D19
##########################################################, xrefs: 00007FF76C312D4B
##########################################################, xrefs: 00007FF76C312D95
Inserir Key: , xrefs: 00007FF76C312EBA
[ Selecione uma opcao: ], xrefs: 00007FF76C312D70
Status: %s, xrefs: 00007FF76C312E41

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: AttributeConsoleHandleText$__acrt_iob_func__stdio_common_vfprintfsystem
String ID: Inserir Key: $ Status: %s$##########################################################$##########################################################$[ Selecione uma opcao: ]$cls
API String ID: 2136955776-2655065097
Opcode ID: d1894e2e81ccde057fc62d3ef3cf9512dbb5fb357acd08f42121dc7579dbd44f
Instruction ID: 90f2c141cd7fbbc0545542ce4ab471abe3f0221e92dd9333b6af5e4e90b26792
Opcode Fuzzy Hash: d1894e2e81ccde057fc62d3ef3cf9512dbb5fb357acd08f42121dc7579dbd44f
Instruction Fuzzy Hash: 1A417D20A08947C6FA017772D829AB4B3649F95F67F94023CD52E46AF1DE2CA5898333

Function 00007FF76C377060 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C377146
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3771EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C377242
htonl.WS2_32 ref: 00007FF76C37726F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C377281
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3772B0
htonl.WS2_32 ref: 00007FF76C3772C5
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3772F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C377379
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C377382
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37738B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3773B1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3773C2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3773CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3773D4
memmove.VCRUNTIME140 ref: 00007FF76C3773EF
memmove.VCRUNTIME140 ref: 00007FF76C377403
memmove.VCRUNTIME140 ref: 00007FF76C377419
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C377440
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C377449
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C377452
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37745B

Strings

GSSAPI handshake failure (invalid security layer), xrefs: 00007FF76C377256
GSSAPI handshake failure (invalid security data), xrefs: 00007FF76C3771D7
GSSAPI handshake failure (empty security message), xrefs: 00007FF76C3771C7, 00007FF76C377468

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc$memmove$htonl
String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
API String ID: 3024061003-242323837
Opcode ID: 8a77d108d3d81cbf765f7fcfb8f3fceda42594ed8a172e8db7c841c8ad7d5d90
Instruction ID: 45a67339c17970cf3fe5fcd6d0f642302bcdaae5626ca45d070a6489e5bf0b50
Opcode Fuzzy Hash: 8a77d108d3d81cbf765f7fcfb8f3fceda42594ed8a172e8db7c841c8ad7d5d90
Instruction Fuzzy Hash: 8EC19171A08B42C6EB50EB66E441AADB7B0FB49B95F804039DE4E43B54DF3CD449CB61

Function 00007FF76C354950 Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 385COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C354F91
memmove.VCRUNTIME140 ref: 00007FF76C354FAD

Strings

schannel: renegotiation failed, xrefs: 00007FF76C354F1E
schannel: an unrecoverable error occurred in a prior call, xrefs: 00007FF76C3549F5
schannel: remote party requests renegotiation, xrefs: 00007FF76C354D72
schannel: server indicated shutdown in a prior call, xrefs: 00007FF76C354A18
schannel: SSL/TLS connection renegotiated, xrefs: 00007FF76C354DEF
schannel: failed to read data from server: %s, xrefs: 00007FF76C354EE2
schannel: enough decrypted data is already available, xrefs: 00007FF76C3549D5
schannel: failed to decrypt data, need more data, xrefs: 00007FF76C354EBA
schannel: Curl_read_plain returned error %d, xrefs: 00007FF76C354CF1
schannel: can't renogotiate, an error is pending, xrefs: 00007FF76C354F12
schannel: renegotiating SSL/TLS connection, xrefs: 00007FF76C354DA8
schannel: unable to re-allocate memory, xrefs: 00007FF76C354A8D, 00007FF76C354EF6
schannel: can't renogotiate, encrypted data available, xrefs: 00007FF76C354F32
schannel: server closed the connection, xrefs: 00007FF76C354E24
schannel: server closed abruptly (missing close_notify), xrefs: 00007FF76C354F3E
schannel: Curl_read_plain returned CURLE_RECV_ERROR, xrefs: 00007FF76C354B1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove
String ID: schannel: Curl_read_plain returned CURLE_RECV_ERROR$schannel: Curl_read_plain returned error %d$schannel: SSL/TLS connection renegotiated$schannel: an unrecoverable error occurred in a prior call$schannel: can't renogotiate, an error is pending$schannel: can't renogotiate, encrypted data available$schannel: enough decrypted data is already available$schannel: failed to decrypt data, need more data$schannel: failed to read data from server: %s$schannel: remote party requests renegotiation$schannel: renegotiating SSL/TLS connection$schannel: renegotiation failed$schannel: server closed abruptly (missing close_notify)$schannel: server closed the connection$schannel: server indicated shutdown in a prior call$schannel: unable to re-allocate memory
API String ID: 2162964266-857957974
Opcode ID: 1d7c2344a95f1c6f2a349fae617218c31eb6dfd67b8cd673fe08b3da0b9f986d
Instruction ID: 458d6be9c50b2160c0979b72e2a3d9f85e77ad0c564ea7d4b50821d0265b3682
Opcode Fuzzy Hash: 1d7c2344a95f1c6f2a349fae617218c31eb6dfd67b8cd673fe08b3da0b9f986d
Instruction Fuzzy Hash: D502DF32A08B81C5EB64EB0BD444BA9BBA4FB44B96FD0513ADE4D877A0DF38D451C712

Function 00007FF76C36BE00 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 312networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF76C36BEE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36BF30
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36C186
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C36C19D
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36C1B8
htons.WS2_32 ref: 00007FF76C36C217

Strings

AAAA, xrefs: 00007FF76C36BF56
DOH AAAA: , xrefs: 00007FF76C36C032
DOH: %s type %s for %s, xrefs: 00007FF76C36BF64
TTL: %u seconds, xrefs: 00007FF76C36BFC5
%s%02x%02x, xrefs: 00007FF76C36C07E
DOH Host name: %s, xrefs: 00007FF76C36BFB1
bad error code, xrefs: 00007FF76C36BF48
%s, xrefs: 00007FF76C36C0D3
CNAME: %s, xrefs: 00007FF76C36C113
DOH A: %u.%u.%u.%u, xrefs: 00007FF76C36BFFE
Could not DOH-resolve: %s, xrefs: 00007FF76C36BE56

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: calloc$_strdupfreehtonsmemset
String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
API String ID: 130798683-4053692942
Opcode ID: 788a240145cf897ad6ab0afcb193bec081d91315be595ad5a54b3b3c1ff8ea53
Instruction ID: 56ebd8c4f602175e0e1f67d12622c6ad88e0feb80b88bcb0923b1d000e4e6245
Opcode Fuzzy Hash: 788a240145cf897ad6ab0afcb193bec081d91315be595ad5a54b3b3c1ff8ea53
Instruction Fuzzy Hash: 3BE1C432A08682C6EB60AF23E5407BDB7A0FB48B85F85413ADA4D57754DF3CE544C762

Function 00007FF76C366EA0 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 257stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C366F26
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C366F4C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C366F5D
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C366FCB
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C366FFC
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C36701C
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C36702E
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C367090
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C367101
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C367118
strchr.VCRUNTIME140(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C3671D3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C367247
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000,00000000,00007FF76C36665F), ref: 00007FF76C367250

Strings

base, xrefs: 00007FF76C367159
sub, xrefs: 00007FF76C367184
LDAP, xrefs: 00007FF76C366EE6
onetree, xrefs: 00007FF76C367146
subtree, xrefs: 00007FF76C367197
one, xrefs: 00007FF76C367133

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strchr$free$_strdupcalloc
String ID: LDAP$base$one$onetree$sub$subtree
API String ID: 112326314-884163498
Opcode ID: c03d76c78a62b4c3c2ba51b0664dc36608633aa4495fc0907f3d7f15cd726f22
Instruction ID: 7f894b1a968446d4cf8d99a604c6a6c2e408eb869d9a9eb3a899382b717f3533
Opcode Fuzzy Hash: c03d76c78a62b4c3c2ba51b0664dc36608633aa4495fc0907f3d7f15cd726f22
Instruction Fuzzy Hash: 1EB1E322A09B82C2EA51BF179540A79B7A0FF4AB82FC54139DE4D57780EF3CE445C722

Function 00007FF76C365070 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 175stringCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF76C3650D1
memchr.VCRUNTIME140 ref: 00007FF76C365107
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C36518B
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C36521B

Strings

%s (%ld), xrefs: 00007FF76C36522B
requested, xrefs: 00007FF76C3651CA
invalid tsize -:%s:- value in OACK packet, xrefs: 00007FF76C3652F7
blksize, xrefs: 00007FF76C36516F
blksize is smaller than min supported, xrefs: 00007FF76C36529E
%s (%d), xrefs: 00007FF76C3652A5, 00007FF76C3652C8
%s (%ld), xrefs: 00007FF76C365282
tsize, xrefs: 00007FF76C3651FF
Malformed ACK packet, rejecting, xrefs: 00007FF76C36530A
got option=(%s) value=(%s), xrefs: 00007FF76C36514C
blksize is larger than max supported, xrefs: 00007FF76C3652C1
blksize parsed from OACK, xrefs: 00007FF76C3651C3
invalid blocksize value in OACK packet, xrefs: 00007FF76C3652DE
server requested blksize larger than allocated, xrefs: 00007FF76C365278
%s (%d) %s (%d), xrefs: 00007FF76C3651DD
tsize parsed from OACK, xrefs: 00007FF76C365224

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memchrstrtol
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 1626215102-895336422
Opcode ID: 049c3e20deb10b40dcfedbf3c704b7037e8846cd2ba8692fe0c3ac57ed0f1f9d
Instruction ID: 9cbd54054b38294d1a5fe3f4dd2585071660e1d244eb506a2c434b2acb1902fb
Opcode Fuzzy Hash: 049c3e20deb10b40dcfedbf3c704b7037e8846cd2ba8692fe0c3ac57ed0f1f9d
Instruction Fuzzy Hash: 2561F261B09686C1EA14EB17E940AB9B351AF45BD2FD14239ED2E5B2D6CE3CE105C322

Function 00007FF76C335D60 Relevance: 34.9, APIs: 6, Strings: 17, Instructions: 352COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C32F690: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C339C90), ref: 00007FF76C32F6B7
Part of subcall function 00007FF76C32F690: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C339C90), ref: 00007FF76C32F6C3

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335FF4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335FFC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C336023
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33602C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3360B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3360B9

Strings

application/octet-stream, xrefs: 00007FF76C335E86
8bit, xrefs: 00007FF76C33623A
multipart/mixed, xrefs: 00007FF76C335E55
form-data, xrefs: 00007FF76C336266
; boundary=, xrefs: 00007FF76C3360D3
Content-Type: %s%s%s, xrefs: 00007FF76C3360DD
Content-Transfer-Encoding, xrefs: 00007FF76C336121
text/plain, xrefs: 00007FF76C335ECC
; filename=", xrefs: 00007FF76C336041
Content-Transfer-Encoding: %s, xrefs: 00007FF76C336241
Content-Disposition: %s%s%s%s%s%s%s, xrefs: 00007FF76C336079
multipart/, xrefs: 00007FF76C335F97
attachment, xrefs: 00007FF76C335FAB, 00007FF76C335FB2
Content-Type, xrefs: 00007FF76C335DE8
Content-Disposition, xrefs: 00007FF76C335F21
multipart/form-data, xrefs: 00007FF76C3361B7
; name=", xrefs: 00007FF76C33604F

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
API String ID: 1294909896-1595554923
Opcode ID: 314a10f2e5c8186c1d427718dbc50ec86cb0a5be25892002fca901ac904fcbc2
Instruction ID: 0ece8986220610e6d2468445499595847cd253c042b758af2385fb8b48e3cb13
Opcode Fuzzy Hash: 314a10f2e5c8186c1d427718dbc50ec86cb0a5be25892002fca901ac904fcbc2
Instruction Fuzzy Hash: 91E18222B096D2D5EA65AB13D540AB9B7E0FF05B86FC84439CE4D87781DF3CE8548362

Function 00007FF76C34D810 Relevance: 33.2, APIs: 6, Strings: 16, Instructions: 206COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34D987

Strings

Proxy-authorization, xrefs: 00007FF76C34D8F3
NTLM, xrefs: 00007FF76C34D86C
Authorization: Bearer %s, xrefs: 00007FF76C34D990
%s auth using %s with user '%s', xrefs: 00007FF76C34DB26
Authorization, xrefs: 00007FF76C34D9CA
Bearer, xrefs: 00007FF76C34D980
%s:%s, xrefs: 00007FF76C34DA19
CONNECT, xrefs: 00007FF76C34D81E
Basic, xrefs: 00007FF76C34DAE7
Proxy, xrefs: 00007FF76C34DB34
Server, xrefs: 00007FF76C34DB1C
Digest, xrefs: 00007FF76C34D88E
Proxy-, xrefs: 00007FF76C34DA96
Negotiate, xrefs: 00007FF76C34D84A
%sAuthorization: Basic %s, xrefs: 00007FF76C34DAA0
Authorization:, xrefs: 00007FF76C34D961

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$Authorization$Authorization:$Authorization: Bearer %s$Basic$Bearer$CONNECT$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
API String ID: 1294909896-115817326
Opcode ID: cb668218b851a7c89985f250c35be2df344c9f620ae442767e53e00dea676c27
Instruction ID: 4ca308b9a56a8d9ff37ff4df13800cca540f8eb096eee70575c4a4b068df8134
Opcode Fuzzy Hash: cb668218b851a7c89985f250c35be2df344c9f620ae442767e53e00dea676c27
Instruction Fuzzy Hash: 2691B422E0D692C1FB50AB17D950BB9B390EF44796F84803EDA5D4B794DF2CE449C722

Function 00007FF76C333980 Relevance: 31.8, APIs: 21, Instructions: 269stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C3348D0: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000000,?,00007FF76C33434E,?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019), ref: 00007FF76C3348F3
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C334949
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C334953
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C33495D
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C334967
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C334971
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C33497B
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C334985
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C33498F
Part of subcall function 00007FF76C3348D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C334998

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333A77
strchr.VCRUNTIME140 ref: 00007FF76C333A91
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333ABB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333AC8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333AF2
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333B06
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333B13
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333B2C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333B3A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333B48
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333B63
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333B7F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333B9B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333BB7
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333BD3
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333BEF
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333C0B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333C23
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333CBB
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF76C333CF2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333D33

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdup$_time64callocmallocqsortstrchrstrncmp
String ID:
API String ID: 1087521380-0
Opcode ID: 089a5a03bc5c3338f5f14f5c61e106f0461a9d0fa56a305af5125a8979fe0107
Instruction ID: d41daee46b77dfb3e41ebceb5255ea1ca20b17f60e8c5eac2c54b7b739f61bbf
Opcode Fuzzy Hash: 089a5a03bc5c3338f5f14f5c61e106f0461a9d0fa56a305af5125a8979fe0107
Instruction Fuzzy Hash: BDB1A461A0E7C2C5EA95BB27D550A78B7A0AF45B96F884138CE4D07781DF3CE4968322

Function 00007FF76C3675D0 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 214stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3675E0
strstr.VCRUNTIME140 ref: 00007FF76C36760F
strchr.VCRUNTIME140 ref: 00007FF76C36763B
strrchr.VCRUNTIME140 ref: 00007FF76C367655
strchr.VCRUNTIME140 ref: 00007FF76C36766A
strrchr.VCRUNTIME140 ref: 00007FF76C3676CA

Strings

?, xrefs: 00007FF76C367648
., xrefs: 00007FF76C3676AA
/, xrefs: 00007FF76C367625
/, xrefs: 00007FF76C3676E3
/, xrefs: 00007FF76C36769E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strchrstrrchr$_strdupstrstr
String ID: .$/$/$/$?
API String ID: 2325335452-1821401756
Opcode ID: 459753924c62641f8fb549a96d81a01b7a5a798043c7beb83318c9593b7683b2
Instruction ID: e4c77472f31497abee4fc94c7c0858d4c13203dc78582928c8a144b23d3f0044
Opcode Fuzzy Hash: 459753924c62641f8fb549a96d81a01b7a5a798043c7beb83318c9593b7683b2
Instruction Fuzzy Hash: 9D81C112A0C382C5FB656B239501B79FA91AF56796FCA4138C98D173C6EE3CE445C732

Function 00007FF76C33F0D0 Relevance: 30.1, APIs: 24, Instructions: 137COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F0EC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F102
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F116
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F123

Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FC1
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FD1
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FDF
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FED
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FFB
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339009
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339017
Part of subcall function 00007FF76C338FB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339025

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F15F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F173
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F1C6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F1DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F1EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F202
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F26A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F27E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F292
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F2A6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F30A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F34A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F35E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F372
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F386
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F39A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F3AE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F3C2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F3D6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33F3F8

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0e191e237b70b5de089bd44c49aaa087385d8131f2c93037b7c4796d17c08956
Instruction ID: 2feb778664535aed6873a8d4af5924b530a9c3856f3bb020f398f21fab8f18a3
Opcode Fuzzy Hash: 0e191e237b70b5de089bd44c49aaa087385d8131f2c93037b7c4796d17c08956
Instruction Fuzzy Hash: 0B91E676A09BC1D3E7499F21D9902A8B3A8FB48F59F040139EF9D47354DF34A6A98321

Function 00007FF76C347960 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 312stringCOMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C347A55
strchr.VCRUNTIME140 ref: 00007FF76C347AF5
memmove.VCRUNTIME140 ref: 00007FF76C347B25
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C347B51
strchr.VCRUNTIME140 ref: 00007FF76C347B9C
memmove.VCRUNTIME140 ref: 00007FF76C347BFB

Part of subcall function 00007FF76C334A80: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C334AC4

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C347D14

Strings

Couldn't parse CURLOPT_RESOLVE entry '%s'!, xrefs: 00007FF76C347C8A
Added %s:%d:%s to DNS cache, xrefs: 00007FF76C347E0D
:%u, xrefs: 00007FF76C347A69, 00007FF76C347D28
Resolve address '%s' found illegal!, xrefs: 00007FF76C347C7B
@, xrefs: 00007FF76C347BE6
RESOLVE %s:%d is - old addresses discarded!, xrefs: 00007FF76C347D9B
RESOLVE %s:%d is wildcard, enabling wildcard checks, xrefs: 00007FF76C347E3E
%255[^:]:%d, xrefs: 00007FF76C3479E1
], xrefs: 00007FF76C347BD5
Couldn't parse CURLOPT_RESOLVE removal entry '%s'!, xrefs: 00007FF76C3479F7

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmovestrchrtolower$__stdio_common_vsscanfstrtoul
String ID: %255[^:]:%d$:%u$@$Added %s:%d:%s to DNS cache$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!$RESOLVE %s:%d is - old addresses discarded!$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal!$]
API String ID: 2189764445-1753329177
Opcode ID: 54f609b40ce6f50ec157beb48a3f024865b6beca4a3427429f88ed561e560bf3
Instruction ID: fd48c141eb72aa94eb3458803bce0468734a3e116dfd43ea60ee2585d69b2410
Opcode Fuzzy Hash: 54f609b40ce6f50ec157beb48a3f024865b6beca4a3427429f88ed561e560bf3
Instruction Fuzzy Hash: FED1D422A18682C5EB10AB22D800BF9B760FB46799FC48239DA5D1B7C5DF3CD509C361

Function 00007FF76C35CD40 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 284stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35CD8D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C35CE7F
strchr.VCRUNTIME140 ref: 00007FF76C35CDC1

Part of subcall function 00007FF76C334A80: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C334AC4

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C35CFE7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35D1B1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C35D1D3

Part of subcall function 00007FF76C348270: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B3DF), ref: 00007FF76C3482AE

Strings

Couldn't interpret the 227-response, xrefs: 00007FF76C35CF2E
Can't resolve proxy host %s:%hu, xrefs: 00007FF76C35D093
Weirdly formatted EPSV reply, xrefs: 00007FF76C35CE9F
%u,%u,%u,%u,%u,%u, xrefs: 00007FF76C35CF0B
Connecting to %s (%s) port %d, xrefs: 00007FF76C35D18A
Illegal port number in EPSV reply, xrefs: 00007FF76C35CE3F
Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 00007FF76C35CFBB
Bad PASV/EPSV response: %03d, xrefs: 00007FF76C35D1FE
%c%c%c%u%c, xrefs: 00007FF76C35CDFB
Can't resolve new host %s:%hu, xrefs: 00007FF76C35D0FE
%u.%u.%u.%u, xrefs: 00007FF76C35CFF3

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree$__stdio_common_vsscanfstrchr
String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
API String ID: 3103143820-2414412286
Opcode ID: cebc4c8935ab1215365148924880485d93f75f34bc06cfdadf451f7eefc6623a
Instruction ID: 16ffb3e9d4f0f5f50163d07ea6fe6c1d3849a79b3e199adfb93b8c04be31b775
Opcode Fuzzy Hash: cebc4c8935ab1215365148924880485d93f75f34bc06cfdadf451f7eefc6623a
Instruction Fuzzy Hash: 50D1A722B08682D2EA58BB22E540AB9FBA0FF45786FD0003ADB4D47B55DF3CE555C712

Function 00007FF76C34F7D0 Relevance: 27.3, APIs: 1, Strings: 17, Instructions: 341COMMON

Download Yara Rule

Strings

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 00007FF76C34FD74
SOCKS4%s request granted., xrefs: 00007FF76C34FD96
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 00007FF76C34FD03
SOCKS4 reply has wrong version, version should be 0., xrefs: 00007FF76C34FC71
Failed to resolve "%s" for SOCKS4 connect., xrefs: 00007FF76C34FABB
Failed to send SOCKS4 connect request., xrefs: 00007FF76C34FB7D
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 00007FF76C34FD3D
SOCKS4 connection to %s not supported, xrefs: 00007FF76C34FA9C
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 00007FF76C34FCD6
SOCKS4 communication to %s:%d, xrefs: 00007FF76C34F8AF
SOCKS4: Failed receiving connect request ack: %s, xrefs: 00007FF76C34FC2A
SOCKS4%s: connecting to HTTP proxy %s port %d, xrefs: 00007FF76C34F896
[, xrefs: 00007FF76C34FD64
SOCKS4: too long host name, xrefs: 00007FF76C34FB96
SOCKS4 non-blocking resolve of %s, xrefs: 00007FF76C34F93B
SOCKS4 connect to IPv4 %s (locally resolved), xrefs: 00007FF76C34FA3A
Too long SOCKS proxy name, can't use!, xrefs: 00007FF76C34F997

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$SOCKS4 communication to %s:%d$SOCKS4 connect to IPv4 %s (locally resolved)$SOCKS4 connection to %s not supported$SOCKS4 non-blocking resolve of %s$SOCKS4 reply has wrong version, version should be 0.$SOCKS4%s request granted.$SOCKS4%s: connecting to HTTP proxy %s port %d$SOCKS4: Failed receiving connect request ack: %s$SOCKS4: too long host name$Too long SOCKS proxy name, can't use!$[
API String ID: 0-3760664348
Opcode ID: ffe0b0e7e9d5baa33c1f922b1d54f1c39b7d1a67fb1929564115e9779a9269e0
Instruction ID: 1b5a15ae5e631750a7f65a5377b04819ff2085a369cbb8bd81bd9ec2153658a2
Opcode Fuzzy Hash: ffe0b0e7e9d5baa33c1f922b1d54f1c39b7d1a67fb1929564115e9779a9269e0
Instruction Fuzzy Hash: 24E1F56290C6C1C9EB54EF16D944BB9B790FB4A785F88813ADA4D4B795CF3CE048C722

Function 00007FF76C32D920 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF76C32D9D6
OpenProcessToken.ADVAPI32 ref: 00007FF76C32D9EB
GetTokenInformation.ADVAPI32 ref: 00007FF76C32DA2E
GetLastError.KERNEL32 ref: 00007FF76C32DA34
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DA9D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DAD6
UnloadUserProfile.USERENV ref: 00007FF76C32DBC0
CloseHandle.KERNEL32 ref: 00007FF76C32DBD9
GetTokenInformation.ADVAPI32 ref: 00007FF76C32DC49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DC66
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DC96
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DCF8
memmove.VCRUNTIME140 ref: 00007FF76C32DD23
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DD65

Strings

none, xrefs: 00007FF76C32DAFD

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$Token$InformationProcess$CloseCurrentErrorHandleLastOpenProfileUnloadUsercallocmallocmemmove
String ID: none
API String ID: 3698963424-2140143823
Opcode ID: 952d9d2b3e7ddd6734957dbd48fe98856ba79dd73a982d36d3fc39ff0bd1b752
Instruction ID: a2425d04b5012db26470c960d6c3fc4b230031847a3699d2f08092d964202c13
Opcode Fuzzy Hash: 952d9d2b3e7ddd6734957dbd48fe98856ba79dd73a982d36d3fc39ff0bd1b752
Instruction Fuzzy Hash: 8CD15E22A05BC1CAEB60AF26D8407E873A0FF45B69F844639DA6D0BB95DF3CD554C321

Function 00007FF76C354570 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 241encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF76C354857
CertEnumCertificatesInStore.CRYPT32 ref: 00007FF76C3548C7
CertFreeCertificateContext.CRYPT32 ref: 00007FF76C354905
CertFreeCertificateContext.CRYPT32 ref: 00007FF76C354918

Strings

http/1.1, xrefs: 00007FF76C3546CB
schannel: ALPN, server accepted to use %.*s, xrefs: 00007FF76C3546B8
ALPN, server did not agree to a protocol, xrefs: 00007FF76C3546E5
schannel: failed to setup memory allocation, xrefs: 00007FF76C354621
schannel: failed to setup stream orientation, xrefs: 00007FF76C354640
schannel: failed to retrieve ALPN result, xrefs: 00007FF76C35468B
schannel: failed to store credential handle, xrefs: 00007FF76C3547BC
schannel: failed to setup sequence detection, xrefs: 00007FF76C3545CA
schannel: failed to retrieve remote cert context, xrefs: 00007FF76C354937
schannel: failed to setup confidentiality, xrefs: 00007FF76C354602
schannel: failed to setup replay detection, xrefs: 00007FF76C3545E6

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: Cert$CertificateCertificatesContextEnumFreeStore
String ID: ALPN, server did not agree to a protocol$http/1.1$schannel: ALPN, server accepted to use %.*s$schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle
API String ID: 2572311694-3353508759
Opcode ID: 0d90e1c2379848367334fa5f61495e5cd12c10ce09739530cd6b62b3d29912c2
Instruction ID: 7ebdf0d20cbf7356c5b5b0e8aacff7b08b38d1c404d3aaf8699c37777a5d5877
Opcode Fuzzy Hash: 0d90e1c2379848367334fa5f61495e5cd12c10ce09739530cd6b62b3d29912c2
Instruction Fuzzy Hash: 31B1E422A08A82C5EB24AB17D814BB9B7A0FF85B86FC44139DA4D47794DF3CD445CB22

Function 00007FF76C34AD90 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 218stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF76C34AE48
strchr.VCRUNTIME140 ref: 00007FF76C34AE5F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C34AEAB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34B077
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34B0C6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34B0CF

Strings

Connection:, xrefs: 00007FF76C34AFC1
Cookie:, xrefs: 00007FF76C34B01B
1.1, xrefs: 00007FF76C34ADAB
Content-Type:, xrefs: 00007FF76C34AF4F, 00007FF76C34AF75
Content-Length:, xrefs: 00007FF76C34AF9B
Transfer-Encoding:, xrefs: 00007FF76C34AFE8
Host:, xrefs: 00007FF76C34AF29
Authorization:, xrefs: 00007FF76C34B001
%s, xrefs: 00007FF76C34B05C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$strchr$_strdup
String ID: %s$1.1$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:
API String ID: 1922034842-2519073162
Opcode ID: b632471b7bfe1b8db0ec65ac282cd283094596eff89572a7bbe89724531a34d2
Instruction ID: 17b24b43e67f9a8afba8eb5967c8539ee9a52793b940cee9c59040e328604f84
Opcode Fuzzy Hash: b632471b7bfe1b8db0ec65ac282cd283094596eff89572a7bbe89724531a34d2
Instruction Fuzzy Hash: 6291CC61A0D682C5FB61AA139D00BB9F790AF05B87FC48039DA5D4F695EF2DE5488332

Function 00007FF76C370E51 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C370E82
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371349
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371389
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37139C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3714FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371538

Strings

TRUE, xrefs: 00007FF76C370E74
Signature, xrefs: 00007FF76C37131F
Signature: %s, xrefs: 00007FF76C371337
FALSE, xrefs: 00007FF76C370E6D
-----END CERTIFICATE-----, xrefs: 00007FF76C371487
Cert, xrefs: 00007FF76C37150E
%s, xrefs: 00007FF76C371526
-----BEGIN CERTIFICATE-----, xrefs: 00007FF76C3713DC

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Signature: %s$%s$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$Cert$FALSE$Signature$TRUE
API String ID: 111713529-3006446216
Opcode ID: 5e5fd73917bfed335e978ba5693303ace8c963d875601bf886e273a219d58a4f
Instruction ID: b14d2e86046e2dca9a4c25d9749098304d51de8950ab69a5cc943c3f59d1f2ea
Opcode Fuzzy Hash: 5e5fd73917bfed335e978ba5693303ace8c963d875601bf886e273a219d58a4f
Instruction Fuzzy Hash: 0A71E7A7E0D7C1C5FB11AB2690516B9BBA0EF4674AFD8407ACA8E03751DE2CD449C336

Function 00007FF76C36AEC0 Relevance: 24.2, APIs: 14, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36AF82
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36AFBA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36AFCD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B001
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B00C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B0C2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B0CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B0D6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B1C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B1CA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B1D5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B24B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B254
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36B25F

Part of subcall function 00007FF76C36B650: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C36D53A,?,?,00000000,00007FF76C369F75,?,?,?,00007FF76C33B3FA), ref: 00007FF76C36B660
Part of subcall function 00007FF76C36B650: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C36D53A,?,?,00000000,00007FF76C369F75,?,?,?,00007FF76C33B3FA), ref: 00007FF76C36B671
Part of subcall function 00007FF76C36B650: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C36D53A,?,?,00000000,00007FF76C369F75,?,?,?,00007FF76C33B3FA), ref: 00007FF76C36B683

Strings

WDigest, xrefs: 00007FF76C36AF6C, 00007FF76C36B084
DIGEST-MD5 handshake failure (empty challenge message), xrefs: 00007FF76C36B26C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: DIGEST-MD5 handshake failure (empty challenge message)$WDigest
API String ID: 2190258309-1086287758
Opcode ID: fe064cbe4e5935a4964878d0c04b49044c0648fa1a26e6cb31ad0e121d9d0226
Instruction ID: 406ac9acdfcdc551ab587983faf12c5f6868475d5b63b90034b5811aeb3d88b5
Opcode Fuzzy Hash: fe064cbe4e5935a4964878d0c04b49044c0648fa1a26e6cb31ad0e121d9d0226
Instruction Fuzzy Hash: 1DB17072A09B42C6EB50AB27E8806ADB7B0FB48B99F800039DE4D57B54DF3CD549CB51

Function 00007FF76C371C10 Relevance: 24.2, APIs: 1, Strings: 15, Instructions: 179COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371D23

Strings

RSA Public Key, xrefs: 00007FF76C371D0F
rsa(e), xrefs: 00007FF76C371D5B
dhpublicnumber, xrefs: 00007FF76C371E46
rsa(n), xrefs: 00007FF76C371D30
dsa, xrefs: 00007FF76C371D85
dsa(pub_key), xrefs: 00007FF76C371E32
rsaEncryption, xrefs: 00007FF76C371C55
%lu, xrefs: 00007FF76C371CF8
dh(pub_key), xrefs: 00007FF76C371EC6
RSA Public Key (%lu bits), xrefs: 00007FF76C371CDE
dh(g), xrefs: 00007FF76C371EB0
dsa(g), xrefs: 00007FF76C371E1C
dsa(p), xrefs: 00007FF76C371DBD
dsa(q), xrefs: 00007FF76C371DEC
dh(p), xrefs: 00007FF76C371E7F

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: RSA Public Key (%lu bits)$%lu$RSA Public Key$dh(g)$dh(p)$dh(pub_key)$dhpublicnumber$dsa$dsa(g)$dsa(p)$dsa(pub_key)$dsa(q)$rsa(e)$rsa(n)$rsaEncryption
API String ID: 1294909896-1220118048
Opcode ID: c8939b9a31850f9bbc219c3703b908ed85a4c5248cfd8eadb0983f64d119b1ef
Instruction ID: 08b6b2207914d0428fa1bddbd4020066abd2ac97f441261923406aa12e130aae
Opcode Fuzzy Hash: c8939b9a31850f9bbc219c3703b908ed85a4c5248cfd8eadb0983f64d119b1ef
Instruction Fuzzy Hash: 0E719062A08B82C1EA25FB5391619F9B391FF8ABC5FC4403AED4D03789DE3CD505C662

Function 00007FF76C351C40 Relevance: 22.7, APIs: 15, Instructions: 160COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,00007FF76C351EF6), ref: 00007FF76C351C5B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C351C7B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C351C9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C351CA5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdupmalloc
String ID:
API String ID: 111713529-0
Opcode ID: 59445d0a83eb10703d2531457c3031a4930f1781522a2d573ceddfd4c256b715
Instruction ID: 2a387d7f23405006ed671ad828f4d36abd1febab132252e1a351ba6555d4eeb4
Opcode Fuzzy Hash: 59445d0a83eb10703d2531457c3031a4930f1781522a2d573ceddfd4c256b715
Instruction Fuzzy Hash: 16616B76A09B41C2EA65EF12E444969B7B4FF48B92B854039CF4E43750EF3CE898C751

Function 00007FF76C35AD60 Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 279COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35AE80

Strings

ABOR, xrefs: 00007FF76C35AF7B
server did not report OK, got %d, xrefs: 00007FF76C35B0EE
partial download completed, closing connection, xrefs: 00007FF76C35B0B3
No data was received!, xrefs: 00007FF76C35B1BC
control connection looks dead, xrefs: 00007FF76C35B072
Failure sending ABOR command: %s, xrefs: 00007FF76C35AFA1
Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 00007FF76C35B156
Received only partial file: %I64d bytes, xrefs: 00007FF76C35B18E
Remembering we are in dir "%s", xrefs: 00007FF76C35AF18

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: ABOR$Failure sending ABOR command: %s$No data was received!$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
API String ID: 1294909896-2312071747
Opcode ID: c6071a72ecdd265040bc78c05ad51c5bf2b018dc7c54eb9651d3a9928b24266d
Instruction ID: adfa86f96f073b926ba7ac97c8b74a80610544c141527a02152ffd335fdd2d14
Opcode Fuzzy Hash: c6071a72ecdd265040bc78c05ad51c5bf2b018dc7c54eb9651d3a9928b24266d
Instruction Fuzzy Hash: 97D1C461A0C686C5EA64BB329550BB9FA50FF45396FC00239DB6E0B6C2DF7CE4449372

Function 00007FF76C333F70 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 161fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333FDD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333FFD
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C334031
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C334052
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C334075
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C334086
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C3340A8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33415F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C334174

Strings

none, xrefs: 00007FF76C333FF2
Set-Cookie:, xrefs: 00007FF76C3340E6
ignoring failed cookie_init for %s, xrefs: 00007FF76C3340B2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: Set-Cookie:$ignoring failed cookie_init for %s$none
API String ID: 4109794434-4095489131
Opcode ID: c741b65d53c61d4e980e3ecfad5369e6e0788e9c97940574e1061d66af24bd58
Instruction ID: c0a2fe7013be2ade68c94d0e6fea34eca52470e60f10536a4dff1d24364a8bd0
Opcode Fuzzy Hash: c741b65d53c61d4e980e3ecfad5369e6e0788e9c97940574e1061d66af24bd58
Instruction Fuzzy Hash: 0061D721E0DBC2C1EA50AB23D505AB9BB94BF56B86FC84038DE8D07795DF3ED4059362

Function 00007FF76C329BF0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76C329C12
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329C1A
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329C39
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329C45
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C329C54
strrchr.VCRUNTIME140 ref: 00007FF76C329CA5
strrchr.VCRUNTIME140 ref: 00007FF76C329CC6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329CDF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329CEA
GetLastError.KERNEL32 ref: 00007FF76C329CF3
SetLastError.KERNEL32 ref: 00007FF76C329CFF

Strings

Unknown error %d (%#x), xrefs: 00007FF76C329C87

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_nerrstrerrorstrncpy
String ID: Unknown error %d (%#x)
API String ID: 4262108436-2414550090
Opcode ID: 7835c0da5a7f6f6b75ee3b1f093b2fc2dc03dd2039c79966addc4d66b7e5ec91
Instruction ID: 4dd1ac626ee16c37891bd92406a250d0256b1ca28afc72a24d942529d61597f8
Opcode Fuzzy Hash: 7835c0da5a7f6f6b75ee3b1f093b2fc2dc03dd2039c79966addc4d66b7e5ec91
Instruction Fuzzy Hash: 75318D61A08752C6FE157F23A815679F6A1AF86B86F88043DCE4E0B795DE3CE4018732

Function 00007FF76C36DB80 Relevance: 19.8, APIs: 8, Strings: 5, Instructions: 266COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36DBF5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36DC16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36DC31
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36DC3F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36DCC6
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36DD15
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36DD76
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36DEFC

Strings

CompleteAuthToken failed: %s, xrefs: 00007FF76C36DF57
InitializeSecurityContext failed: %s, xrefs: 00007FF76C36DF1A
SPNEGO handshake failure (empty challenge message), xrefs: 00007FF76C36DDC6
HTTP, xrefs: 00007FF76C36DB80
Negotiate, xrefs: 00007FF76C36DB84, 00007FF76C36DC8C, 00007FF76C36DD33

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$calloc$malloc
String ID: CompleteAuthToken failed: %s$HTTP$InitializeSecurityContext failed: %s$Negotiate$SPNEGO handshake failure (empty challenge message)
API String ID: 3103867982-1477229593
Opcode ID: 27d9c10037ddf4088466da6341d33baf144ae8f5d3b01d9b706f534e7aa47616
Instruction ID: 773f3080e964296f226a2cc1fcdffb16df529186ac381cb892e5fccb69c4541e
Opcode Fuzzy Hash: 27d9c10037ddf4088466da6341d33baf144ae8f5d3b01d9b706f534e7aa47616
Instruction Fuzzy Hash: A0C18A72A09B41C6EB10EF26E4406ACB7B4FB48B89F90003ADE4D97B58DF38D845C791

Function 00007FF76C36FA60 Relevance: 19.7, APIs: 5, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36FB13
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36FB79
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36FB9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36FBFC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36FC6C

Strings

TRUE, xrefs: 00007FF76C36FCD1
Issuer: %s, xrefs: 00007FF76C36FBEA
%2d Subject: %s, xrefs: 00007FF76C36FB64
Subject, xrefs: 00007FF76C36FB4A
Issuer, xrefs: 00007FF76C36FBD0
Version: %lu (0x%lx), xrefs: 00007FF76C36FC7E
%lx, xrefs: 00007FF76C36FC3C
Version, xrefs: 00007FF76C36FC57

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: Issuer: %s$ Version: %lu (0x%lx)$%2d Subject: %s$%lx$Issuer$Subject$TRUE$Version
API String ID: 2190258309-1457932261
Opcode ID: 487756b31ff12c1712ac9d65f99dc5b4cddb0488aa562ff7160057ed26db9bf7
Instruction ID: 5976e8c2355dda42d432291e1e833519e81fa5d35ec078acfbe6133bdd6f4e55
Opcode Fuzzy Hash: 487756b31ff12c1712ac9d65f99dc5b4cddb0488aa562ff7160057ed26db9bf7
Instruction Fuzzy Hash: 9B61B062A097C2C1EB11AB279458BF9B3A1BF49795F84053ACD1E17795DF3CE045C322

Function 00007FF76C3630B0 Relevance: 19.7, APIs: 4, Strings: 9, Instructions: 151stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF76C36311B
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C363245

Part of subcall function 00007FF76C32F690: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C339C90), ref: 00007FF76C32F6B7
Part of subcall function 00007FF76C32F690: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C339C90), ref: 00007FF76C32F6C3

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3631FF

Part of subcall function 00007FF76C32F5F0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32F600

Strings

TTYPE, xrefs: 00007FF76C3631D5
NEW_ENV, xrefs: 00007FF76C363261
Unknown telnet option %s, xrefs: 00007FF76C36333D
XDISPLOC, xrefs: 00007FF76C36321B
USER,%s, xrefs: 00007FF76C363140
%hu%*[xX]%hu, xrefs: 00007FF76C3632C9
BINARY, xrefs: 00007FF76C3632EE
Syntax error in telnet option: %s, xrefs: 00007FF76C363356
%127[^= ]%*[ =]%255s, xrefs: 00007FF76C3631C0

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freestrncpy$_strdupmemset
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 3826632026-748038847
Opcode ID: 5c4c5efeb709bc279ff3fef4cd355d0e0eb1053cf8fb5e78e2b6ebfcf8a075db
Instruction ID: 16ee4ce013dc4563f8967fd588e18c9511b70eefe3efc85e4a5ef0a65cedaa68
Opcode Fuzzy Hash: 5c4c5efeb709bc279ff3fef4cd355d0e0eb1053cf8fb5e78e2b6ebfcf8a075db
Instruction Fuzzy Hash: 30717B32A0CAC2D4EB61AF12D541BE9B3A0FF85785FC4403AEA8D57254EF38D545C762

Function 00007FF76C365933 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 291COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C365A33

Strings

%I64d, xrefs: 00007FF76C365AC6
%s%c%s%c, xrefs: 00007FF76C365A4A
blksize, xrefs: 00007FF76C365C08
TFTP file name too long, xrefs: 00007FF76C365A1F
TFTP buffer too small for options, xrefs: 00007FF76C365B2F, 00007FF76C365C78
tsize, xrefs: 00007FF76C365B42
timeout, xrefs: 00007FF76C365CF5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %I64d$%s%c%s%c$TFTP buffer too small for options$TFTP file name too long$blksize$timeout$tsize
API String ID: 1294909896-3837278924
Opcode ID: 31af0c23b1c83e95bb4df4e5cc642392c2e180e1a70c236c58b594a03b6466c0
Instruction ID: fc552e6ae084d9741426156f0ed7d143c7c518500f753138e818a983b5950f9d
Opcode Fuzzy Hash: 31af0c23b1c83e95bb4df4e5cc642392c2e180e1a70c236c58b594a03b6466c0
Instruction Fuzzy Hash: F2D1AF72A08A82C1EB11DF26D0807B9BBA1FB45B8AFC58136CA4E57786DF7CD505C321

Function 00007FF76C363BE0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 180networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF76C363DDC
WSAGetLastError.WS2_32 ref: 00007FF76C363DEE
send.WS2_32 ref: 00007FF76C363EE6
WSAGetLastError.WS2_32 ref: 00007FF76C363EF0

Strings

%c%s%c%s, xrefs: 00007FF76C363D80
%c%c%c%c, xrefs: 00007FF76C363CBD
%127[^,],%127s, xrefs: 00007FF76C363D48
#, xrefs: 00007FF76C363E5E
Sending data failed (%d), xrefs: 00007FF76C363DF4, 00007FF76C363EF6
%c%c, xrefs: 00007FF76C363DB8
%c%c%c%c%s%c%c, xrefs: 00007FF76C363EBF

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastsend
String ID: #$%127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s%c%s$Sending data failed (%d)
API String ID: 1802528911-931584821
Opcode ID: 98570612f845681cb8316dc2d0c57f7f06436b9f54ffb9af636fe21cdc89713c
Instruction ID: 84e16ab3900de025fef70d6d0402a76c11eec608626972e59b651e43e783c6af
Opcode Fuzzy Hash: 98570612f845681cb8316dc2d0c57f7f06436b9f54ffb9af636fe21cdc89713c
Instruction Fuzzy Hash: 5191AC22A08AC1D5F721AF26E405BEAB3B0FB847A9F840235EE5907A85DF3DD145C751

Function 00007FF76C365590 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF76C365708
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF76C365723
sendto.WS2_32 ref: 00007FF76C36578A
sendto.WS2_32 ref: 00007FF76C365841
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF76C365879

Strings

Received last DATA packet block %d again., xrefs: 00007FF76C3657D5
Received unexpected DATA packet block %d, expecting block %d, xrefs: 00007FF76C365881
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF76C365602
tftp_rx: internal error, xrefs: 00007FF76C3655DE

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: sendto$_time64
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 2327272419-1785996722
Opcode ID: a739396e22cd55185f4be898eb8fd48355b2566d1c1e031c5d5e86705a1defe6
Instruction ID: e4748b52ebc628f5b81150dc3abe2eb4e0d4c47724a551f3e2aa52f2ebd1cfd8
Opcode Fuzzy Hash: a739396e22cd55185f4be898eb8fd48355b2566d1c1e031c5d5e86705a1defe6
Instruction Fuzzy Hash: E4915C32608781C6D711DF2AD440BA9BBB0FB88F89F95813ADA4D4B769DF39D406C721

Function 00007FF76C33DD50 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DD8D
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DE0F
strchr.VCRUNTIME140 ref: 00007FF76C33DE8E
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C33DEBC
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DEDD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DEEF

Strings

Invalid IPv6 address format, xrefs: 00007FF76C33DE77
%25, xrefs: 00007FF76C33DE05
Please URL encode %% as %%25, see RFC 6874., xrefs: 00007FF76C33DE19
No valid port number in connect to host string (%s), xrefs: 00007FF76C33DF1B

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdup$freestrchrstrncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 2070079882-2404041592
Opcode ID: 0db6145b29768de6e00a555748d2aafb62e82f84911b03186957fec727471a82
Instruction ID: fb820b17dc1bbb20215c89b59502cafa0629f4ffcb341603a35b6ceda61034eb
Opcode Fuzzy Hash: 0db6145b29768de6e00a555748d2aafb62e82f84911b03186957fec727471a82
Instruction Fuzzy Hash: FF513621A0D6C2C5FB52BB27D860B75BBD1AF15B96FC84039DA4D0B2C5EE2CE445C322

Function 00007FF76C333D60 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 143fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333D9E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C333DBE
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C333DF0
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C333E0D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333E2B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333E3C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C333E5C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76C32B980), ref: 00007FF76C333F0F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF76C32B980), ref: 00007FF76C333F25

Strings

none, xrefs: 00007FF76C333DB3
Set-Cookie:, xrefs: 00007FF76C333E96

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: Set-Cookie:$none
API String ID: 4109794434-3629594122
Opcode ID: 017d048edd16c6ec0247f245313d718386d122e255efc9ac15ff4b89fa50d49c
Instruction ID: e73c6960482e7e7f6a3362f3e888a020c694c62bfe5729be836a508b9b23199a
Opcode Fuzzy Hash: 017d048edd16c6ec0247f245313d718386d122e255efc9ac15ff4b89fa50d49c
Instruction Fuzzy Hash: 1D518B22A0D7C2C1FA95A7139550A79F6A0AF45B86FC48438DE4E077D1DF3CE4478762

Function 00007FF76C344D60 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C3450F6

Strings

Unable to allocate trailing headers buffer !, xrefs: 00007FF76C344DD3
%zx%s, xrefs: 00007FF76C345017
Signaling end of chunked upload via terminating chunk., xrefs: 00007FF76C34508A
Read callback asked for PAUSE when not supported!, xrefs: 00007FF76C344F59
operation aborted by trailing headers callback, xrefs: 00007FF76C344EED
Signaling end of chunked upload after trailers., xrefs: 00007FF76C345140
operation aborted by callback, xrefs: 00007FF76C344ECD
Successfully compiled trailers., xrefs: 00007FF76C344E3A
read function returned funny value, xrefs: 00007FF76C344F9B
Moving trailers state machine from initialized to sending., xrefs: 00007FF76C344DA1

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove
String ID: %zx%s$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$Unable to allocate trailing headers buffer !$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
API String ID: 2162964266-1652449680
Opcode ID: 15b28ee0dc7afdc99876186d2639be1097c43ea825e2f286f394cd46f71f9380
Instruction ID: ed333513a6a56e6da2f11f546bf9525cda828138785ba82e7167652f1c2af33d
Opcode Fuzzy Hash: 15b28ee0dc7afdc99876186d2639be1097c43ea825e2f286f394cd46f71f9380
Instruction Fuzzy Hash: 6EA18336A08A82C1E750EF22D840BF9B350EF45B9AF848139DD5E4F295DE7CE449C362

Function 00007FF76C356D70 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 207COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C356EA0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C356EB6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C356F19

Strings

Cannot APPEND with unknown input file size, xrefs: 00007FF76C357017
Cannot SELECT without a mailbox., xrefs: 00007FF76C356ECF
SELECT %s, xrefs: 00007FF76C356F05
Mime-Version: 1.0, xrefs: 00007FF76C356FC1
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_, xrefs: 00007FF76C356D88
Mime-Version, xrefs: 00007FF76C356FA6
APPEND %s (\Seen) {%I64d}, xrefs: 00007FF76C35704D
Cannot APPEND without a mailbox., xrefs: 00007FF76C356F44

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_$APPEND %s (\Seen) {%I64d}$Cannot APPEND with unknown input file size$Cannot APPEND without a mailbox.$Cannot SELECT without a mailbox.$Mime-Version$Mime-Version: 1.0$SELECT %s
API String ID: 1294909896-3146291949
Opcode ID: 29a20cc696259e2f022ba711c8fc5fc43b02f55b293fb6f7c1f8397749bff4f3
Instruction ID: a9c4b037430fdd41b988b0905cee203f96d9c7e1e5d5d14dcd6ce80c90ca0ab7
Opcode Fuzzy Hash: 29a20cc696259e2f022ba711c8fc5fc43b02f55b293fb6f7c1f8397749bff4f3
Instruction Fuzzy Hash: BB919221B09A82C5EA64AB23D590BB9B7E4EF45786FC4403DDB4E87785DF2CE4448362

Function 00007FF76C3209E0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C31FEB0: memmove.VCRUNTIME140 ref: 00007FF76C31FEE1

Part of subcall function 00007FF76C325AB0: memmove.VCRUNTIME140 ref: 00007FF76C325C6A

memmove.VCRUNTIME140 ref: 00007FF76C320AA3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C320C07
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C320C5A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C320CAB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C320CEA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C320D39
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C320D78
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C320DF5

Strings

parse error, xrefs: 00007FF76C320A99, 00007FF76C320AB9
parse_error, xrefs: 00007FF76C320A41

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: parse error$parse_error
API String ID: 15630516-1820534363
Opcode ID: 8957c1c4e1c2b83c3f31169acd024aeb7252b41b26b3387584ab1cd50cd49b87
Instruction ID: f0c440b13fa2e92caed682ad38738db1ec670de96e108f6588edadd2893d5e94
Opcode Fuzzy Hash: 8957c1c4e1c2b83c3f31169acd024aeb7252b41b26b3387584ab1cd50cd49b87
Instruction Fuzzy Hash: 95C1C172A18B85C5EB00EB26D44576DB721FB857A8F804239EA6D07BE5DF7CE084C311

Function 00007FF76C33AED0 Relevance: 17.6, APIs: 14, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AF4D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AF6A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AF7E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AF9A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AFB7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AFDA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33AFEE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B002
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B028
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B03C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B050
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B09F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B0AC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33B555), ref: 00007FF76C33B0D5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 478daf218b1f896e38bb4ca9f995d36e0b085d091a18a161c911cd5f318e8abe
Instruction ID: 3af50a38e48756302eb8420335a6b0490aa68eefb0e7111298c82df4a68c24d3
Opcode Fuzzy Hash: 478daf218b1f896e38bb4ca9f995d36e0b085d091a18a161c911cd5f318e8abe
Instruction Fuzzy Hash: 8B51EE75A09A81C1EB44BF22D8916FDB7A0EF88F96F884039DE0E4B755CE3994498371

Function 00007FF76C356A40 Relevance: 16.7, APIs: 5, Strings: 6, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C355410: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF76C33D36F), ref: 00007FF76C35543E

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C356CDE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C356CE8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C356D43
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C356D4D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C356D5A

Strings

SECTION, xrefs: 00007FF76C356C58
UID, xrefs: 00007FF76C356BD6
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_, xrefs: 00007FF76C356A48
PARTIAL, xrefs: 00007FF76C356C96
MAILINDEX, xrefs: 00007FF76C356C17
UIDVALIDITY, xrefs: 00007FF76C356B95

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_$MAILINDEX$PARTIAL$SECTION$UID$UIDVALIDITY
API String ID: 2190258309-1670639106
Opcode ID: 02b77d5e6935b5c7a31a4f020e58492768025473db3337dfa4a92050bc84e8a5
Instruction ID: 1af256dcc8b1f89d437d54eefe56db65b05f791bd6d26e44eda079a9bf558d99
Opcode Fuzzy Hash: 02b77d5e6935b5c7a31a4f020e58492768025473db3337dfa4a92050bc84e8a5
Instruction Fuzzy Hash: FBA17362909A86C5EB50AF23D550BB8BFB0EB44785FC45039DB4E87B85DF38E495C322

Function 00007FF76C368581 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36848B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3684F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3684FF
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3685FD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C368666
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36867E

Part of subcall function 00007FF76C3675D0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3675E0

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3686A6
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3686BD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3686E2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36872F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C368744

Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C36888C
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C368896
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688A0
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688AA
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688B4
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688BE
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688C8
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688D2
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688DC
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688E6
Part of subcall function 00007FF76C368880: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688F0

Strings

,, xrefs: 00007FF76C3685C4
:, xrefs: 00007FF76C3685A7

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$calloc$_strdup
String ID: ,$:
API String ID: 2460172880-4193410690
Opcode ID: 191a193e223222a0de7a5df7a0ca04a47fec74119bf7e16bd5ea21dbbb06f29f
Instruction ID: 2caa43d0d553f740228e30ad379b55984045660b79192f2243a5d907aaac3b17
Opcode Fuzzy Hash: 191a193e223222a0de7a5df7a0ca04a47fec74119bf7e16bd5ea21dbbb06f29f
Instruction Fuzzy Hash: FD51B452E0D686C2F721AB3795006B9B360BF5A789F859139CF8E21652EF2CF5C48353

Function 00007FF76C336890 Relevance: 16.6, APIs: 11, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF76C3368D7
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF76C3368E7
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3368FE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33697A
strrchr.VCRUNTIME140 ref: 00007FF76C336997
strrchr.VCRUNTIME140 ref: 00007FF76C3369A7
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3369D7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3369E3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3369F2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C336A03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C336A19

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdup$free$strrchr$_access_stat64
String ID:
API String ID: 2557200964-0
Opcode ID: 8415e43d844da1d1ae3a42dabc1986ed7e08fe7686cfa6c9b0dd07b624fc7d84
Instruction ID: ac03dbcfe561c7af666086abbbf45bc51c659a901b1bf873f1cba724c73e6e18
Opcode Fuzzy Hash: 8415e43d844da1d1ae3a42dabc1986ed7e08fe7686cfa6c9b0dd07b624fc7d84
Instruction Fuzzy Hash: 51415461709B42C9FA50AB13E490A75B2B0FF48B92F844138DE5E87791EF3CE4558721

Function 00007FF76C33BBC0 Relevance: 16.4, APIs: 13, Instructions: 164stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF76C33BBF8
strchr.VCRUNTIME140 ref: 00007FF76C33BC1F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BCD4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BCFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BD1B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BD2C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BD35
memmove.VCRUNTIME140 ref: 00007FF76C33BD53
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BD67
memmove.VCRUNTIME140 ref: 00007FF76C33BD84
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BD99
memmove.VCRUNTIME140 ref: 00007FF76C33BDB1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33BDC6

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$mallocmemmove$strchr
String ID:
API String ID: 666779114-0
Opcode ID: 37c2857792015e2703bb74e976d0383ffc375ac6723a0de92d407b196625c29f
Instruction ID: 1a018dde50b97184474a9cd259d303f74506d45685518f690098ce33ce065fc8
Opcode Fuzzy Hash: 37c2857792015e2703bb74e976d0383ffc375ac6723a0de92d407b196625c29f
Instruction Fuzzy Hash: E751A025B0ABC5C1EA65AF17E500A79F294BF84BC9F884538DE4E4B744EF3CE8058321

Function 00007FF76C33DAE0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DB24
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DB38
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DB5C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DB69
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DB92
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DB9F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DBD0
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DBDD

Strings

Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF76C33DC69

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdup
String ID: Couldn't find host %s in the .netrc file; using defaults
API String ID: 2653869212-3983049644
Opcode ID: 4d1e6b0f68293bb7fe892e01b5799d75cda67b82eb617e7538b18242f9299537
Instruction ID: f1e050d36a61e0a58e0cddbbc727b513b52c0fd79554d6160b39e35169f6cd4b
Opcode Fuzzy Hash: 4d1e6b0f68293bb7fe892e01b5799d75cda67b82eb617e7538b18242f9299537
Instruction Fuzzy Hash: 4C71C221A29BC2C6EB65AB26D454BA9B7A0FF84786F440039DB4D47390DF7DE854C322

Function 00007FF76C33DA88 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DB24
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DB38
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DB5C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DB69
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DB92
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DB9F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33DBD0
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33DBDD

Strings

Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF76C33DC69

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdup
String ID: Couldn't find host %s in the .netrc file; using defaults
API String ID: 2653869212-3983049644
Opcode ID: 7bf59007d463cf5a9d5fc79b1630f18c9d65b001c381e53cd09b4e649f9bc08c
Instruction ID: d85c5b7d70da50ca67ffe665e20c1a3157daf348f4d676d0cf492b5cfce73097
Opcode Fuzzy Hash: 7bf59007d463cf5a9d5fc79b1630f18c9d65b001c381e53cd09b4e649f9bc08c
Instruction Fuzzy Hash: 4551E462A19BC2C6E755AB26D4547ADB7B0FB84B86F454039CB4D43350DF7CE454C322

Function 00007FF76C35D920 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

Strings

NLST, xrefs: 00007FF76C35DA1B
%s%s%s, xrefs: 00007FF76C35DA45
Couldn't set desired mode, xrefs: 00007FF76C35D93E
LIST, xrefs: 00007FF76C35DA22
Got a %03d response code instead of the assumed 200, xrefs: 00007FF76C35D960

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST
API String ID: 0-1262176364
Opcode ID: 2f331b1f740c486ac4bbee9f459dc41859cce29cd31bde03c17c654d2e876e61
Instruction ID: 00ce3d1319ffb71159bebdcd076ffdf62a7e3e95f2afb50c87cbb0de2c1ddad6
Opcode Fuzzy Hash: 2f331b1f740c486ac4bbee9f459dc41859cce29cd31bde03c17c654d2e876e61
Instruction Fuzzy Hash: 3141D426B0D682C5FB14BB17E6809BAF760AF44B92FC44039DB4E07651DF7CE9448762

Function 00007FF76C37081E Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C370852
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Strings

TRUE, xrefs: 00007FF76C370840
Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
Expire Date: %s, xrefs: 00007FF76C370D37
FALSE, xrefs: 00007FF76C370847
Expire Date, xrefs: 00007FF76C370D1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdup
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$FALSE$Public Key Algorithm$TRUE
API String ID: 2653869212-571364039
Opcode ID: 53394fd86cc2f81c5ef2061a62f0e4f3ca19e482debb28b2988e149469eb7063
Instruction ID: 141a31a31236fce0dbd434b1a704b8cc35b8f50a6c07559e5e15dffc0d0184c3
Opcode Fuzzy Hash: 53394fd86cc2f81c5ef2061a62f0e4f3ca19e482debb28b2988e149469eb7063
Instruction Fuzzy Hash: 4441BD66A087C2C4EB11AB639545AF9B760BB0A78AFC80439DE4E1B755DF3CE044C326

Function 00007FF76C329D30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF76C329D4C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329D54
FormatMessageA.KERNEL32 ref: 00007FF76C329D8E
strchr.VCRUNTIME140 ref: 00007FF76C329DA3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329DEC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329DF6
GetLastError.KERNEL32 ref: 00007FF76C329DFE
SetLastError.KERNEL32 ref: 00007FF76C329E0A

Strings

Unknown error %u (0x%08X), xrefs: 00007FF76C329DDA

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchr
String ID: Unknown error %u (0x%08X)
API String ID: 1897771742-1058733786
Opcode ID: e39e39cea46f1d575da9a0d4c5f6be07848d54757560fa3e54bbb459c6790418
Instruction ID: 0c1d97e9d4630a84f10ee325e27f79fc84df3da12e53ae25f2fe605cc6b91437
Opcode Fuzzy Hash: e39e39cea46f1d575da9a0d4c5f6be07848d54757560fa3e54bbb459c6790418
Instruction Fuzzy Hash: FA219332A0C782C6EB216F23A405A2AFAA0AF95BD6F844438CE4D07754CE3CE4408776

Function 00007FF76C360B40 Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C360D98

Part of subcall function 00007FF76C33F7A0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,FFFFFFFF,00007FF76C34A9E5,?,?,00000000,00007FF76C34AD45), ref: 00007FF76C33F7B5
Part of subcall function 00007FF76C33F7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,FFFFFFFF,00007FF76C34A9E5,?,?,00000000,00007FF76C34AD45), ref: 00007FF76C33F7CB

memmove.VCRUNTIME140 ref: 00007FF76C360BB8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C360D09
memmove.VCRUNTIME140 ref: 00007FF76C360DD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C360DDE

Strings

Got an error writing an RTP packet, xrefs: 00007FF76C360CEB
Cannot pause RTP, xrefs: 00007FF76C360CDC
Failed writing RTP data, xrefs: 00007FF76C360CD3

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$memmove$realloc
String ID: Cannot pause RTP$Failed writing RTP data$Got an error writing an RTP packet
API String ID: 1952216613-1165944077
Opcode ID: e1aa8db3ee0169baacf5268ea3da9d393f745f783bc48944b6770cead240aa2e
Instruction ID: de557a23efb3680fbfb9f4089a9fd829b1e906d55f70fddba14c7989e4fb7b73
Opcode Fuzzy Hash: e1aa8db3ee0169baacf5268ea3da9d393f745f783bc48944b6770cead240aa2e
Instruction Fuzzy Hash: 8471AD22B09BC5C6EA58EB23D401BA9B7A4FB49B81F854139DE9D47750EF3CE460C311

Function 00007FF76C333115 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33315A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C33317A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3331CB

Part of subcall function 00007FF76C3349E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3349E6

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3332D1

Strings

Added, xrefs: 00007FF76C33356D
Replaced, xrefs: 00007FF76C333561
FALSE, xrefs: 00007FF76C3332AB
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF76C333577

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 1169197092-2292467869
Opcode ID: 0604ac387c47867efe6ecd100851125aefa0580466ae69b23f0e88760cce4a05
Instruction ID: 2d7d2b8e1e166b5ef06e3de39f75665431ef81253478c5ea553ad6e987f442dc
Opcode Fuzzy Hash: 0604ac387c47867efe6ecd100851125aefa0580466ae69b23f0e88760cce4a05
Instruction Fuzzy Hash: 8191B22190D7C2C5FBB1AB13D544B79B7E0EF05756FC88139CA8E47691EE2CE4868322

Function 00007FF76C34B840 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 181COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C34B90C

Strings

Basic, xrefs: 00007FF76C34BA01
NTLM, xrefs: 00007FF76C34B93C
Authentication problem. Ignoring this., xrefs: 00007FF76C34BA4D
Ignoring duplicate digest auth header., xrefs: 00007FF76C34B9BD
Bearer, xrefs: 00007FF76C34BA28
Digest, xrefs: 00007FF76C34B9A4
Negotiate, xrefs: 00007FF76C34B8B6

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdup
String ID: Authentication problem. Ignoring this.$Basic$Bearer$Digest$Ignoring duplicate digest auth header.$NTLM$Negotiate
API String ID: 1169197092-907567932
Opcode ID: f200e0fbc4da2265812e5dff5ffd755b78f680c6d77b3d3a302b0ae15985897f
Instruction ID: 030e30609702225c394ef116b42819f765c6a80b93c63942e42e9b3f51467e9f
Opcode Fuzzy Hash: f200e0fbc4da2265812e5dff5ffd755b78f680c6d77b3d3a302b0ae15985897f
Instruction Fuzzy Hash: A871C57190C682C6FB14AA279941A7DF6D1AB0178AFC4C03CDA9A4E6D1DF2CE51D8732

Function 00007FF76C311E70 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C3156F0: memmove.VCRUNTIME140(?,?,?,?,?,?,?,00007FF76C31118E), ref: 00007FF76C3157DF
Part of subcall function 00007FF76C3156F0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C315803

Part of subcall function 00007FF76C3156F0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF76C31118E), ref: 00007FF76C3157B9

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF76C3119C5), ref: 00007FF76C3120F7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF76C3119C5), ref: 00007FF76C3120FE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF76C3119C5), ref: 00007FF76C312105
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF76C3119C5), ref: 00007FF76C31210C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00000000,?,0000006E00000006,00000000,00000000,00000000,00007FF76C3119C5), ref: 00007FF76C312113

Strings

valorant tpm, xrefs: 00007FF76C311EC6
1.5, xrefs: 00007FF76C311EFD
9WIvTVJa9m, xrefs: 00007FF76C311EDD

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskmemmove
String ID: 1.5$9WIvTVJa9m$valorant tpm
API String ID: 1322690092-3997688753
Opcode ID: c11c69f48ffd987e91e4297476de64ab12b0176dac25a9b557b445d78c8f973a
Instruction ID: 9380f5c4b7f24943ee9cabb0c5bdc438081327fa4062284930761aa91787379a
Opcode Fuzzy Hash: c11c69f48ffd987e91e4297476de64ab12b0176dac25a9b557b445d78c8f973a
Instruction Fuzzy Hash: 2971A572A08785C8EA01EB16E458B7DB361FB12BC6FC14139DA4D07AA1DF7DD490C366

Function 00007FF76C33DF50 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33E02C
strchr.VCRUNTIME140 ref: 00007FF76C33E060
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C33E080
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33E104

Strings

%s%s%s, xrefs: 00007FF76C33DFEF
Connecting to port: %d, xrefs: 00007FF76C33E120
Connecting to hostname: %s, xrefs: 00007FF76C33E0DB
anonymous, xrefs: 00007FF76C33DF60

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$strchrstrtol
String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d$anonymous
API String ID: 137861075-1224060940
Opcode ID: 590598b28f8c1fbaf7895b767723792dd2f80375b8d066322f6f576a8c5a7c0e
Instruction ID: d1ace7c62d3c0333ff1b26515ee4ab8f0a28f4fd3bf8b54b078968b5db76cec2
Opcode Fuzzy Hash: 590598b28f8c1fbaf7895b767723792dd2f80375b8d066322f6f576a8c5a7c0e
Instruction Fuzzy Hash: CA51D622A09BC2D0EB31AB17E840BA9B7A0FB45B9AF844139DE9D07794CF3DD545C352

Function 00007FF76C359A30 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 135stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C359AEF
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C359B34
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C359BF0

Strings

HELP, xrefs: 00007FF76C359C25
SMTPUTF8, xrefs: 00007FF76C359A9D, 00007FF76C359BA5
%s %s%s, xrefs: 00007FF76C359AB9
VRFY %s%s%s%s, xrefs: 00007FF76C359BBE
EXPN, xrefs: 00007FF76C359A77

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfreestrpbrk
String ID: SMTPUTF8$%s %s%s$EXPN$HELP$VRFY %s%s%s%s
API String ID: 1812939018-2300960079
Opcode ID: d85e068c52626e2becebf8ba538184e34bf1e3aa1de3e62cbfebed318853bf19
Instruction ID: b635f99a4f0af3cd7c03839e12c8cfc05d8e8f0a3244e34f41ebd484eed2e0bb
Opcode Fuzzy Hash: d85e068c52626e2becebf8ba538184e34bf1e3aa1de3e62cbfebed318853bf19
Instruction Fuzzy Hash: B151B262E1DB81C1EB51EB16E440BB9BBA0EB86B85FC44139DB4E07791DF2CE545C322

Function 00007FF76C35F701 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140 ref: 00007FF76C35F713
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C35F72E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C35F75A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35F77F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35F85C

Strings

Wildcard - Parsing started, xrefs: 00007FF76C35F7F7

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdup$callocfreestrrchr
String ID: Wildcard - Parsing started
API String ID: 2641349667-2274641867
Opcode ID: ca505822f849fdc0b9fabbad51af24541adc8441d8566da4c1303b5dd021b71c
Instruction ID: 60826740abda2bf85d08558d5be59480ce58b5cf12bf405bb28a226778e24e58
Opcode Fuzzy Hash: ca505822f849fdc0b9fabbad51af24541adc8441d8566da4c1303b5dd021b71c
Instruction Fuzzy Hash: F3515032A09B42C5EB55EF12E4405B8BBA5FB88B86FC54039CB4E47354EF38E445C361

Function 00007FF76C36FCEC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C36FD13
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
FALSE, xrefs: 00007FF76C36FD08
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdup
String ID: Serial Number: %s$ Signature Algorithm: %s$FALSE$Serial Number$Signature Algorithm
API String ID: 2653869212-3672398475
Opcode ID: b19e4c9eb90a2fb6c6239b2f4bb1b50117ad651abad7024177c18b6a8718cb4d
Instruction ID: e71e0cd86c74394a2b74937c767e21391dfce160ef6b35f2f2f3b8fe8c5b6676
Opcode Fuzzy Hash: b19e4c9eb90a2fb6c6239b2f4bb1b50117ad651abad7024177c18b6a8718cb4d
Instruction Fuzzy Hash: 2341B066A097C2C4EB11AB679445AF9B7A0BF4A78AFC80439CE0E17755DF3CE044C326

Function 00007FF76C333600 Relevance: 13.8, APIs: 11, Instructions: 52COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C33362D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C333657
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C333661
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C33366B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C333675
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C33367F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C333689
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C333693
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C33369D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3336A6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C3342C9,?,?,00000000,00007FF76C33B019,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3336C1

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3afa285faba232c223ab18476255f4c04fa1794b148b09435039080cc4694a75
Instruction ID: f09713adc869ca6698ca40dc47e6aabac1704e11cbea2ba1c6f52db556cc018c
Opcode Fuzzy Hash: 3afa285faba232c223ab18476255f4c04fa1794b148b09435039080cc4694a75
Instruction Fuzzy Hash: 8A21FC7AA09A41C2D790AF12E895568B770FF88FA2F444075DE4F43724DE3CD8898751

Function 00007FF76C368880 Relevance: 13.8, APIs: 11, Instructions: 29COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C36888C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C368896
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688A0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688AA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688B4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688BE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688C8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688D2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688DC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688E6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3678B2,?,?,00000000,00007FF76C33F58B,?,?,00000000,00007FF76C33AFD3,?,?,00000000,00007FF76C33B555), ref: 00007FF76C3688F0

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f256fccd3fbba7d3d475af8563feb0cf41aa9f7cc68f0edff93953a7cebf999b
Instruction ID: 1c28e8d08df1d903849b2a4a06922d72a51b83cc0c40ea8ec53e5940dff6f90d
Opcode Fuzzy Hash: f256fccd3fbba7d3d475af8563feb0cf41aa9f7cc68f0edff93953a7cebf999b
Instruction Fuzzy Hash: 1201E76AA19901C2D744AF26D8954687770FF8CF66B401075CE0F82324EE28DC9DC791

Function 00007FF76C367C70 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 223COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C367DC5
memmove.VCRUNTIME140 ref: 00007FF76C367DE2

Strings

https, xrefs: 00007FF76C367D00
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF76C367FB2
file://%s%s%s, xrefs: 00007FF76C367CBE
file, xrefs: 00007FF76C367C8B
%%25%s], xrefs: 00007FF76C367DF2
%ld, xrefs: 00007FF76C367D2E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: mallocmemmove
String ID: %%25%s]$%ld$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 2759278013-1832275178
Opcode ID: f83ba9c6c0a59426b62aa210c43bf338795b64d1c3cf7cf804955902c77166d7
Instruction ID: 5aec222ded9b6d8cdc27fb9731d5f0db528fd9fde84cd15fa9fd380cdbe09a28
Opcode Fuzzy Hash: f83ba9c6c0a59426b62aa210c43bf338795b64d1c3cf7cf804955902c77166d7
Instruction Fuzzy Hash: 7AA18E62A09B82C4EB65AF13E500BA9B3A4FB45B85FD54139DE4D137A4DF3CE814C322

Function 00007FF76C373750 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 211COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C3737F8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C373809
memmove.VCRUNTIME140 ref: 00007FF76C373949
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3739A4
memmove.VCRUNTIME140 ref: 00007FF76C3739C1

Strings

cached response data too big to handle, xrefs: 00007FF76C373A41
response reading failed, xrefs: 00007FF76C3739E1
8, xrefs: 00007FF76C3739F3
Excessive server response line length received, %zd bytes. Stripping, xrefs: 00007FF76C373921

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove$freemalloc
String ID: 8$Excessive server response line length received, %zd bytes. Stripping$cached response data too big to handle$response reading failed
API String ID: 1763039611-1003742340
Opcode ID: 4b3eaf214663c0e15994a5d7d670ef4aa194f5f58535bc580583f53b3a9ff4c4
Instruction ID: 4ba6347c342b41787338d319887f6a72d529e743f8c1d0ed6c6aed43babe9bbf
Opcode Fuzzy Hash: 4b3eaf214663c0e15994a5d7d670ef4aa194f5f58535bc580583f53b3a9ff4c4
Instruction Fuzzy Hash: 2481E47260CB81D1DA94AB17D046BA9B7A0FB4AB81F84443ADF8E47741DF3CD4A0C365

Function 00007FF76C370B9C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 174COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370BDF
memmove.VCRUNTIME140 ref: 00007FF76C370C05
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370CD8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Strings

Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
Expire Date: %s, xrefs: 00007FF76C370D37
Expire Date, xrefs: 00007FF76C370D1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$mallocmemmove
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 1934541353-2901970132
Opcode ID: 3605ade58dd182b879f0f08e3f744ac8765769d641ba167dfb9487f9b7e14367
Instruction ID: 030f4f190da9db4fe39ebe7c59f4d02695c4eeeca06d750c423d5663c8a5938d
Opcode Fuzzy Hash: 3605ade58dd182b879f0f08e3f744ac8765769d641ba167dfb9487f9b7e14367
Instruction Fuzzy Hash: 1F611561A097C2C5EB18BB2385169F8B791AF06796F88453DCA5F0B7C5DE2CE0448336

Function 00007FF76C370026 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 169COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37005F
memmove.VCRUNTIME140 ref: 00007FF76C37008A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$mallocmemmove
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1934541353-517259162
Opcode ID: f8484b79bede0465543583ba1237f2788175fa362c04aae621cdef81670d914c
Instruction ID: 4111fbd79f0eb1541acd20af876423891281d462bf29c01adf96245da616cdbf
Opcode Fuzzy Hash: f8484b79bede0465543583ba1237f2788175fa362c04aae621cdef81670d914c
Instruction Fuzzy Hash: 50613665E093C2C5FB18A723855AAF9B7A1AF06796F84413DCA0F07B85DE3DE0448336

Function 00007FF76C36A0D0 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF76C34D878), ref: 00007FF76C36A260
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF76C34D878), ref: 00007FF76C36A297
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF76C34D878), ref: 00007FF76C36A2BE

Strings

NTLM, xrefs: 00007FF76C36A0D6
Proxy-, xrefs: 00007FF76C36A26E, 00007FF76C36A31A
HTTP, xrefs: 00007FF76C36A0E6
%sAuthorization: NTLM %s, xrefs: 00007FF76C36A278, 00007FF76C36A324

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
API String ID: 1294909896-3948863929
Opcode ID: 3471edee3426cbe981f74471daa6985c5f6dafc7be6e636632d0d46a76f0ca45
Instruction ID: 39d7daa5d808b6e1fbeafeb06570db94f88c795f00310622fc688759d62905a9
Opcode Fuzzy Hash: 3471edee3426cbe981f74471daa6985c5f6dafc7be6e636632d0d46a76f0ca45
Instruction Fuzzy Hash: 59619D32A09B85C5EBA0EF07E448BAAB7A4FB44B85F91003ADA4D47754DF3CD545C712

Function 00007FF76C3169E0 Relevance: 13.6, APIs: 9, Instructions: 131COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF76C316A45
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF76C316A65
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF76C316A75
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF76C316ABC
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF76C316AE9
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF76C316B0A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF76C316B50
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF76C316B57
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF76C316B64

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 4121003011-0
Opcode ID: d55efdaead8d4f964f3329cd71a1c3c9bc3c5ae0c5aa83b81490cba9b08d0f96
Instruction ID: 1736144b774ec62d90e70a9fa3ab5b4e9d34f4017c35d0510a12a9737483263c
Opcode Fuzzy Hash: d55efdaead8d4f964f3329cd71a1c3c9bc3c5ae0c5aa83b81490cba9b08d0f96
Instruction Fuzzy Hash: 72516D32608A41C6EB21AF5BD494A38FBB0EB85F96B55C539CE4E87B60CE3DD4428311

Function 00007FF76C360EA0 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 111stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C334A80: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C334AC4

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C360FBD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C361015
memmove.VCRUNTIME140 ref: 00007FF76C36103A

Strings

Unable to read the CSeq header: [%s], xrefs: 00007FF76C360F12
CSeq:, xrefs: 00007FF76C360EBD
Got a blank Session ID, xrefs: 00007FF76C360F67
Session:, xrefs: 00007FF76C360F2E
Got RTSP Session ID Line [%s], but wanted ID [%s], xrefs: 00007FF76C360FCE
: %ld, xrefs: 00007FF76C360EE1

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: __stdio_common_vsscanfmallocmemmovestrncmp
String ID: : %ld$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Unable to read the CSeq header: [%s]
API String ID: 4288564248-1168109407
Opcode ID: 3210e0860e4ed88976e58978891a773554cf488ac705ca43d078d8d6cafbe205
Instruction ID: 11d889b80c6bcdfb9b0a2ca69b048a0964cc66a73860b224ae8cb23c84cb5e19
Opcode Fuzzy Hash: 3210e0860e4ed88976e58978891a773554cf488ac705ca43d078d8d6cafbe205
Instruction Fuzzy Hash: 5A41DB61A086C2C1EB50AB239640AB9B7B0EF457C6FC44139EA5D5B3C5DF2CE405C736

Function 00007FF76C35F923 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 259COMMON

Download Yara Rule

APIs

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF76C35F9A7

Part of subcall function 00007FF76C35FF50: strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF76C35FF86
Part of subcall function 00007FF76C35FF50: _open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF76C35FFDB

Strings

failed to resume file:// transfer, xrefs: 00007FF76C35FD06
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s, xrefs: 00007FF76C35FB0B
Content-Length: %I64d, xrefs: 00007FF76C35FA03
Can't get the size of file., xrefs: 00007FF76C35FB89
Accept-ranges: bytes, xrefs: 00007FF76C35FA3E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _fstat64_openstrchr
String ID: Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s$failed to resume file:// transfer
API String ID: 3410096895-1509146019
Opcode ID: d9d7867e8ccf4e272d4c4b119c60ecfd43a34f53d57c01d8327b6aa61e3e4333
Instruction ID: 97add5ef755cf64d443c9e6b15dff2e679125c766d8cbff7952d0ced368c1338
Opcode Fuzzy Hash: d9d7867e8ccf4e272d4c4b119c60ecfd43a34f53d57c01d8327b6aa61e3e4333
Instruction Fuzzy Hash: 4EB19431A08782C5EA21BB23A510BBAB791FF487C6FD44039DE4D47759EE3CE4058762

Function 00007FF76C374E70 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 252stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C374F08
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C374F64
strchr.VCRUNTIME140 ref: 00007FF76C37514C
strchr.VCRUNTIME140 ref: 00007FF76C3751BA

Strings

0123456789-, xrefs: 00007FF76C3751B3
<DIR>, xrefs: 00007FF76C375090
APM0123456789:, xrefs: 00007FF76C375145

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strchr$mallocrealloc
String ID: 0123456789-$<DIR>$APM0123456789:
API String ID: 359134164-4291660576
Opcode ID: 804a13a2bd57bd790e79ecebc12e878e8b6444001c93cce5a5cb3f15121d3ee2
Instruction ID: e81083ed855a0a9f512b5321d8109e5230440c0923c2a257e5b9bd16d3e3d2dc
Opcode Fuzzy Hash: 804a13a2bd57bd790e79ecebc12e878e8b6444001c93cce5a5cb3f15121d3ee2
Instruction Fuzzy Hash: A9B18F36A09745C6EB68AF26D051779B7A0FB06B5AF94403DCA4E03394CF38E444C7B6

Function 00007FF76C346700 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34675A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34685E
WSAIoctl.WS2_32 ref: 00007FF76C3469B7
setsockopt.WS2_32 ref: 00007FF76C3469DF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C346AD6

Strings

Failed to alloc scratch buffer!, xrefs: 00007FF76C346870
We are completely uploaded and fine, xrefs: 00007FF76C346A4A

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: malloc$Ioctlsetsockopt
String ID: Failed to alloc scratch buffer!$We are completely uploaded and fine
API String ID: 3352517165-607151321
Opcode ID: 4da8ea7b6e38b7bea43f957f2dfb2ab707105471132a78fb99ab60b79481d29f
Instruction ID: 3f8d03824407624240bd072aea1ba4abb8749aa96357e5fce47e46afb024a6bb
Opcode Fuzzy Hash: 4da8ea7b6e38b7bea43f957f2dfb2ab707105471132a78fb99ab60b79481d29f
Instruction Fuzzy Hash: CFB1A632A08BC1C5EB65AF26D8447F877B0EB44B99F488139CE4D4A785DF3C9499C721

Function 00007FF76C326AF0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C326C88

Part of subcall function 00007FF76C319180: memmove.VCRUNTIME140(?,?,?,?,?,?,00007FF76C31FE98), ref: 00007FF76C319273
Part of subcall function 00007FF76C319180: memmove.VCRUNTIME140(?,?,?,?,?,?,00007FF76C31FE98), ref: 00007FF76C319281

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C326D1C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C326D5B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C326DA9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C326DF7

Strings

at line , xrefs: 00007FF76C326C10
, column , xrefs: 00007FF76C326C7E, 00007FF76C326CA0

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: at line $, column
API String ID: 15630516-191570568
Opcode ID: 5e4d8d85a8d54d54532ebc7b1e5869757041f05c7f486f1e3ba87bc0a8d4ea7e
Instruction ID: 3ca84aba10d4317854875500debaae116eefb5178ec2ec63aa5dfe0c7e9d87b9
Opcode Fuzzy Hash: 5e4d8d85a8d54d54532ebc7b1e5869757041f05c7f486f1e3ba87bc0a8d4ea7e
Instruction Fuzzy Hash: 5F91AD62F18B8589FB00EBB6D0017EC7771EB45B98F80422ADA5C17A9ADF3CD046C361

Function 00007FF76C372A05 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372A48
memmove.VCRUNTIME140 ref: 00007FF76C372A6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372B3F
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B83
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372BFE

Strings

TRUE, xrefs: 00007FF76C372B5D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freeisupper$mallocmemmove
String ID: TRUE
API String ID: 2733518094-3412697401
Opcode ID: f2018e842f5031247ae58c59ff1c54d847c529beee07d2226cbc78392c24967b
Instruction ID: f90770176d167e7b863d840ae641ef047557a0289ffb46046f5130a2d12a6476
Opcode Fuzzy Hash: f2018e842f5031247ae58c59ff1c54d847c529beee07d2226cbc78392c24967b
Instruction Fuzzy Hash: AF518A11E0C693C5FF19AA27425E778BB92EB177A2F84423DC65F066C1DE2E9041C33A

Function 00007FF76C35FF50 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF76C35FF86
_open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF76C35FFDB
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF76C36004C
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF76C360059
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF76C36016B

Strings

Can't open %s for writing, xrefs: 00007FF76C35FFEB
Can't get the size of %s, xrefs: 00007FF76C360062

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _close$_fstat64_openstrchr
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 423814720-3544860555
Opcode ID: ba70c184324fb380c2274616c21f2951f4d9364325d0ff2c2947b8fa208ef5e7
Instruction ID: f1b9a9e6866a6a1b04e3cb98f8547f659d0b8a080a0a14491b19dd348f9ef1f6
Opcode Fuzzy Hash: ba70c184324fb380c2274616c21f2951f4d9364325d0ff2c2947b8fa208ef5e7
Instruction Fuzzy Hash: 6851C921B08A82C2EA54AB27D801BFDB391BF85BD5F85813DDE4E57391DE3CE4458326

Function 00007FF76C363A30 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF76C363A9C
htons.WS2_32 ref: 00007FF76C363AB2
send.WS2_32 ref: 00007FF76C363B58
WSAGetLastError.WS2_32 ref: 00007FF76C363B6C
send.WS2_32 ref: 00007FF76C363BAE
WSAGetLastError.WS2_32 ref: 00007FF76C363BB8

Strings

Sending data failed (%d), xrefs: 00007FF76C363B72, 00007FF76C363BBE

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLasthtonssend
String ID: Sending data failed (%d)
API String ID: 2027122571-2319402659
Opcode ID: 971336197add8dea3a6e41dd1de948a17abbced9218e037f20148f5db3cb34f3
Instruction ID: ce57a21b6d39c77a4cd07b76fb66323342cd0840bcadf2c8f5d5d5fce167c5db
Opcode Fuzzy Hash: 971336197add8dea3a6e41dd1de948a17abbced9218e037f20148f5db3cb34f3
Instruction Fuzzy Hash: 0641BD32608A86C0E7006F77D414AA8B720FB55F8AF844636EB9917798CF7CE005C322

Function 00007FF76C36FDBE Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C36FDC1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 111713529-517259162
Opcode ID: 4e4574fd784bfdf734f25b284c174d0d41fadfb325ff7ce69e49df849e7243d1
Instruction ID: 806319110cd4de06b76df75a9cdda983ca5f2276ad9cd2f8ecc07a08a91e6765
Opcode Fuzzy Hash: 4e4574fd784bfdf734f25b284c174d0d41fadfb325ff7ce69e49df849e7243d1
Instruction Fuzzy Hash: F831BE66E097C2C4FA00AB6794559F9B7A06F4678AFC8043DCE0E17756DE3CE0048336

Function 00007FF76C370A0D Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 173COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Strings

Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF76C370B41
Expire Date: %s, xrefs: 00007FF76C370D37
GMT, xrefs: 00007FF76C370ACE
Expire Date, xrefs: 00007FF76C370D1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Expire Date$Public Key Algorithm
API String ID: 1294909896-3805148269
Opcode ID: dddf6fcedf62ebd13ab9d4630b91c60f29e39eeeec8e2356d479b4a9fbe108a7
Instruction ID: 32097244bd327bd2aacfd33dff3045a50917cdedb6f798c19a192db30d302c67
Opcode Fuzzy Hash: dddf6fcedf62ebd13ab9d4630b91c60f29e39eeeec8e2356d479b4a9fbe108a7
Instruction Fuzzy Hash: 8671EC72A097C2C4EB50AB2695059F9B7A1BB06786FC4443ADA8E17B84DF3DE104C336

Function 00007FF76C36FEAD Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 165COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF76C36FFD1
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
GMT, xrefs: 00007FF76C36FF5E
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Serial Number$Signature Algorithm
API String ID: 1294909896-599393795
Opcode ID: 6fa430d6cdd12601f7fc54e33da1bca16401ca5aae213aea72113c6be35d4e9e
Instruction ID: 0cb221dac2a0a24ebbdd2dc9e201d9af08d828a5f31387075f2baa14cf3ed011
Opcode Fuzzy Hash: 6fa430d6cdd12601f7fc54e33da1bca16401ca5aae213aea72113c6be35d4e9e
Instruction Fuzzy Hash: 3961B262A097C2C4EB10AB2795549F8F7A0AB06786FC4443DDA4E17B55DF3CE545C322

Function 00007FF76C370944 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 130COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Strings

Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
Expire Date: %s, xrefs: 00007FF76C370D37
GMT, xrefs: 00007FF76C3709A6
Expire Date, xrefs: 00007FF76C370D1D
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF76C3709F9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$Expire Date$GMT$Public Key Algorithm
API String ID: 1294909896-1642401773
Opcode ID: 71836d0c5b4c893e36aec097646d4504248d8facce54a8b88e2725fb6a8f6396
Instruction ID: 3aa5c13c595de1204902b438d9adc5c5f341b157571476a8ead154401eb6eeca
Opcode Fuzzy Hash: 71836d0c5b4c893e36aec097646d4504248d8facce54a8b88e2725fb6a8f6396
Instruction Fuzzy Hash: B851BD62A09BC2C4EB10AB62D5419F9F7A1BB46B86FC80439DA4E1B755DF3CE104C336

Function 00007FF76C338E00 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C338E46
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C338E72
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C338E9E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdup
String ID:
API String ID: 1169197092-0
Opcode ID: 0dcf26cef58ed434e5489d037f5e3efd57c7930541e7d7f213b6419931548259
Instruction ID: 4fc207a3c8a8ef14ce5f5ffb9b1354cdb13ac1518d16082efa94e872ce64f090
Opcode Fuzzy Hash: 0dcf26cef58ed434e5489d037f5e3efd57c7930541e7d7f213b6419931548259
Instruction Fuzzy Hash: 02516F26A1AB80C2EB95DF56F040528B7B4FF48B85B48117AEF9D43B44EF38D8E18711

Function 00007FF76C36FDE7 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261
GMT, xrefs: 00007FF76C36FE46
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF76C36FE99

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Serial Number$Signature Algorithm
API String ID: 1294909896-3876350232
Opcode ID: 0cea19f0728d0b9a80d7c0eb0302881a578b6c5b734276fdf301f3f9d6a046a1
Instruction ID: aab82c356ff0df1f8df94f7394be628e16d2bf8722b3195e73b800c06ce13e45
Opcode Fuzzy Hash: 0cea19f0728d0b9a80d7c0eb0302881a578b6c5b734276fdf301f3f9d6a046a1
Instruction Fuzzy Hash: 5B51B565A097C1C4EB10AB6394419F9F7A1AB46B86FC8003DCA4E17756DF3CE544C376

Function 00007FF76C32D6E0 Relevance: 12.1, APIs: 8, Instructions: 117COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF76C32D854,?,?,?,?,?,?,00000000,00007FF76C32DCAD), ref: 00007FF76C32D760
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00007FF76C32DCAD), ref: 00007FF76C32D7B0

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 6c6b1d87d7b96f9c37bd5a0b2ad56376e2ab98a7df9225afbc54f3dbbf3f16b7
Instruction ID: 5360dd9159272aa36d28e0989ab1fa48a683525866561fbcc74948a900a1fdc0
Opcode Fuzzy Hash: 6c6b1d87d7b96f9c37bd5a0b2ad56376e2ab98a7df9225afbc54f3dbbf3f16b7
Instruction Fuzzy Hash: A3419A66A08642C5EF10AF2BE445A7DB3A1AF89B96F94403DDE4D0B791DF3CE440C662

Function 00007FF76C370BA4 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370BDF
memmove.VCRUNTIME140 ref: 00007FF76C370C05
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Strings

Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
Expire Date: %s, xrefs: 00007FF76C370D37
Expire Date, xrefs: 00007FF76C370D1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$mallocmemmove
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 1934541353-2901970132
Opcode ID: 59689c72c398520cceb71ddbe514866db61d7b748caaaeca86e30acf2a38e0f6
Instruction ID: 0c89af9691c3d739ee04cb81c418227767e78fd111bfc9004741f3539d61495c
Opcode Fuzzy Hash: 59689c72c398520cceb71ddbe514866db61d7b748caaaeca86e30acf2a38e0f6
Instruction Fuzzy Hash: E541D165A087C2C4EB15BB6395119F8B7A1BF0A78AFC80539DD0E1BB95DE3CE1048336

Function 00007FF76C35EB46 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35EB6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35EC25
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35EC31
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35EC68
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35ECDC

Strings

SYST, xrefs: 00007FF76C35EC06
Entry path is '%s', xrefs: 00007FF76C35EC3E, 00007FF76C35EC75
Failed to figure out path, xrefs: 00007FF76C35ECE2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: Entry path is '%s'$Failed to figure out path$SYST
API String ID: 2190258309-1780565354
Opcode ID: 30a322698a9d09478b754f702a82bd86244d7fb4837aa4ad5e8932c45f6b731e
Instruction ID: 7acca10425ada6e7919a2481b9effa0c59d720aee750604b53eaf9e7a802d7c5
Opcode Fuzzy Hash: 30a322698a9d09478b754f702a82bd86244d7fb4837aa4ad5e8932c45f6b731e
Instruction Fuzzy Hash: 37418161E0D7C2C1EB61BB26E450AF8BBA0BB45786FD04079CB8E03795DE3CE4558362

Function 00007FF76C355CC0 Relevance: 11.3, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355D8C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355D9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355DA8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355DB6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355DC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355DD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355DE0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355DEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C355DFC

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 76e4ced6efe5993853b689da704464f040d55abe684b7370d22794f6957231d4
Instruction ID: 642cd2a402c59227d0572bb601aabd4a55ff2cfbaf2aa2f6c4d517e7f24054c4
Opcode Fuzzy Hash: 76e4ced6efe5993853b689da704464f040d55abe684b7370d22794f6957231d4
Instruction Fuzzy Hash: FE418F36908B42C2E761AF22D440678BBE4FB48B55F844539DA4E93314DF38E894C792

Function 00007FF76C3337D0 Relevance: 11.3, APIs: 9, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33384A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333854
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33385E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333868
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333872
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33387C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333886
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333890
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333899

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8158889cb29fd38473596d94e225671dce0e76901f8fc4407870a4919f581520
Instruction ID: 4b3db65265de804f5f6c145e5437f742612f692e8a7a380c7d0ad54e59c73320
Opcode Fuzzy Hash: 8158889cb29fd38473596d94e225671dce0e76901f8fc4407870a4919f581520
Instruction Fuzzy Hash: 53314D36A09A41C2D750AF12E840569B7B0FB88FE5F484035DE4E47B58DF3CD88AC751

Function 00007FF76C3336F0 Relevance: 11.3, APIs: 9, Instructions: 52COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333737
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333741
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33374B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333755
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33375F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333769
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333773
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33377D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C333786

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 550e382d495c99fc32b2c98eafc5e0ca5608ca31e3ed4da35b8a7b9c0454bc5e
Instruction ID: 6fc0df5423ff6c0d78e591e1f33bd7eea4634e792def450dbcce225df82bd74b
Opcode Fuzzy Hash: 550e382d495c99fc32b2c98eafc5e0ca5608ca31e3ed4da35b8a7b9c0454bc5e
Instruction Fuzzy Hash: 4B21307AA09A41C2D750AF22E844469B7B4FF88FA5F440035DE8E43728DF3CD889CB51

Function 00007FF76C314E00 Relevance: 10.7, APIs: 7, Instructions: 180COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C314EB2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: b085a21d5389157d7061ce8cc78af9b0672339c5200693612f92dbb5c630c96a
Instruction ID: c87126f28384bd897ecde067e736ec7aea2d770c303c6244caa623808887bc43
Opcode Fuzzy Hash: b085a21d5389157d7061ce8cc78af9b0672339c5200693612f92dbb5c630c96a
Instruction Fuzzy Hash: 9E818932B14A41CDEB01DFA6D4806AC77B0FB48B69F84123ADA1E53B98DF38D494C361

Function 00007FF76C322850 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF76C322914
memmove.VCRUNTIME140 ref: 00007FF76C322991
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C322A1E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C322A5D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C322AAE

Strings

signature, xrefs: 00007FF76C32290D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcmpmemmove
String ID: signature
API String ID: 2239884541-2928148801
Opcode ID: 72458893b83f609d9a8682c1ae0190f1711e869a3893d19b75e7d545dcc2098d
Instruction ID: baa25deb92904e27394e6bc0f8450729a14eccb98d87e5c8de30b6bf9a18a750
Opcode Fuzzy Hash: 72458893b83f609d9a8682c1ae0190f1711e869a3893d19b75e7d545dcc2098d
Instruction Fuzzy Hash: F761E362F24A41C9FF10EBB6D9447AC7372AB057A9F800239DE2D26AD9DE3C9045C325

Function 00007FF76C355020 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3550BE
memmove.VCRUNTIME140 ref: 00007FF76C355156
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35528C

Strings

select/poll on SSL socket, errno: %d, xrefs: 00007FF76C355234
schannel: timed out sending data (bytes sent: %zd), xrefs: 00007FF76C355254

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemallocmemmove
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 2537350866-3891197721
Opcode ID: 19f4af89ea3a163fc73a4692305ffa0db9f14222e287f541bf38973cd1b63144
Instruction ID: 8172bd8482b36db77a6d7c66917af3edc811ffe0b010f749a24ceb2e8144d529
Opcode Fuzzy Hash: 19f4af89ea3a163fc73a4692305ffa0db9f14222e287f541bf38973cd1b63144
Instruction Fuzzy Hash: 7E71AD72B09B41CAEB10DBA6D440AAD77B1BB48BA9F804239DF2D477C4EE38E405C750

Function 00007FF76C350C90 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF76C33488A,?,?,?,?,?,?,?,00007FF76C334657), ref: 00007FF76C350CA1
strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF76C350E43
strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF76C350E60

Strings

TRUE, xrefs: 00007FF76C350DCC
0123456789ABCDEF, xrefs: 00007FF76C350E52, 00007FF76C350E59
0123456789abcdef, xrefs: 00007FF76C350E32, 00007FF76C350E3C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strchr$_errno
String ID: 0123456789ABCDEF$0123456789abcdef$TRUE
API String ID: 2644425738-1191287149
Opcode ID: 3b573b260ddd7ca5a8817779604e515f03929ca240b76e371b5a1f31363573ab
Instruction ID: 09b71a645079cd070041dda8f005fda9c9c92d9fad719b82ce54ade491393e15
Opcode Fuzzy Hash: 3b573b260ddd7ca5a8817779604e515f03929ca240b76e371b5a1f31363573ab
Instruction Fuzzy Hash: E8513552B0D7C6C1EE21AB169640ABAFA90EF55B8DFD84139DB4D47344EE3EE441C322

Function 00007FF76C3330DC Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3330E2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3332D1

Strings

Added, xrefs: 00007FF76C33356D
Replaced, xrefs: 00007FF76C333561
FALSE, xrefs: 00007FF76C3332AB
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF76C333577

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 1169197092-2292467869
Opcode ID: bab21091afe017e8973dd3309c6b02328d3587dad2db310ce13ef567e396e3a7
Instruction ID: c3a359e0b2651622ad37f2b6fefe0db3cecb0ceca6de0a3ee4e6769e612ad6cf
Opcode Fuzzy Hash: bab21091afe017e8973dd3309c6b02328d3587dad2db310ce13ef567e396e3a7
Instruction Fuzzy Hash: F261626190D7C2C5FBB1AB13D544B79B7A0EF05756F88813ACA8E47691DF2CE4468322

Function 00007FF76C37287A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B83
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372BFE

Strings

TRUE, xrefs: 00007FF76C372B5D
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF76C3729A1
GMT, xrefs: 00007FF76C37292E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: isupper$free
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
API String ID: 573759493-910067264
Opcode ID: c7214adef2910220f718c2d4d9852b648ad839830488b95bca1a4c9ba923e21f
Instruction ID: 87d80553f51dfcfb3bf6724f70c99ff675f2b118bfad5fd5c9bf1a46485865b6
Opcode Fuzzy Hash: c7214adef2910220f718c2d4d9852b648ad839830488b95bca1a4c9ba923e21f
Instruction Fuzzy Hash: 0161F421E0C6D7C4EB11AF26960AA79FBA5EB07782FC44039C58D46A94CF3ED541C73A

Function 00007FF76C359650 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35969A
memmove.VCRUNTIME140 ref: 00007FF76C3597B1
memmove.VCRUNTIME140 ref: 00007FF76C359822
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35984E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C359860

Strings

Failed to alloc scratch buffer!, xrefs: 00007FF76C3596B0

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freememmove$malloc
String ID: Failed to alloc scratch buffer!
API String ID: 531908557-1446904845
Opcode ID: d695b4d04139a3570055bfdf4ca63a6ecd44feb537e5054aa7e59ff4ebd879f7
Instruction ID: f723a80bea43c2df9eb936877107125f415749bd1af0766bb855a0d03962ca15
Opcode Fuzzy Hash: d695b4d04139a3570055bfdf4ca63a6ecd44feb537e5054aa7e59ff4ebd879f7
Instruction Fuzzy Hash: 7E51CFA2A087C0CAE621DF26E500AEABBA4FB09785F840139DF8D07751DF3CE165C311

Function 00007FF76C35C790 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 146stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF76C35C853

Strings

, xrefs: 00007FF76C35C7F7
bytes, xrefs: 00007FF76C35C849
Maxdownload = %I64d, xrefs: 00007FF76C35C8EC, 00007FF76C35C98B
Getting file with size: %I64d, xrefs: 00007FF76C35C905
RETR response: %03d, xrefs: 00007FF76C35C7E8
Data conn was not available immediately, xrefs: 00007FF76C35C947

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strstr
String ID: $ bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$RETR response: %03d
API String ID: 1392478783-2096918210
Opcode ID: 123b2d35c3ea4ac656270c1ed99f737452bda4ffd71de9e555080de5036ada98
Instruction ID: e57c23c3bc1c3d7669e6b33940ce0a8cf984227e6e9e567f802d0ead5b5f856b
Opcode Fuzzy Hash: 123b2d35c3ea4ac656270c1ed99f737452bda4ffd71de9e555080de5036ada98
Instruction Fuzzy Hash: 24510762A08786C2FA24B726B444AB8F690EF49369FC44239DF5D026D1DF7CD4868712

Function 00007FF76C37101B Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371349
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371389
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37139C

Strings

Signature, xrefs: 00007FF76C37131F
Signature: %s, xrefs: 00007FF76C371337
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF76C37113F
GMT, xrefs: 00007FF76C3710CE

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Signature
API String ID: 2190258309-3231818857
Opcode ID: 9367be8770f101fd28b0e4e688c7a0aa615af9804f2b8475d161bcc8592d60f6
Instruction ID: 2bd08e221329463d87a639eb1c2bc73c1ad69fd2be0948790517108dfca8402a
Opcode Fuzzy Hash: 9367be8770f101fd28b0e4e688c7a0aa615af9804f2b8475d161bcc8592d60f6
Instruction Fuzzy Hash: 8F51E372A1C7C2C5EA119B22A459AF9F7A4FB46792FC4003ACA8D03B54CF3CD105C725

Function 00007FF76C35C560 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 144networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF76C35C706

Part of subcall function 00007FF76C373750: memmove.VCRUNTIME140 ref: 00007FF76C3737F8
Part of subcall function 00007FF76C373750: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C373809

Strings

FTP response aborted due to select/poll error: %d, xrefs: 00007FF76C35C714
QUOT string not accepted: %s, xrefs: 00007FF76C35C72F
We got a 421 - timeout!, xrefs: 00007FF76C35C745
FTP response timeout, xrefs: 00007FF76C35C773
*, xrefs: 00007FF76C35C6D4

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastfreememmove
String ID: *$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$We got a 421 - timeout!
API String ID: 1540152464-2335292235
Opcode ID: 7bd36aaeb32bbb67d860a0046e63ca6d6d446e533c6632c40ca3cd37de852fe5
Instruction ID: 4921a5eecd67fc3a4b9580e3205c80243032fea933849d30196a2e9b226f15c2
Opcode Fuzzy Hash: 7bd36aaeb32bbb67d860a0046e63ca6d6d446e533c6632c40ca3cd37de852fe5
Instruction Fuzzy Hash: 4E510821B08683C5FB64BA17A500BB9B790AF4978AFC85139DF4D872D5EF2CE545C322

Function 00007FF76C369D80 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,Negotiate,?,00007FF76C34D856), ref: 00007FF76C369EDD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,Negotiate,?,00007FF76C34D856), ref: 00007FF76C369EF3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C369F05

Strings

Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 00007FF76C369E31
%sAuthorization: Negotiate %s, xrefs: 00007FF76C369EBE
Proxy-, xrefs: 00007FF76C369EAD
Negotiate, xrefs: 00007FF76C369D86, 00007FF76C369E62

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$Proxy-
API String ID: 1294909896-1255959952
Opcode ID: 4dc1b605df474de0ff6f147fd77f147bfe006571b0e01af67f719ab21d3ae2b7
Instruction ID: 8a5af23854d71845a5a612f3f4ae2d6043a289ba3fd2ced02a1b25814516c847
Opcode Fuzzy Hash: 4dc1b605df474de0ff6f147fd77f147bfe006571b0e01af67f719ab21d3ae2b7
Instruction Fuzzy Hash: C151BD22A0C742D2FB11EF23D480ABCBB90EB40B96F860039DA4D57681DF39E455C362

Function 00007FF76C365E90 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF76C365EA8
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF76C366011

Strings

gfff, xrefs: 00007FF76C365F88
Connection time-out, xrefs: 00007FF76C365ECB
set timeouts for state %d; Total %ld, retry %d maxtry %d, xrefs: 00007FF76C365FEC
gfff, xrefs: 00007FF76C365F1C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
API String ID: 1670930206-870032562
Opcode ID: e2a123b1e21a331dc6722c7a1f716035e36cfdaf94d9580f5ff64b73ca5f2fca
Instruction ID: 0d14557ae78b0988e31fa3e4e6264fb4ae697e2755e6b593ec1d02f57c4890a9
Opcode Fuzzy Hash: e2a123b1e21a331dc6722c7a1f716035e36cfdaf94d9580f5ff64b73ca5f2fca
Instruction Fuzzy Hash: 05411872B14615C6DB20DF2BE000968B7B0FB98F88F915035EE0C8B785DE39E541CB41

Function 00007FF76C3456F0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 106COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C34583A

Strings

necessary data rewind wasn't possible, xrefs: 00007FF76C345845
seek callback returned error %d, xrefs: 00007FF76C34578E
Cannot rewind mime/post data, xrefs: 00007FF76C345870
the ioctl callback returned %d, xrefs: 00007FF76C3457E5
ioctl callback returned error %d, xrefs: 00007FF76C3457FF

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: fseek
String ID: Cannot rewind mime/post data$ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
API String ID: 623662203-959247533
Opcode ID: b9165f8a2ea9ace5ef2b69f4e2bb295e2a4c0164fe58ca27e075647b17577575
Instruction ID: ac9289defa58b3b9815307e937664c80142806db9830c69ee7e0781a55e4ca02
Opcode Fuzzy Hash: b9165f8a2ea9ace5ef2b69f4e2bb295e2a4c0164fe58ca27e075647b17577575
Instruction Fuzzy Hash: F541C472F14682C1EB54AB2BD840BB87391EF88B85F885039DD0E4F39ADE3DD4848761

Function 00007FF76C370860 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Strings

%s%lx, xrefs: 00007FF76C3708BD
Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
Expire Date: %s, xrefs: 00007FF76C370D37
Expire Date, xrefs: 00007FF76C370D1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$%s%lx$Expire Date$Public Key Algorithm
API String ID: 1294909896-3155708153
Opcode ID: c4ebdc808cf4486b95878a08a45e668fffcafed25245ce7b2ce85abbd950441c
Instruction ID: cbc2d1dac1d57fbb06c4f50be81e2174207aa17651d77fef45453120598520bb
Opcode Fuzzy Hash: c4ebdc808cf4486b95878a08a45e668fffcafed25245ce7b2ce85abbd950441c
Instruction Fuzzy Hash: A841B162A097C2C4EF11AB6795519F8B7A1AF0A78AFC44439DE4E1B746DE3CE0048336

Function 00007FF76C370F5E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371349
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371389
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37139C

Strings

Signature, xrefs: 00007FF76C37131F
Signature: %s, xrefs: 00007FF76C371337
GMT, xrefs: 00007FF76C370FB4
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF76C370FF4

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Signature
API String ID: 2190258309-3662781045
Opcode ID: 43a396351ca0d7fdc4e3b95c2e661a6cd862c9d7fd046da0c36266a74565a95a
Instruction ID: 3bd151d726e32727031c38433914a6b55815a1f921e78cfae2ab14240a533e8f
Opcode Fuzzy Hash: 43a396351ca0d7fdc4e3b95c2e661a6cd862c9d7fd046da0c36266a74565a95a
Instruction Fuzzy Hash: B441C662A08BC6C1EB10AF26E5415E9F3A0FB45B86FC4003ADA8E17B55DF3CD545C725

Function 00007FF76C36FD21 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Strings

%s%lx, xrefs: 00007FF76C36FD76
Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%s%lx$Serial Number$Signature Algorithm
API String ID: 1294909896-659367561
Opcode ID: f18a14ee928358fa0cb2869a8fadee714043e3fbdd4f12c2765b12ca5e103c30
Instruction ID: ece1cb72c62b15c0a4a41f7fcb098993741506b33be9cd2236e1c51a27d4d7f5
Opcode Fuzzy Hash: f18a14ee928358fa0cb2869a8fadee714043e3fbdd4f12c2765b12ca5e103c30
Instruction Fuzzy Hash: 6F41C266A097C2C4FE10AB6794559F8B7A1AF0A786FC8443DDE0E17786DE3DE0048376

Function 00007FF76C37002E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37005F
memmove.VCRUNTIME140 ref: 00007FF76C37008A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$mallocmemmove
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1934541353-517259162
Opcode ID: 7af7ca7af1a94e10101c55b0918b96677e46a0c651d45d35524257b5d56ba445
Instruction ID: a11c210daf912e66cbd68cf2f6311a030e3326ce80f7fd6d6e887ffdc8a5f538
Opcode Fuzzy Hash: 7af7ca7af1a94e10101c55b0918b96677e46a0c651d45d35524257b5d56ba445
Instruction Fuzzy Hash: 8141BE65A097C2C4EA04AB279945AF9B7A1AF06789FC8443DCD0E17B55DE3CE4048322

Function 00007FF76C372A0D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372A48
memmove.VCRUNTIME140 ref: 00007FF76C372A6D
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B83
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372BFE

Strings

TRUE, xrefs: 00007FF76C372B5D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: isupper$freemallocmemmove
String ID: TRUE
API String ID: 3395529846-3412697401
Opcode ID: 89bb67e2fa85eab9a323bf84b29d2c736cc5bdde2a7b84e55d5725973ec3671d
Instruction ID: 30c140d1ae75015056591be40ac331b997ece4f9929b2cc9967642e35d826310
Opcode Fuzzy Hash: 89bb67e2fa85eab9a323bf84b29d2c736cc5bdde2a7b84e55d5725973ec3671d
Instruction Fuzzy Hash: D4314B11E0D683C4FB11EF27465A778FB91AF17B92F840639C94D06AD0CE2E9541C33A

Function 00007FF76C369680 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C3552D0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C33A419,?,?,?,?,00007FF76C3397BB), ref: 00007FF76C3552F8
Part of subcall function 00007FF76C3552D0: GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF76C33A419,?,?,?,?,00007FF76C3397BB), ref: 00007FF76C35531E
Part of subcall function 00007FF76C3552D0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C33A419,?,?,?,?,00007FF76C3397BB), ref: 00007FF76C35533F
Part of subcall function 00007FF76C3552D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C33A419,?,?,?,?,00007FF76C3397BB), ref: 00007FF76C355350

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36971F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C369768
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C369771

Strings

%s%s.netrc, xrefs: 00007FF76C3696DF
HOME, xrefs: 00007FF76C3696B9
%s%s_netrc, xrefs: 00007FF76C369734

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$realloc$EnvironmentVariable
String ID: %s%s.netrc$%s%s_netrc$HOME
API String ID: 4174189579-3384076093
Opcode ID: 821c03bee568abfad257e0ebcc113629796dd71169c6ce4d644d803328a4df23
Instruction ID: 068f3a7a548f6fb3ede3034836538e31516c74e1551dfd4da4c346f5e1a893ff
Opcode Fuzzy Hash: 821c03bee568abfad257e0ebcc113629796dd71169c6ce4d644d803328a4df23
Instruction Fuzzy Hash: B931A425A0DB42C1EA10EF13B8009AAF2A0BF89BD1F844439ED4D57B65EF3CE445C721

Function 00007FF76C357CC6 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C334A80: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C334AC4

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C357D04
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C357D16

Strings

Mailbox UIDVALIDITY has changed, xrefs: 00007FF76C357D4E
OK [UIDVALIDITY %19[0123456789]], xrefs: 00007FF76C357CE8
Select failed, xrefs: 00007FF76C357DA8

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: __stdio_common_vsscanf_strdupfree
String ID: Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$Select failed
API String ID: 860312144-3309259123
Opcode ID: a2d323184a620d5ac99e5a66bead614ab2b44fe312228ca63b6c42eb8a7baccb
Instruction ID: 4e36b4f3185d686714a4d7b2b426dbdc33ba83147c87dd65696bd0e684148938
Opcode Fuzzy Hash: a2d323184a620d5ac99e5a66bead614ab2b44fe312228ca63b6c42eb8a7baccb
Instruction Fuzzy Hash: 8431C422E1D683C1EA64BB22D4509BDB7A4BF46792FC0803ACB0E47351DF2CE8418363

Function 00007FF76C370F35 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C370F38
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371349
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371389
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37139C

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

Signature, xrefs: 00007FF76C37131F
Signature: %s, xrefs: 00007FF76C371337

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: Signature: %s$Signature
API String ID: 1941130848-1663925961
Opcode ID: 2bc44f96e5429c55cc5d8378b140c09216dd3961b4df2d5ef5365f046f7f721c
Instruction ID: 56f8faef2084e24b2f2aa6d53299412b9d52c50c8d4d4a07bf9dab65695e3818
Opcode Fuzzy Hash: 2bc44f96e5429c55cc5d8378b140c09216dd3961b4df2d5ef5365f046f7f721c
Instruction Fuzzy Hash: 4D219566A09B82C1EA50AB17E454AF9B3A0FF85786F840039DE4E07B15EF3CD045C761

Function 00007FF76C33F5A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF76C33C91C), ref: 00007FF76C33F5D5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF76C33C91C), ref: 00007FF76C33F601
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF76C33C91C), ref: 00007FF76C33F609
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF76C33C91C), ref: 00007FF76C33F62B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF76C33C91C), ref: 00007FF76C33F642

Strings

Invalid zoneid: %s; %s, xrefs: 00007FF76C33F614

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_errnostrerrorstrtoul
String ID: Invalid zoneid: %s; %s
API String ID: 439826447-2159854051
Opcode ID: a2ab55075de5d604c2124ce5bfb01723dda2de752500e89b77a4d47c41a9f329
Instruction ID: 7f9ee274b1684a2c3362b00a7e1898a6b6d7b714d0a1b00a9995bc309e22c702
Opcode Fuzzy Hash: a2ab55075de5d604c2124ce5bfb01723dda2de752500e89b77a4d47c41a9f329
Instruction Fuzzy Hash: 57118671A0D682C2EB40BB23D484979B370EF8AB5AFD41079CA1D47764DF2DD885CB25

Function 00007FF76C338FB0 Relevance: 10.0, APIs: 8, Instructions: 33COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FC1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FD1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FDF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FED
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C338FFB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339009
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339017
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C33C7B6,?,?,?,00007FF76C33B4CC), ref: 00007FF76C339025

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1b01f0ddf9ed4b32c5f6c452b99db915678b5605d610269cae537ccdd869ba64
Instruction ID: 3912a6395c31080f13bdab9f5c368cc59bbbcc85de467325bbf40997034de1c9
Opcode Fuzzy Hash: 1b01f0ddf9ed4b32c5f6c452b99db915678b5605d610269cae537ccdd869ba64
Instruction Fuzzy Hash: E601B37A909B01C2D740AF22E5C547CB7B4FB8CFAA7501169CE4E82718DF38C8A9C691

Function 00007FF76C334710 Relevance: 10.0, APIs: 8, Instructions: 23COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33471D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C334727
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C334731
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33473B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C334745
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33474F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C334759
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C334763

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 260d9d5bd8500dc735d4b1faf18f31f3a708321caf4e88f6ee8a4cb233e49b2c
Instruction ID: 5e5c29119a299cb7c6a0290c43897b51fbec6058778c9cb88f3269babb8a22ca
Opcode Fuzzy Hash: 260d9d5bd8500dc735d4b1faf18f31f3a708321caf4e88f6ee8a4cb233e49b2c
Instruction Fuzzy Hash: 0DF0E4AAA19901C2D754AF22E8964687770EF8CF66B541075CD0F86324DE28DC9DC691

Function 00007FF76C325AB0 Relevance: 9.3, APIs: 6, Instructions: 297COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C325C6A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C325DB4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C325E02

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID:
API String ID: 15630516-0
Opcode ID: 7de62e8389a854ce84078b892ad35dea7722f3f670a58b18e7fe7dcb174bbfc9
Instruction ID: a604a74d5daaa296c4909d686c5a5211c97909ba028fb431c66c0068ad94582b
Opcode Fuzzy Hash: 7de62e8389a854ce84078b892ad35dea7722f3f670a58b18e7fe7dcb174bbfc9
Instruction Fuzzy Hash: E0C1DC22B18B85C9EB00EB76E005BAC7361EB457A9F804639CE6C17BD9DF3CA149C351

Function 00007FF76C33C080 Relevance: 9.2, APIs: 6, Instructions: 161COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF76C33C8FB), ref: 00007FF76C33C097
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF76C33C8FB), ref: 00007FF76C33C0C8

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 717f05cdf9e9d4c4f0213cddd8f43669994a6f7344e1dade5958438c6ba25a5c
Instruction ID: 52430985bb0b4226267aa00c86b0e4c9cc696008fecf1c574107b401552014f4
Opcode Fuzzy Hash: 717f05cdf9e9d4c4f0213cddd8f43669994a6f7344e1dade5958438c6ba25a5c
Instruction Fuzzy Hash: 7591BC22609BC1CAD7459F35D4403E977A0FB55B29F480339CBAC4B386DF29A1A4C722

Function 00007FF76C34AAA0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AB38
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AB41
memmove.VCRUNTIME140 ref: 00007FF76C34AB5C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34ACBC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34ACC5

Strings

1.1, xrefs: 00007FF76C34AAAF

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$memmove
String ID: 1.1
API String ID: 1534225298-2150719395
Opcode ID: 959f939ed03b0bf3ca2435c93e8abd47972af75f8d378dfeeca0ce4ecd85709e
Instruction ID: 5f7dfb0d19df808dc89e1fd15ad0e57467c4e2f1190d3a19af2ff3d5b7a37cfc
Opcode Fuzzy Hash: 959f939ed03b0bf3ca2435c93e8abd47972af75f8d378dfeeca0ce4ecd85709e
Instruction Fuzzy Hash: 51515172609B85C6DA64AF22E9407A9B3A0FB48B85F848039DF9E4B754DF3CE458C351

Function 00007FF76C3279F8 Relevance: 9.1, APIs: 6, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 3ab395ba763f8578196c79e80dade60c8ed1f1b9827b41d12def1c7f130fb81a
Instruction ID: e2b02d1d657c96479339a1f4d8224ab38eed61a5feecc2990b1ac8ed95e00be9
Opcode Fuzzy Hash: 3ab395ba763f8578196c79e80dade60c8ed1f1b9827b41d12def1c7f130fb81a
Instruction Fuzzy Hash: 6751C13260CA41C2EB24AF26D544A3CB771FB4AB99F904139DA5D07798CF3CD991C762

Function 00007FF76C37062C Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37066F
memmove.VCRUNTIME140 ref: 00007FF76C370695
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370768
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3707D9

Strings

Start Date, xrefs: 00007FF76C3707AD
Start Date: %s, xrefs: 00007FF76C3707C7

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$mallocmemmove
String ID: Start Date: %s$Start Date
API String ID: 1934541353-2389359183
Opcode ID: 7ebb995824df8fea988f07f8694780a2802e1c5847b1986652ee6504fe404bf1
Instruction ID: fea7233034cdf9fdd6776a826ef0f1ead10fa1856acddf5353a4ff6c36d1b39b
Opcode Fuzzy Hash: 7ebb995824df8fea988f07f8694780a2802e1c5847b1986652ee6504fe404bf1
Instruction Fuzzy Hash: 46414B65A092C285FF196A178126AB8BB91EB067D2F88423DC65F07BD1DD2DE0458336

Function 00007FF76C342750 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF76C342835
VerSetConditionMask.KERNEL32 ref: 00007FF76C342844
VerSetConditionMask.KERNEL32 ref: 00007FF76C342856
VerSetConditionMask.KERNEL32 ref: 00007FF76C342868
VerSetConditionMask.KERNEL32 ref: 00007FF76C34287E
VerifyVersionInfoA.KERNEL32 ref: 00007FF76C342891

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 22175fd1defc111390bc6bdaf9514f45174fca0fac8b88ff1ba54a625aad6c09
Instruction ID: 4e9f6637206b709038bbad32d545872ca945aad84c2103a5c3ac2fd23af62822
Opcode Fuzzy Hash: 22175fd1defc111390bc6bdaf9514f45174fca0fac8b88ff1ba54a625aad6c09
Instruction Fuzzy Hash: 3D41D932E1C681C6F2309B12A918BBAF7A0FBD5305F419239E9C947A55DE3DE4848B61

Function 00007FF76C370B5F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Strings

Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
Expire Date: %s, xrefs: 00007FF76C370D37
Expire Date, xrefs: 00007FF76C370D1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 1294909896-2901970132
Opcode ID: 7959a5aadf351fc599b60655f7abd453df872177e391c1db5b59f9cf3e1debd1
Instruction ID: cc3a182c8676e8c11c6f6857f0cde1c56c0d1554c6ccc6e24f847937607dce40
Opcode Fuzzy Hash: 7959a5aadf351fc599b60655f7abd453df872177e391c1db5b59f9cf3e1debd1
Instruction Fuzzy Hash: 3B41D276A087C2C4EB10AB6395419F8B761BB0A789F880539DE0E1B785DE38E104C322

Function 00007FF76C36FFEF Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: 4a41f6acd76e062062b561a667d8840f26a051c7ca6ae1ed28f070a8d075619d
Instruction ID: 9fcfff1a0ed02ffc8fa5a98ac78448b66969197f4e41ada2b3ed26f67a37671e
Opcode Fuzzy Hash: 4a41f6acd76e062062b561a667d8840f26a051c7ca6ae1ed28f070a8d075619d
Instruction Fuzzy Hash: 1841B266A087C2C4EB05AB6399459F8B7A1BF0A7C9F880439DE0E17B45DF3CE1448322

Function 00007FF76C376AA0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C376B49
memmove.VCRUNTIME140 ref: 00007FF76C376B65
memmove.VCRUNTIME140 ref: 00007FF76C376B7C
memmove.VCRUNTIME140 ref: 00007FF76C376B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C376BCA

Strings

PLAIN, xrefs: 00007FF76C376AAB

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove$freemalloc
String ID: PLAIN
API String ID: 1763039611-4000620671
Opcode ID: 6dc8157ccad2dc8929c256cd425644d8ce6e3def0de36ef4f5d686c67f1d4dfb
Instruction ID: 0e9831c1e8c0d9a405b218c17c526315a84791d431a683bd8c52115568cb350f
Opcode Fuzzy Hash: 6dc8157ccad2dc8929c256cd425644d8ce6e3def0de36ef4f5d686c67f1d4dfb
Instruction Fuzzy Hash: 0A310566A08B85C2EB109F13E0516AAB7A0FB46BE4F848235DE9D477D5DE3CD009C325

Function 00007FF76C358CC1 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C358D46
memmove.VCRUNTIME140 ref: 00007FF76C358D61
strchr.VCRUNTIME140 ref: 00007FF76C358D7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C358D8E

Strings

Got unexpected pop3-server response, xrefs: 00007FF76C358CE1
CAPA, xrefs: 00007FF76C358DA4

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: callocfreememmovestrchr
String ID: CAPA$Got unexpected pop3-server response
API String ID: 1098749377-1591402739
Opcode ID: 33b148d5745447b0d8d78de658e8a5e2b359c6d3444230c2b1fb9f1e81348ab8
Instruction ID: a323efccbc525d12a48578fbb4556ef8d64a50b0e7e6d2f84e53f50ab2698287
Opcode Fuzzy Hash: 33b148d5745447b0d8d78de658e8a5e2b359c6d3444230c2b1fb9f1e81348ab8
Instruction Fuzzy Hash: 7631E5A1B29382C2EA55AB16D541AB9BAD0BF05356FC0053ECB1E03391DF3CE465C323

Function 00007FF76C370926 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C371A50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371A9C

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
Expire Date: %s, xrefs: 00007FF76C370D37
Expire Date, xrefs: 00007FF76C370D1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemalloc
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 3061335427-2901970132
Opcode ID: d0ce76544df53b1345fc274c3eed98608ca80b74762089145830b65eb514314d
Instruction ID: eae78232d5ac4c94ad9df437118def27730f3d494c540d5bb9a7ff60662c6aeb
Opcode Fuzzy Hash: d0ce76544df53b1345fc274c3eed98608ca80b74762089145830b65eb514314d
Instruction Fuzzy Hash: 7D31BF66A087C2C4EB10AB6395519F9B7A1BF0A78AFC40439DE4E1B745DE3CE1048336

Function 00007FF76C370E90 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371349
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371389
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37139C

Strings

%s%lx, xrefs: 00007FF76C370EED
Signature, xrefs: 00007FF76C37131F
Signature: %s, xrefs: 00007FF76C371337

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%s%lx$Signature
API String ID: 2190258309-1406629954
Opcode ID: efb2fd936c664b1e5a89b42bb94741dd3d2f1ea6d767a3669055881584c0214a
Instruction ID: 6569bc0d17d9281513b4018db77826d727be6953d93ab2890574c35948ff26ba
Opcode Fuzzy Hash: efb2fd936c664b1e5a89b42bb94741dd3d2f1ea6d767a3669055881584c0214a
Instruction Fuzzy Hash: 8F310772B09782C5EA10AB27D444ABDB7A0EF4AB86F840039CE4E07B51EF2DD004C725

Function 00007FF76C3708F3 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C373560: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C373595

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370D49
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370E12

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

Public Key Algorithm, xrefs: 00007FF76C370DC8
Public Key Algorithm: %s, xrefs: 00007FF76C370DE2
Expire Date: %s, xrefs: 00007FF76C370D37
Expire Date, xrefs: 00007FF76C370D1D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemalloc
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 3061335427-2901970132
Opcode ID: a75a58af8390352268c59e444a5725fb53b56978b17e4639fc9a44337c5125cf
Instruction ID: 3ec3a8ca8557c5ece2a573d83ed1f3c83e89e0fe74a4fcd9f1995cdd5f731ba6
Opcode Fuzzy Hash: a75a58af8390352268c59e444a5725fb53b56978b17e4639fc9a44337c5125cf
Instruction Fuzzy Hash: C931BF62A087C2C4EB10AB6395519F9B7A1BF0A78AFC40439DE4E1B745DE3CE1048336

Function 00007FF76C36FD91 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: 96b8b39280216bc7e49da5c2682eb81cc3755c75f24c05926fa60aad9c968743
Instruction ID: d1dec4db597e80fae1b37a9f17214b5b579aff2ecbbbee8264a88c79417d2435
Opcode Fuzzy Hash: 96b8b39280216bc7e49da5c2682eb81cc3755c75f24c05926fa60aad9c968743
Instruction Fuzzy Hash: EE319F66E09782C4FA04AB6794519F9B7A0AF0678AFC8043DDE0E17746DE3CE0448376

Function 00007FF76C361060 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C361071
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3610DD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3610EF

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupcallocfree
String ID:
API String ID: 1236595397-0
Opcode ID: 1ff196ba7fdc5d3c429b43f3d41e087cb2f43d765aa006f9fd55f687526fc464
Instruction ID: 1978a229662ea564162168a9636748f4a706a34bcb97e2deede06ddd6d8f8135
Opcode Fuzzy Hash: 1ff196ba7fdc5d3c429b43f3d41e087cb2f43d765aa006f9fd55f687526fc464
Instruction Fuzzy Hash: A431F632A09B85C2EB40DB27E4507B9B7B0EB85B86F980034CE4D47794EF3DD4958761

Function 00007FF76C36FDCF Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C371A50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371A9C

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3061335427-517259162
Opcode ID: cfdbe63e3a201a0ae6543db2c7649534b537b244e5a3e55b57553da5eb835166
Instruction ID: 24a9ca6cb4e4d02d5d6288e1f5d82fb057087cf71870751323d02212d0e49748
Opcode Fuzzy Hash: cfdbe63e3a201a0ae6543db2c7649534b537b244e5a3e55b57553da5eb835166
Instruction Fuzzy Hash: 22319E66A097C2C4FA00AB6794519F9B7A0AF4678AFC8143DDE0E1B756DE3CE0048336

Function 00007FF76C36FDA9 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C373560: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C373595

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3701CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C370273

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

Serial Number: %s, xrefs: 00007FF76C3701BC
Signature Algorithm, xrefs: 00007FF76C370247
Serial Number, xrefs: 00007FF76C3701A2
Signature Algorithm: %s, xrefs: 00007FF76C370261

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemalloc
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3061335427-517259162
Opcode ID: 2f88f6ac6fb0dbbbd7ef05d3e395aa095ae106e73e0270b92a9c70a296006898
Instruction ID: 44507551bd506ff1e4e54c32b04f989aa46e1ee2a486604a779182208b59dad1
Opcode Fuzzy Hash: 2f88f6ac6fb0dbbbd7ef05d3e395aa095ae106e73e0270b92a9c70a296006898
Instruction Fuzzy Hash: 5F31AF66E097C2C4FA00AB6794519F9B7A0AF4678AFC8043DDE0E17756DE3CE0048336

Function 00007FF76C35ECF3 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35ED0F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35ED8B

Strings

OS/400, xrefs: 00007FF76C35ED59
SITE NAMEFMT 1, xrefs: 00007FF76C35ED6C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemalloc
String ID: OS/400$SITE NAMEFMT 1
API String ID: 3061335427-2049154998
Opcode ID: 44b493ea91cc46c49121282076d4c0f03c30a5d4938f419ccf81dddd750b3199
Instruction ID: 7f7fe02699d78f44a1aa9bc4c057d6e6b4e608ffb0155f90f5de19f1cd6edee9
Opcode Fuzzy Hash: 44b493ea91cc46c49121282076d4c0f03c30a5d4938f419ccf81dddd750b3199
Instruction Fuzzy Hash: 3E31B621A0D7C2C5F7B1AB169450BB8BBA0AF49755FC04039CB4E57785DE3CE446C762

Function 00007FF76C334FD0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF76C335003
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF76C335017
CloseHandle.KERNEL32 ref: 00007FF76C335024
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF76C335046
closesocket.WS2_32 ref: 00007FF76C335064
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF76C33507D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: 103ec17979e39e692f6a3f8bfb2c87fc702194c30aec75c122ade078270b38de
Instruction ID: ff9c813e5b0fc6895bb26f9c1ed24726c60ea24e1d5c7f6f49b7539e4fc9add0
Opcode Fuzzy Hash: 103ec17979e39e692f6a3f8bfb2c87fc702194c30aec75c122ade078270b38de
Instruction Fuzzy Hash: 22215E36608A81C6E710AF13E184669B370FB89B92F844139DF8E47B50DF3EE4A5C761

Function 00007FF76C3330FD Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C350A80: strchr.VCRUNTIME140 ref: 00007FF76C350AB6

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3332D1

Strings

Added, xrefs: 00007FF76C33356D
Replaced, xrefs: 00007FF76C333561
FALSE, xrefs: 00007FF76C3332AB
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF76C333577

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupstrchr
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 3727083984-2292467869
Opcode ID: 135187ddad837442bc8959368bbf545a73b984fe343396fc0b74932c26ffbea7
Instruction ID: 165454ea6675bf3e06fa1afba8d770cc64041bf2da312bfbfc7a55e8601ba703
Opcode Fuzzy Hash: 135187ddad837442bc8959368bbf545a73b984fe343396fc0b74932c26ffbea7
Instruction Fuzzy Hash: 9361736190D7C2C5FBB1AB13D544B79B7A0EF04756FC8813ADA8E47691DF2CE4468322

Function 00007FF76C32DDA0 Relevance: 8.9, APIs: 7, Instructions: 139COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C32DE69
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DEA8
memmove.VCRUNTIME140 ref: 00007FF76C32DEDA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DF0C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DF17
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32DF92
memmove.VCRUNTIME140 ref: 00007FF76C32DFB5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove$freemalloc
String ID:
API String ID: 1763039611-0
Opcode ID: cbe8d038c8a23e681688dc7d5298c8700c4b898a2117aa2d41c7926bc355fe7e
Instruction ID: aeb5ef17cbfb541b9006d1d501dea0ad79c1e2c9ec6d432001cc9122f9155484
Opcode Fuzzy Hash: cbe8d038c8a23e681688dc7d5298c8700c4b898a2117aa2d41c7926bc355fe7e
Instruction Fuzzy Hash: C7611212D18BC586E7119F35D9016FDA320FBA9788F81A325EE8D16A57EF68E2D4C310

Function 00007FF76C34B530 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34B73D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C34B755

Strings

The requested URL returned error: %d, xrefs: 00007FF76C34B6DE
Forcing HTTP/1.1 for NTLM, xrefs: 00007FF76C34B5F9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree
String ID: Forcing HTTP/1.1 for NTLM$The requested URL returned error: %d
API String ID: 1865132094-1204028548
Opcode ID: bcec1632d8ce36f2d7a0de9d4853c655a121aa47ca6f190dad5e23601d973a36
Instruction ID: 1fc231cb8c410f484a1ccdf56512811b8a554934a88be662af25cf3b9d541da1
Opcode Fuzzy Hash: bcec1632d8ce36f2d7a0de9d4853c655a121aa47ca6f190dad5e23601d973a36
Instruction Fuzzy Hash: 1D51CB31A0CE82C1FB64AB268940BBDB791EF4574EF884039DE4D4E695CF2DE4548732

Function 00007FF76C318980 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?, && timeout /t 5",?,000000F8,?,-00000001,00007FF76C322585), ref: 00007FF76C318A87
memmove.VCRUNTIME140(?,?, && timeout /t 5",?,000000F8,?,-00000001,00007FF76C322585), ref: 00007FF76C318A9A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?, && timeout /t 5",?,000000F8,?,-00000001,00007FF76C322585), ref: 00007FF76C318B05

Part of subcall function 00007FF76C3784F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3157CA,?,?,?,?,?,?,?,00007FF76C31118E), ref: 00007FF76C37850A

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C318B12

Strings

&& timeout /t 5", xrefs: 00007FF76C318991

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: && timeout /t 5"
API String ID: 2075926362-934313417
Opcode ID: 43a413b19f113c986ae00824d90ef142ef84dc5726d1f0351a2c5912f8b815ed
Instruction ID: 970e1710a97af7feb9a404f370010b2ac02508d178368beb5e9f7f2c0f6f3b77
Opcode Fuzzy Hash: 43a413b19f113c986ae00824d90ef142ef84dc5726d1f0351a2c5912f8b815ed
Instruction Fuzzy Hash: FD41CC62609B85C9DA25EF22E40457AB3A0FB48BD5F94863ADEAD03B85CF3CD140C216

Function 00007FF76C327A3B Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C327EEA
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF76C327F10
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C327F19

Part of subcall function 00007FF76C318980: memmove.VCRUNTIME140(?,?, && timeout /t 5",?,000000F8,?,-00000001,00007FF76C322585), ref: 00007FF76C318A9A

Strings

invalid number; expected '+', '-', or digit after exponent, xrefs: 00007FF76C327EA5
invalid number; expected digit after '.', xrefs: 00007FF76C327CB6

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _errno$memmovestrtoull
String ID: invalid number; expected '+', '-', or digit after exponent$invalid number; expected digit after '.'
API String ID: 3546919614-808606891
Opcode ID: a1d58a205df8ea0fc39009f3d58b5456453d4418ac12cb8100ef427df41276df
Instruction ID: 3e9860d12aa8440e11e5d1552e8d2babdbf16a1a0383c2d08c7f3cb977e466ef
Opcode Fuzzy Hash: a1d58a205df8ea0fc39009f3d58b5456453d4418ac12cb8100ef427df41276df
Instruction Fuzzy Hash: 9851B122908641C6EB28AF26E440A3CB3A0FB46B59F940639DA5D073D8DF3CE841C772

Function 00007FF76C3727B8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B83
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372BFE

Strings

GMT, xrefs: 00007FF76C372814
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF76C372866

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: isupper$free
String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
API String ID: 573759493-632690687
Opcode ID: 41cf194390283f80654d9e811d9f585b02866320e4f76d58a215eaa146bf9e74
Instruction ID: 64f3b993fa83744cb731332963a3823736a87f6f55a73cc13013341d19842bab
Opcode Fuzzy Hash: 41cf194390283f80654d9e811d9f585b02866320e4f76d58a215eaa146bf9e74
Instruction Fuzzy Hash: 1341F921D0DAC6C5FB11DF26964AA78FBA1EB02B42FC44139C68E12685CF3DD541C33A

Function 00007FF76C31FEB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C31FEE1
memmove.VCRUNTIME140 ref: 00007FF76C31FFA6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C31FFFA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C320001

Part of subcall function 00007FF76C3784F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3157CA,?,?,?,?,?,?,?,00007FF76C31118E), ref: 00007FF76C37850A

Strings

start cmd /C "color b && title Error && echo , xrefs: 00007FF76C31FEB2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: start cmd /C "color b && title Error && echo
API String ID: 2075926362-15786077
Opcode ID: b7b3d8668d7c040fba411c8e603331d884d89abbffa77f14f0d7d40d3fa98e19
Instruction ID: e80da07ec58e6c1df5f443ba0a5f53fb19c11076eb7c7389ae60d3d634f8f478
Opcode Fuzzy Hash: b7b3d8668d7c040fba411c8e603331d884d89abbffa77f14f0d7d40d3fa98e19
Instruction Fuzzy Hash: 1531F722B05686C8FE16EB179504678B2419B06FF5F980639DE2D07BD5DE7CE082C326

Function 00007FF76C319020 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C3190FE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C31913B
memmove.VCRUNTIME140 ref: 00007FF76C319145
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C319172

Strings

&& timeout /t 5", xrefs: 00007FF76C319024

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: && timeout /t 5"
API String ID: 2016347663-934313417
Opcode ID: 7e6a421d6232408313209df97fc7d0e832a6f2192df059c584efc99da77120af
Instruction ID: 71a91ccc2dbb99fd7165dfc4407d924ec2ee051ec62016f98ba35e6d4641cb72
Opcode Fuzzy Hash: 7e6a421d6232408313209df97fc7d0e832a6f2192df059c584efc99da77120af
Instruction Fuzzy Hash: 52310321709781CCEE15AF1799046A8B351AB09BE1F880739DF6D07BD5CE3CE091C326

Function 00007FF76C35FDA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C355410: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF76C33D36F), ref: 00007FF76C35543E

_open.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C35FE5F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35FEAB
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C35FEC2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35FEDB

Strings

Couldn't open file %s, xrefs: 00007FF76C35FE89

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_close_openmalloc
String ID: Couldn't open file %s
API String ID: 3412525164-447283422
Opcode ID: 16067cbcc0111e809fd86af3b503726b5bab42d1a3ac7f3519d7580c131806f0
Instruction ID: fe19a1db13efdb59d02cb6dc345396390c35e4fc7ea436fc4b7097a196b56f75
Opcode Fuzzy Hash: 16067cbcc0111e809fd86af3b503726b5bab42d1a3ac7f3519d7580c131806f0
Instruction Fuzzy Hash: BF41C222A08A81C1EB149F26E40067AFBA1FB49B99F844139DB9D47785DF3CE4418712

Function 00007FF76C33FCE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C33FD5E

Part of subcall function 00007FF76C329BF0: GetLastError.KERNEL32 ref: 00007FF76C329C12
Part of subcall function 00007FF76C329BF0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C329C1A

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33FD7C
recv.WS2_32 ref: 00007FF76C33FDA7
WSAGetLastError.WS2_32 ref: 00007FF76C33FDB9

Strings

Recv failure: %s, xrefs: 00007FF76C33FDE5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLast$_errnofreememmoverecv
String ID: Recv failure: %s
API String ID: 209274916-4276829032
Opcode ID: a78407a8b934f3a00432b862932e7ce1a91fbacb64c95f620fbab4905c9d13c5
Instruction ID: 3c7e6846e4161e9e378b0ca63aa032e678cea0bf169f6a3e0fd4dabadabfeb45
Opcode Fuzzy Hash: a78407a8b934f3a00432b862932e7ce1a91fbacb64c95f620fbab4905c9d13c5
Instruction Fuzzy Hash: 3631BD72A05B81C1EB11AF12E885AAAB3A0BB58BDAF804139DE1D07388DE3CD565C351

Function 00007FF76C342EC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C342F49
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C342FDF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C343007

Strings

identity, xrefs: 00007FF76C342F03, 00007FF76C342F73, 00007FF76C342FD8
Unrecognized content encoding type. libcurl understands %s content encodings., xrefs: 00007FF76C342FF5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: Unrecognized content encoding type. libcurl understands %s content encodings.$identity
API String ID: 3985033223-1703240927
Opcode ID: 43b105938bbe1afea60731f8c3265c8eeec9abcad497d3cf9d11d24f4fe7bae9
Instruction ID: 08a295f46fbf9894f2e32a9eb439e2282c53b31a9025a15bc6049ac172faf915
Opcode Fuzzy Hash: 43b105938bbe1afea60731f8c3265c8eeec9abcad497d3cf9d11d24f4fe7bae9
Instruction Fuzzy Hash: 8641E231A0AA82C1EB41AB02DA44778F7A0AF44BD5FC58239CE1D9B7D4DF2DE4468321

Function 00007FF76C345BA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C345C95
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C345CF4

Strings

Connection died, tried %d times before giving up, xrefs: 00007FF76C345C58
REFUSED_STREAM, retrying a fresh connect, xrefs: 00007FF76C345C2B
Connection died, retrying a fresh connect, xrefs: 00007FF76C345C7F

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree
String ID: Connection died, retrying a fresh connect$Connection died, tried %d times before giving up$REFUSED_STREAM, retrying a fresh connect
API String ID: 1865132094-195851662
Opcode ID: 129133361ddcbb05e5fd9370c9f06ba04fbccc03db41721f9e5084d6b1078048
Instruction ID: f6dd2c6f6bbc8769bd7653e3242adfc5e0f45aa66f61fa73fb50a1cea8fe6d30
Opcode Fuzzy Hash: 129133361ddcbb05e5fd9370c9f06ba04fbccc03db41721f9e5084d6b1078048
Instruction Fuzzy Hash: E741B332F18A82C1EB55EB26E4447A9B7A0EB84B89F888035DB4D4B795CF3CD494C712

Function 00007FF76C3726A9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3726D0
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B83
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372BFE

Strings

FALSE, xrefs: 00007FF76C3726C5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: isupper$_strdupfree
String ID: FALSE
API String ID: 3359907120-3701058176
Opcode ID: 7764bb6831e2eaa97326a71e8e30827daf489382d19c39de26f14aff11951569
Instruction ID: 0fd680c63ad6e5d5c4521c432cbc39e1382325bf5df1e781bf264d79b089255e
Opcode Fuzzy Hash: 7764bb6831e2eaa97326a71e8e30827daf489382d19c39de26f14aff11951569
Instruction Fuzzy Hash: 56314C22E0D597C5FB12EF27961AB38FB909B03766FC40679C99A055C0CE2DD581C33A

Function 00007FF76C371F50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C371F7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372446

Strings

TRUE, xrefs: 00007FF76C371F6B
%s: %s, xrefs: 00007FF76C372431
FALSE, xrefs: 00007FF76C371F72

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree
String ID: %s: %s$FALSE$TRUE
API String ID: 1865132094-3430445539
Opcode ID: a6d7f1661c1feeff80e5064c4ce2b60c652a1103aa2eff225b398e4cdcefcb12
Instruction ID: b17a27f44620462d48aa012ecd341edf3e520163dcf146d9545ba74d652bbdaf
Opcode Fuzzy Hash: a6d7f1661c1feeff80e5064c4ce2b60c652a1103aa2eff225b398e4cdcefcb12
Instruction Fuzzy Hash: FB0184A6A0C782C1EA61AB57E945BF5B390BB46B82FC44039CE4E03351DF2CD185C336

Function 00007FF76C331D58 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C331EA8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C331EEF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C331F1A

Part of subcall function 00007FF76C330C60: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C330CAE
Part of subcall function 00007FF76C330C60: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C330CC5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C331F4F

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF76C331296

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Resolving timed out after %I64d milliseconds
API String ID: 1294909896-3343404259
Opcode ID: e1f46f550dfdcdcdb2de335d8caeb3610cd3dadedfb56dba1dd394773ee2ca03
Instruction ID: 8c1ea544133deaaaaaccb52c7c8286e74c5fdaba96e7c9ccc90b8cfe0aa18229
Opcode Fuzzy Hash: e1f46f550dfdcdcdb2de335d8caeb3610cd3dadedfb56dba1dd394773ee2ca03
Instruction Fuzzy Hash: 60D1C531A08686C5FB64AF27D544BF9B361EF44B8AF844139CE0D4B69ADF3DD44483A2

Function 00007FF76C36D580 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C36D4E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369F75,?,?,?,00007FF76C33B3FA), ref: 00007FF76C36D506
Part of subcall function 00007FF76C36D4E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369F75,?,?,?,00007FF76C33B3FA), ref: 00007FF76C36D527
Part of subcall function 00007FF76C36D4E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369F75,?,?,?,00007FF76C33B3FA), ref: 00007FF76C36D542
Part of subcall function 00007FF76C36D4E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369F75,?,?,?,00007FF76C33B3FA), ref: 00007FF76C36D550
Part of subcall function 00007FF76C36D4E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369F75,?,?,?,00007FF76C33B3FA), ref: 00007FF76C36D562

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C36D606

Strings

NTLM, xrefs: 00007FF76C36D5BE, 00007FF76C36D670
HTTP, xrefs: 00007FF76C36D58A

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: HTTP$NTLM
API String ID: 2190258309-4188377180
Opcode ID: 130ac42098961743247599a56bb6e9502eb2ce61e4b1216574272b91c42ea7da
Instruction ID: ceff294318a82f43b5d9cc9465e81d7d3bcc1830e2e949acf5296a5ffc49b373
Opcode Fuzzy Hash: 130ac42098961743247599a56bb6e9502eb2ce61e4b1216574272b91c42ea7da
Instruction Fuzzy Hash: 24616C36609B81C2EB609F17E440A6AB3A4FB88B85F944039DE8D43B58EF3CD454CB52

Function 00007FF76C35ADCB Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35AE80

Strings

ABOR, xrefs: 00007FF76C35AF7B
control connection looks dead, xrefs: 00007FF76C35B072
Failure sending ABOR command: %s, xrefs: 00007FF76C35AFA1
Remembering we are in dir "%s", xrefs: 00007FF76C35AF18

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: ABOR$Failure sending ABOR command: %s$Remembering we are in dir "%s"$control connection looks dead
API String ID: 1294909896-1891748601
Opcode ID: 31461b1feb7cbf637afcf20a2aaa98fffb8e89ade3f5c141d23370641694dd4e
Instruction ID: aeb6f7799a4d250ca6dcdc17752d8f2362722c7a17da6fb9f552deaa462dd6e8
Opcode Fuzzy Hash: 31461b1feb7cbf637afcf20a2aaa98fffb8e89ade3f5c141d23370641694dd4e
Instruction Fuzzy Hash: 1D519262A0C6C2C6E664B7369450BB9FA50EF41366FC00239DB6E0B6C2DF7CE4459372

Function 00007FF76C372F85 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372FC8
memmove.VCRUNTIME140 ref: 00007FF76C372FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3730BB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37310F

Strings

TRUE, xrefs: 00007FF76C373119

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$mallocmemmove
String ID: TRUE
API String ID: 1934541353-3412697401
Opcode ID: fbe6dabc12e5a791c19b722c8e6ae0017cda973ba5d9082353760d4feb85bc08
Instruction ID: c4fa7353a6eebe31d946823b6054c08f4c5e7f2c149b08c4e43f922951e43451
Opcode Fuzzy Hash: fbe6dabc12e5a791c19b722c8e6ae0017cda973ba5d9082353760d4feb85bc08
Instruction Fuzzy Hash: A041AB61F09A92C5FB499A1785197B4BB92EB027F1F844639CA6F433C1DD2DD086C336

Function 00007FF76C376830 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF76C3767F0), ref: 00007FF76C37689F

Part of subcall function 00007FF76C350C90: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF76C33488A,?,?,?,?,?,?,?,00007FF76C334657), ref: 00007FF76C350CA1

Part of subcall function 00007FF76C350C90: strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF76C350E43
Part of subcall function 00007FF76C350C90: strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF76C350E60

strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF76C3767F0), ref: 00007FF76C37690E
strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF76C3767F0), ref: 00007FF76C376928
strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF76C3767F0), ref: 00007FF76C37695E

Strings

xn--, xrefs: 00007FF76C376945

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strchr$_errno
String ID: xn--
API String ID: 2644425738-2826155999
Opcode ID: ab96790c3fc4ca84c96659126e3f5302aa64baacbd0cf19053438b5ee3ccc87b
Instruction ID: c8b5851468d77159ffae520b158b703b721818af07e5bd8c8d0e4054509fdbcb
Opcode Fuzzy Hash: ab96790c3fc4ca84c96659126e3f5302aa64baacbd0cf19053438b5ee3ccc87b
Instruction Fuzzy Hash: 4941B461B0D68285FA54B6238526B79B2A15F47B81F848138DE4EC77C1EE2DE4058736

Function 00007FF76C344A60 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF76C344B08
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C344B88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C344C32

Strings

allocate connect buffer!, xrefs: 00007FF76C344BAF
CONNECT phase completed!, xrefs: 00007FF76C344C73

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: callocfreememset
String ID: CONNECT phase completed!$allocate connect buffer!
API String ID: 3505321882-591125384
Opcode ID: 68d514f7b86cdb551b7cf433abbe7efe2060765152c071c8cb0d38a077bfa434
Instruction ID: d6377e24bc2d17cb33c10341651c559706a2b9002d95306db327c67ee89e0977
Opcode Fuzzy Hash: 68d514f7b86cdb551b7cf433abbe7efe2060765152c071c8cb0d38a077bfa434
Instruction Fuzzy Hash: 4B518732B086C2D2E759AF16D9447B9B390FB8478AF488039CB5D0B291DF78E969C315

Function 00007FF76C3577E0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C350B30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C350B51

memmove.VCRUNTIME140 ref: 00007FF76C357951
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35795F

Strings

Failed to parse FETCH response., xrefs: 00007FF76C35783E
Written %zu bytes, %I64u bytes are left for transfer, xrefs: 00007FF76C35791D
Found %I64d bytes to download, xrefs: 00007FF76C3578B2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _errnofreememmove
String ID: Failed to parse FETCH response.$Found %I64d bytes to download$Written %zu bytes, %I64u bytes are left for transfer
API String ID: 3569933452-4268564757
Opcode ID: b76e1b4a5518ac13d23085a089d378f1201aeba4be3151cabb2d5fcf983a087a
Instruction ID: 7b468d90d05282c527df46cdb6c9fc8d13d5d715e606f648199634bdd32edb65
Opcode Fuzzy Hash: b76e1b4a5518ac13d23085a089d378f1201aeba4be3151cabb2d5fcf983a087a
Instruction Fuzzy Hash: F551C062A1CBC2C2EB14AB26D440AB9FB60FB46795FC48039DB9D07A55DF7CE005C762

Function 00007FF76C316830 Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF76C31688C
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF76C3168BE
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF76C3168F9
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF76C31695C
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF76C316998

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sbumpc@?$basic_streambuf@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1457788575-0
Opcode ID: 6893421deeca5781e2c1d6a5238aa063ebb165829b01111c5705bc7182232999
Instruction ID: ec366517526ea20b6e49aaf76b6ff27986d2d734baed03a63fe47211ee9a21d1
Opcode Fuzzy Hash: 6893421deeca5781e2c1d6a5238aa063ebb165829b01111c5705bc7182232999
Instruction Fuzzy Hash: 3541A332608A81C6DB21DF5AE580A3DBBB0FB84B96F548139CE9E87B60CF39D451C711

Function 00007FF76C351F20 Relevance: 7.6, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C33EED0), ref: 00007FF76C351F55
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C33EED0), ref: 00007FF76C351F6A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C33EED0), ref: 00007FF76C351F7F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C33EED0), ref: 00007FF76C351FAC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C33EED0), ref: 00007FF76C351FB5
memmove.VCRUNTIME140(?,?,?,00007FF76C33EED0), ref: 00007FF76C351FE9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$calloc$memmove
String ID:
API String ID: 1476394334-0
Opcode ID: 64c6fdbff8a11b2532f15ed745b50853e0830a626b0b8bd0508148e4ab3add04
Instruction ID: d42a65eb1eace95ab13543bebfc91fbcc3432c4cbe05b4b094e2126135f3fec0
Opcode Fuzzy Hash: 64c6fdbff8a11b2532f15ed745b50853e0830a626b0b8bd0508148e4ab3add04
Instruction Fuzzy Hash: BC21AEB1A0DB82C6E760AF23D410639BAA0FB48BE1F844238DB9E57794EF3DD4548751

Function 00007FF76C370634 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37066F
memmove.VCRUNTIME140 ref: 00007FF76C370695
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3707D9

Strings

Start Date, xrefs: 00007FF76C3707AD
Start Date: %s, xrefs: 00007FF76C3707C7

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemallocmemmove
String ID: Start Date: %s$Start Date
API String ID: 2537350866-2389359183
Opcode ID: 645e973068f8d14e3c442d7c646b7d6f97955d556b955e8b6d6482bd4041ae52
Instruction ID: ca7a63832e60fe46be07717e96d9385e4a13957872cda98d879a61253cf2de53
Opcode Fuzzy Hash: 645e973068f8d14e3c442d7c646b7d6f97955d556b955e8b6d6482bd4041ae52
Instruction Fuzzy Hash: 7D210665A093C2C0EE15AB178611AF8B792AF16BD6F884539C90E07BD1DE3DA5448332

Function 00007FF76C370F08 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371349
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371389
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37139C

Strings

Signature, xrefs: 00007FF76C37131F
Signature: %s, xrefs: 00007FF76C371337

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$Signature
API String ID: 2190258309-1663925961
Opcode ID: 9126df0b5afe5ef941f56d6fbd578ce692d75b24dec8e5cc34924407e27a8d6a
Instruction ID: c65ccbd1c063f1f0a6e7c3c49c93629c29b6319e8e0285a7f24b459b79807d08
Opcode Fuzzy Hash: 9126df0b5afe5ef941f56d6fbd578ce692d75b24dec8e5cc34924407e27a8d6a
Instruction Fuzzy Hash: A221B262A09B86C5FA50AB17E450AFEB3A0FF85B86F840039DE4E07B55EE3CD045C765

Function 00007FF76C370F46 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C371A50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371A9C

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371349
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371389
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37139C

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

Signature, xrefs: 00007FF76C37131F
Signature: %s, xrefs: 00007FF76C371337

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: malloc$free
String ID: Signature: %s$Signature
API String ID: 1480856625-1663925961
Opcode ID: a4642c6a8c0f623f89d5f45499ed7478b5b89596c4b31a3bdf23ea40a6a4a95f
Instruction ID: 47dde8d06f44838f675f71e5f5e147a0dad0836570f049a289ee5fab738e1245
Opcode Fuzzy Hash: a4642c6a8c0f623f89d5f45499ed7478b5b89596c4b31a3bdf23ea40a6a4a95f
Instruction Fuzzy Hash: FB218376A08B82C5EA50AB17E454AEAB3A0FF85786F84003ADE4E07B15EF3CD045C765

Function 00007FF76C370F20 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C373560: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C373595

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371349
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C371389
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37139C

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

Signature, xrefs: 00007FF76C37131F
Signature: %s, xrefs: 00007FF76C371337

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: malloc$free
String ID: Signature: %s$Signature
API String ID: 1480856625-1663925961
Opcode ID: a04aec94a01de67136a3c8488be706026768e4ad02e76b0738e893e1c58f3096
Instruction ID: 2ac9d0528afc1cd49aac41c16429777477c80adc62a34d50b62a71bacc781edb
Opcode Fuzzy Hash: a04aec94a01de67136a3c8488be706026768e4ad02e76b0738e893e1c58f3096
Instruction Fuzzy Hash: 74218366A08B82C5EA50EB17E454AEAB3A0FF85786F84003ADE4E07B15EF3CD045C765

Function 00007FF76C334B60 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF76C335003
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF76C335017
CloseHandle.KERNEL32 ref: 00007FF76C335024
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF76C335046
closesocket.WS2_32 ref: 00007FF76C335064
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF76C33507D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: b7c469b9c50272ed13fe7d360d03cd1159581588343cfb076c67ffe656983371
Instruction ID: 4bbcb581841cdd47507c2bb5c48de76b091c561c1fabdb9331c8b970e2b2081b
Opcode Fuzzy Hash: b7c469b9c50272ed13fe7d360d03cd1159581588343cfb076c67ffe656983371
Instruction Fuzzy Hash: E8114C36A08A81C7E710AF13E544669B770FB89B92F444139DF8E07B44CF3EE4A58761

Function 00007FF76C34EB20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 206COMMON

Download Yara Rule

APIs

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00007FF76C34EE72

Strings

%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 00007FF76C34EE05
** Resuming transfer from byte position %I64d, xrefs: 00007FF76C34EBA8
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00007FF76C34EBBB

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: fflush
String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
API String ID: 497872470-664487449
Opcode ID: 1cd5326ffe5c89d474f7394fe99d3e6f104ab3c010b3591c91a5573f86731d3e
Instruction ID: 8256e4eedcc921fa26e3215600c1925348f0198b2c8fb16cbd4fab876226cde1
Opcode Fuzzy Hash: 1cd5326ffe5c89d474f7394fe99d3e6f104ab3c010b3591c91a5573f86731d3e
Instruction Fuzzy Hash: 1891B422606B86C5DA60EB06E544BAAF364FB84BC0F825036DE4D4BB95FF3CD445D781

Function 00007FF76C35BB40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 120networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C373750: memmove.VCRUNTIME140 ref: 00007FF76C3737F8
Part of subcall function 00007FF76C373750: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C373809

WSAGetLastError.WS2_32 ref: 00007FF76C35BCAA

Strings

FTP response aborted due to select/poll error: %d, xrefs: 00007FF76C35BCB8
We got a 421 - timeout!, xrefs: 00007FF76C35BCCE
FTP response timeout, xrefs: 00007FF76C35BCF7

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastfreememmove
String ID: FTP response aborted due to select/poll error: %d$FTP response timeout$We got a 421 - timeout!
API String ID: 1540152464-2064316097
Opcode ID: 23cf9610105657980b2ae86206a27269685fc60679ebbc9f262ad753cd3d57d1
Instruction ID: 49d686563c678f0a79b8c8e8023745c45cdf4b53e2012e516615e07d47ba99d7
Opcode Fuzzy Hash: 23cf9610105657980b2ae86206a27269685fc60679ebbc9f262ad753cd3d57d1
Instruction Fuzzy Hash: 5141C521A08A82C5F760BF279400BB9B7A4FB49799FC48139DF5D8B385EE3CE4458752

Function 00007FF76C3207F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C31FEB0: memmove.VCRUNTIME140 ref: 00007FF76C31FEE1

Part of subcall function 00007FF76C325AB0: memmove.VCRUNTIME140 ref: 00007FF76C325C6A

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C3208CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C320921
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF76C32099F

Strings

out_of_range, xrefs: 00007FF76C32083C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: out_of_range
API String ID: 15630516-3053435996
Opcode ID: 2ab4a17d05f9163cc9de7fb43529338f15fca0f13a97be7f78d8d893a7ce780d
Instruction ID: 6faf0de63d04d464b5eb30a099596b661bcd4900702efd379f0633edf6a9269a
Opcode Fuzzy Hash: 2ab4a17d05f9163cc9de7fb43529338f15fca0f13a97be7f78d8d893a7ce780d
Instruction Fuzzy Hash: EF51C572A08BC5C5EE10AB26E44176EB361FB857A5F904239D6AD03BE9DF3CE084C751

Function 00007FF76C372C45 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372C6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37310F

Strings

TRUE, xrefs: 00007FF76C373119
FALSE, xrefs: 00007FF76C372C60

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree
String ID: FALSE$TRUE
API String ID: 1865132094-1412513891
Opcode ID: 7a0ac71498421370ad996f4cff490362927955eaa5c88f67c1dfb3f62a368794
Instruction ID: ece3f29c0433ed0e4401ddd13b8364c76b16f97265222883bc2b2832811edb76
Opcode Fuzzy Hash: 7a0ac71498421370ad996f4cff490362927955eaa5c88f67c1dfb3f62a368794
Instruction Fuzzy Hash: 454126A1F09246C4FF05AA17991A6B8F791AB067A6F84453ADE4D0B3C0DE2DE540833A

Function 00007FF76C364DD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99networkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF76C364E11
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF76C364E50
WSAGetLastError.WS2_32 ref: 00007FF76C364EA8

Strings

TFTP response timeout, xrefs: 00007FF76C364E6A

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _time64$ErrorLast
String ID: TFTP response timeout
API String ID: 3339832089-3820788777
Opcode ID: 6927f1a4163830692c329c6e32629500f2de2583b1f017f14199414e138124f1
Instruction ID: 57fad1668021601136997f138d47ccbac665ddd71c668e851bdee393131a9d55
Opcode Fuzzy Hash: 6927f1a4163830692c329c6e32629500f2de2583b1f017f14199414e138124f1
Instruction Fuzzy Hash: 7341E832A08681C5E760EF27D410BB9B790EB49BA5F818239DE1D577C9DF3CD4018762

Function 00007FF76C3726DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B83
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372BFE

Strings

%s%lx, xrefs: 00007FF76C372748

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: isupper$free
String ID: %s%lx
API String ID: 573759493-530121141
Opcode ID: d527ada8ade7ecfa56ba3b172719db392c12cc6823c2fb702e40bff02885ca90
Instruction ID: a8cac76b155ebd14a9b17bb7bda45ffe4c9d198b477b330926a25fa2fdab7e1c
Opcode Fuzzy Hash: d527ada8ade7ecfa56ba3b172719db392c12cc6823c2fb702e40bff02885ca90
Instruction Fuzzy Hash: 4C311311E0D597C5FB12AF27865AB78FFA19B03B42FC44539C58A06A81DE2EE541C33A

Function 00007FF76C3729BF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B83
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372BFE

Strings

TRUE, xrefs: 00007FF76C372B5D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: isupper$free
String ID: TRUE
API String ID: 573759493-3412697401
Opcode ID: 6e949270edc3d642e131fa7b48bd87022cb680dfd3fcf7aff53e0eec1f037c97
Instruction ID: dad52764f6ec66d3a9ba4ae0d4fe6cc581c5599ce1c49f3949603f9175a070be
Opcode Fuzzy Hash: 6e949270edc3d642e131fa7b48bd87022cb680dfd3fcf7aff53e0eec1f037c97
Instruction Fuzzy Hash: A4311722E0C587C9FB01DF268659778BFA1AB07B95F844235CA9A46AC5CE2DD141C336

Function 00007FF76C33FA50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB75
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB90

Strings

..., xrefs: 00007FF76C33FAF8
..., xrefs: 00007FF76C33FAE2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: fwrite
String ID: ...$...
API String ID: 3559309478-2253869979
Opcode ID: cc5e1ffe1e98b91176a8b3f95d00f8597a6303a62665e83198dbe035b19a601a
Instruction ID: 6957a9066d1275bd1ea4da157a2dbf08f2816c4823cf6bb7031315f2af7fe278
Opcode Fuzzy Hash: cc5e1ffe1e98b91176a8b3f95d00f8597a6303a62665e83198dbe035b19a601a
Instruction Fuzzy Hash: AC31E461A09AC5C1EB60EB12E414BF9B3A1FB88785FC04235CA5E03790CF3DD015C791

Function 00007FF76C35B920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF76C35B972
accept.WS2_32 ref: 00007FF76C35B991

Part of subcall function 00007FF76C34E020: ioctlsocket.WS2_32 ref: 00007FF76C34E039

Strings

Connection accepted from server, xrefs: 00007FF76C35B9BF
Error accept()ing server connect, xrefs: 00007FF76C35B9AE

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: acceptgetsocknameioctlsocket
String ID: Connection accepted from server$Error accept()ing server connect
API String ID: 36920154-2331703088
Opcode ID: 7b736428fac4d0e5b68c1d54877851a7311014b4d4fad642fbef5f5e413bece9
Instruction ID: 1e63a28258d4ed5cb4f4b337192583b32f3a425f90b171d20dba509e35dcdaaf
Opcode Fuzzy Hash: 7b736428fac4d0e5b68c1d54877851a7311014b4d4fad642fbef5f5e413bece9
Instruction Fuzzy Hash: B63194216086C1C5E654EB22E444BAAB3A0FB48BA9FC41239DE6D4B7C5DF3DE1058762

Function 00007FF76C32BC43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32BCD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32BCEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32BD0B

Strings

:, xrefs: 00007FF76C32BCC6

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdup
String ID: :
API String ID: 2653869212-336475711
Opcode ID: 9d55a18ca533cc488087d91a8685ca0e891cf53c3e7487a43f84847c9b4c94d2
Instruction ID: f729d2c46ce35cd65052f7cebc944363fbcdc53653e7fa94f8369442b001de8a
Opcode Fuzzy Hash: 9d55a18ca533cc488087d91a8685ca0e891cf53c3e7487a43f84847c9b4c94d2
Instruction Fuzzy Hash: 7921AE32A09B85C6EE61AF06E5407A9B3A0FB44BA5F888139CF9D47384EF3CD4048761

Function 00007FF76C32BDC8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C32BCD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32BCEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32BD0B

Strings

:, xrefs: 00007FF76C32BCC6

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$_strdup
String ID: :
API String ID: 2653869212-336475711
Opcode ID: 674244ef9c0535a9a8747cbeff99938d769fccc67fed606d4fbde66a7aa8ecb3
Instruction ID: 581a8abe8fabbfcc817c90d652010509c5a03ed2633b8837bc5634a38d842c2a
Opcode Fuzzy Hash: 674244ef9c0535a9a8747cbeff99938d769fccc67fed606d4fbde66a7aa8ecb3
Instruction Fuzzy Hash: 38118E32A09B85C1EE61AF06E5407A9B3A0EB44BA5F88413ACF9D47394EF3CE4548761

Function 00007FF76C363820 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF76C36385D
WSAGetLastError.WS2_32 ref: 00007FF76C363867

Strings

Sending data failed (%d), xrefs: 00007FF76C36386D
SENT, xrefs: 00007FF76C363882

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ErrorLastsend
String ID: SENT$Sending data failed (%d)
API String ID: 1802528911-3459338696
Opcode ID: fe1ce7282310f26c10f005fc81da213437cf0d7eb6fe1701960341f3b47a97fd
Instruction ID: 26a8d04d35591de9efb0feb9e4a224acff709b2cf9c87f8274103e668a1850bf
Opcode Fuzzy Hash: fe1ce7282310f26c10f005fc81da213437cf0d7eb6fe1701960341f3b47a97fd
Instruction Fuzzy Hash: 6E01DE22708A92C1DB10AB2BE801859BB70EB99FC8B896139DB5D47B11CE38D505C391

Function 00007FF76C31D660 Relevance: 6.4, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF76C31D6E9
memmove.VCRUNTIME140 ref: 00007FF76C31D72C
memmove.VCRUNTIME140 ref: 00007FF76C31D744
memmove.VCRUNTIME140 ref: 00007FF76C31D7C6
memmove.VCRUNTIME140 ref: 00007FF76C31D7E0

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 802905112179594054f2c2b4ba1fd08375f3ca45d5e0ca94aeb3242eb6ac0d64
Instruction ID: cdc284d1598d44e90c797a5cfa17bcacf1d606fb6958678a84d028b92bdb7495
Opcode Fuzzy Hash: 802905112179594054f2c2b4ba1fd08375f3ca45d5e0ca94aeb3242eb6ac0d64
Instruction Fuzzy Hash: 0B41E132604B81D6EB12AF2AE5445A9B321F726BD0F944635CF6C07B82DF38E1E0C391

Function 00007FF76C379C80 Relevance: 6.4, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF76C379CB4
_CxxThrowException.VCRUNTIME140 ref: 00007FF76C379CE2
_CxxThrowException.VCRUNTIME140 ref: 00007FF76C379D12
_CxxThrowException.VCRUNTIME140 ref: 00007FF76C379D54
_CxxThrowException.VCRUNTIME140 ref: 00007FF76C379D8A

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 72819c585e659784e5d9a33e7a21a9f5d1a9cbe1d1279d8ce48f8406621303d6
Instruction ID: dc991969c3d7532e7177eed4271f56afcb9f2663ae4a15343a106300659f18eb
Opcode Fuzzy Hash: 72819c585e659784e5d9a33e7a21a9f5d1a9cbe1d1279d8ce48f8406621303d6
Instruction Fuzzy Hash: CB215EA6A14B80C9D718FE73D8524E97362FB8DBD8F44953AFE4D47B4ACE28D4404790

Function 00007FF76C34A930 Relevance: 6.3, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C34AD45), ref: 00007FF76C34A968
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C34AD45), ref: 00007FF76C34A971
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C34AD45), ref: 00007FF76C34A9EA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C34AD45), ref: 00007FF76C34A9FB
memmove.VCRUNTIME140(?,?,00000000,00007FF76C34AD45), ref: 00007FF76C34AA24

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$mallocmemmove
String ID:
API String ID: 1934541353-0
Opcode ID: 9cabeaae55df19c09b5fc046ef442e1caae62a35f39ea22151b81ffcd051e7f2
Instruction ID: ccb433a2ffa7b4048245f40088b2787ddb5d6a52258893abd83e7c313290ae54
Opcode Fuzzy Hash: 9cabeaae55df19c09b5fc046ef442e1caae62a35f39ea22151b81ffcd051e7f2
Instruction Fuzzy Hash: 8A31A422A09B85C1EB50AF13E940769B3A0EB09FE5F848239DE6E4B7C5DF3CD4548712

Function 00007FF76C33188B Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF76C331296

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID:
String ID: Resolving timed out after %I64d milliseconds
API String ID: 0-3343404259
Opcode ID: d4bd8f961c01d8f6c9ad39bc338a75a696d2099a47638f2714563e293faed805
Instruction ID: 7dc6b2f3e5d86a3b0e1e4bac137d4d1c14429845ca1f1742be9babca70695ccc
Opcode Fuzzy Hash: d4bd8f961c01d8f6c9ad39bc338a75a696d2099a47638f2714563e293faed805
Instruction Fuzzy Hash: 18B1B931A08686C5F764AE27D454BBDB3A0EF41B4AF944139CD0E4B296DF3DE444C3A2

Function 00007FF76C372DFF Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37310F

Strings

TRUE, xrefs: 00007FF76C373119
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF76C372F21
GMT, xrefs: 00007FF76C372EAE

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
API String ID: 1294909896-910067264
Opcode ID: 1008ff672a7a3c620490f3befc03e7857a942f8444ee8cb399f12ff33b302598
Instruction ID: 1cede5235fd0d3a4449fb48cab7d69ad7e2033fd1c12530fde97d7217da09d1e
Opcode Fuzzy Hash: 1008ff672a7a3c620490f3befc03e7857a942f8444ee8cb399f12ff33b302598
Instruction Fuzzy Hash: B7511962B0C696C4EB119B17A6099B9FBA5FB02796FC4403ADA4D03B54DF3DD441C336

Function 00007FF76C372110 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372446

Strings

%s: %s, xrefs: 00007FF76C372431
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF76C37223A
GMT, xrefs: 00007FF76C3721CE

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %s: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s
API String ID: 1294909896-2632828617
Opcode ID: 05d40c5e7b8570f2c8cac0e9a813d49927c0426b82e49adf5c7aee4e9bb0e51c
Instruction ID: 8d75175f305b7dcc3df2e64a5c9fbf1b8f5c075d7fa25985d95231a1244a04f7
Opcode Fuzzy Hash: 05d40c5e7b8570f2c8cac0e9a813d49927c0426b82e49adf5c7aee4e9bb0e51c
Instruction Fuzzy Hash: 2741C461A0C6D2C5EA219B12A609BB9F7A0FB06B92F844039CB4D03754CF3DE545C776

Function 00007FF76C3165A0 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,7FFFFFFFFFFFFFFF,00000000,00007FF76C3160F0), ref: 00007FF76C316684
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,7FFFFFFFFFFFFFFF,00000000,00007FF76C3160F0), ref: 00007FF76C3166C2
memmove.VCRUNTIME140 ref: 00007FF76C3166CC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C316705

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 57b51a8c635622f8d9f7d5f01c3f3ab2648edfd40d090a1e59034f0fec72160a
Instruction ID: 3cd980c959336cb854ff5205784446d833ef8556f3ff28d4a1f70674a40f0eeb
Opcode Fuzzy Hash: 57b51a8c635622f8d9f7d5f01c3f3ab2648edfd40d090a1e59034f0fec72160a
Instruction Fuzzy Hash: 35410132B09B81C8EE11AB67A144A6CF3A1EB45BD5F984239CE5D47B95CE7CD041C321

Function 00007FF76C373A80 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00007FF76C355D6B), ref: 00007FF76C373ADE

Strings

%s, xrefs: 00007FF76C373AB4

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %s
API String ID: 1294909896-3043279178
Opcode ID: 99c5245ea1296ffde5abc40f34589e1d0eb5484a2dc5c5139945c2da538ee967
Instruction ID: 3f2ac689889cb3619c6a8bd141b64bbea93f3b12bbb5d65346b772eebe6eeb78
Opcode Fuzzy Hash: 99c5245ea1296ffde5abc40f34589e1d0eb5484a2dc5c5139945c2da538ee967
Instruction Fuzzy Hash: E4419332A18B85C2DA90EB16F4415AAF7A0FB85BA1F540139DF9E07BA1DF3CE495C310

Function 00007FF76C373EC0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00007FF76C3575B0,?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?), ref: 00007FF76C373F13
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C373F9C

Strings

%s, xrefs: 00007FF76C373EE5

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %s
API String ID: 1294909896-3043279178
Opcode ID: 7ed0b569015fbb09826a0379e959182ce879e00e491ffc2fb4531db0d787b82a
Instruction ID: 67ad4cc4dfdf49daaedf03370f638a1502260d142c8b7076c5276026458a365f
Opcode Fuzzy Hash: 7ed0b569015fbb09826a0379e959182ce879e00e491ffc2fb4531db0d787b82a
Instruction Fuzzy Hash: 39418432A08B45C2EA51AB27B5415AAF3A0FB45BD1F444138DF8E47BA1DF3CE0858715

Function 00007FF76C372D45 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37310F

Strings

TRUE, xrefs: 00007FF76C373119
GMT, xrefs: 00007FF76C372D99
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF76C372DEB

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$TRUE
API String ID: 1294909896-918878739
Opcode ID: 85f46235454a9c6a6c81e661cab0dc356034a704c2ec8f7efb83ff05e8c0a442
Instruction ID: f7fb892af0d4de2c384e6f0c433946200a85d27fe84412802b312b096eef1297
Opcode Fuzzy Hash: 85f46235454a9c6a6c81e661cab0dc356034a704c2ec8f7efb83ff05e8c0a442
Instruction Fuzzy Hash: 7E31F162A09B85C4EB519B23DA056A8F7A2FB46B92FC4403ACA4D07784DF3DE541C325

Function 00007FF76C3155B0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF76C31118E), ref: 00007FF76C315621
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF76C31118E), ref: 00007FF76C31568B

Part of subcall function 00007FF76C3784F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C3157CA,?,?,?,?,?,?,?,00007FF76C31118E), ref: 00007FF76C37850A

memmove.VCRUNTIME140(?,?,?,00007FF76C31118E), ref: 00007FF76C3156B3
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF76C3156E1

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 3d5303f46380ffb3e770df0726efbd6f4cc7112fe6a177eb2947a5462595e725
Instruction ID: d89ff79d1e9893dd784daab37f4cb323ff4e12d77eff2bba65564736bd54b22b
Opcode Fuzzy Hash: 3d5303f46380ffb3e770df0726efbd6f4cc7112fe6a177eb2947a5462595e725
Instruction Fuzzy Hash: E8316D31A09782C9EA15AF22A440779B360EB14BA5F981738DB7D07FD1CF3CD0528352

Function 00007FF76C35F55D Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35F594

Part of subcall function 00007FF76C33FA50: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB75
Part of subcall function 00007FF76C33FA50: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF76C33FB90

Strings

Wildcard - "%s" skipped by user, xrefs: 00007FF76C35F5FD
Wildcard - START of "%s", xrefs: 00007FF76C35F59D
%s%s, xrefs: 00007FF76C35F564

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: fwrite$free
String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
API String ID: 3468156532-1133524294
Opcode ID: e136dbf9f441ac8e451b338ded0dfd5f1dd260cb128f691fda4e896475c89939
Instruction ID: 60666f20b85070f5eeec7deab84541870f52c1df8f0aa22a70a354b8bb0b50f8
Opcode Fuzzy Hash: e136dbf9f441ac8e451b338ded0dfd5f1dd260cb128f691fda4e896475c89939
Instruction Fuzzy Hash: 6E414236A08A82C5E710EF27D4409ADB7A0EB48B86FC9413ACF4E4B395DF39D444C762

Function 00007FF76C372055 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372446

Strings

%s: %s, xrefs: 00007FF76C372431
GMT, xrefs: 00007FF76C3720A9
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF76C3720F9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: %s: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
API String ID: 1294909896-1153420294
Opcode ID: fa8fed30186aba6a4e1af7be4f59decd1c9c566d7eccbb58121c3f13c3b8ce00
Instruction ID: a993e1704ffb29ed6faa1954116447ae008b28d28d65f5f9fae94e586fb3c49b
Opcode Fuzzy Hash: fa8fed30186aba6a4e1af7be4f59decd1c9c566d7eccbb58121c3f13c3b8ce00
Instruction Fuzzy Hash: 0C31C362A08B81C4EB60AB52E649AE9F390FB46B82FD40039CA4D03255CF7DD645C736

Function 00007FF76C372F8D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372FC8
memmove.VCRUNTIME140 ref: 00007FF76C372FEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37310F

Strings

TRUE, xrefs: 00007FF76C373119

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: freemallocmemmove
String ID: TRUE
API String ID: 2537350866-3412697401
Opcode ID: 2d4bb351302d831bfebcd9c632c6d04f713925cca0e941be01b971f6ff58826f
Instruction ID: a91ebcb78b034efd5b02a58b95fddf2fd2081772a2751f137af329e54d47a4fc
Opcode Fuzzy Hash: 2d4bb351302d831bfebcd9c632c6d04f713925cca0e941be01b971f6ff58826f
Instruction Fuzzy Hash: E4214765B09B42C4EF45DA1796097B4B792AB06BF1F84413ACD1E037C4DE3DD0818335

Function 00007FF76C37278A Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372791
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B83
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372BFE

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: isupper$_strdupfree
String ID:
API String ID: 3359907120-0
Opcode ID: fc4fc429732e00a44db8fe2e5d174b6341ba560f848fdfd93ac567f87e273a55
Instruction ID: cab1f6fa7b3f9403bb59644c91faae648d86f2d42f9ada40d5beabeb9d74c3b9
Opcode Fuzzy Hash: fc4fc429732e00a44db8fe2e5d174b6341ba560f848fdfd93ac567f87e273a55
Instruction Fuzzy Hash: 4A21E011E0D5D7C5FB12EF27865AB38FFA19B13B42F880579C58A45A81CE2ED541C33A

Function 00007FF76C32E5ED Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 54stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF76C32E2B8), ref: 00007FF76C32E405
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF76C32E2B8), ref: 00007FF76C32E41F

Strings

I32, xrefs: 00007FF76C32E3F5
I64, xrefs: 00007FF76C32E415

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: b1fd929e1ea02ce3b4e574b7c926a0cbc35f4da2a7fe06a434e72a59128ba437
Instruction ID: 7883b8713e195fba66c61e668010e24b552dbd795039bf47a1b08181faf946db
Opcode Fuzzy Hash: b1fd929e1ea02ce3b4e574b7c926a0cbc35f4da2a7fe06a434e72a59128ba437
Instruction Fuzzy Hash: 1221C632A086A3C5EF616B32D451EB9B7949B05F4BF894538CA5A46284DE2CE90487B2

Function 00007FF76C35B840 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54stringCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35B85D
strstr.VCRUNTIME140 ref: 00007FF76C35B89C
strstr.VCRUNTIME140 ref: 00007FF76C35B8B4

Strings

;type=, xrefs: 00007FF76C35B88F, 00007FF76C35B8AD

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: strstr$calloc
String ID: ;type=
API String ID: 3224321581-3507045495
Opcode ID: f68a191c9b8f20b82da7e8e041d4e816902b3fd0c790a73ad980d8742af74313
Instruction ID: 3060d2121486a821722d2986a5dbc102bc48ecc1af5c453fd328d32aec72fd1d
Opcode Fuzzy Hash: f68a191c9b8f20b82da7e8e041d4e816902b3fd0c790a73ad980d8742af74313
Instruction Fuzzy Hash: 3521FB31A087C1C1E7559B26E4407A97BA0FB44798F885239DBAD4B7C5DF3CE491C321

Function 00007FF76C376570 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF76C3765AD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3765BD
WideCharToMultiByte.KERNEL32 ref: 00007FF76C3765EC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3765F9

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: c1d6b819950136bb12358642d9b14dbf1d8b50b5778c953896405999a56a868f
Instruction ID: 5065406fa42454a6022a135ced0d3a8646aefd79ddeec9bbbecab3daa3ec79c8
Opcode Fuzzy Hash: c1d6b819950136bb12358642d9b14dbf1d8b50b5778c953896405999a56a868f
Instruction Fuzzy Hash: 78118E31B09B46C6E710AF62B955929B7B0EB88BC1B884038DB4A97B14DF38E5018765

Function 00007FF76C34ACF0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AD4A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AD6A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C34AD73

Strings

Proxy-Connection: Keep-Alive, xrefs: 00007FF76C34AD00

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID: Proxy-Connection: Keep-Alive
API String ID: 1294909896-2835282938
Opcode ID: 376a8986730c62dd9a4c920ab9db2ce35aa2abf6bbf9b22cd592376a19957654
Instruction ID: 639b0190a1c3d4ddb0f1c56fa1f2f8cfcb565a526cc96085a30b48192df0ab28
Opcode Fuzzy Hash: 376a8986730c62dd9a4c920ab9db2ce35aa2abf6bbf9b22cd592376a19957654
Instruction Fuzzy Hash: C3010862F09700C2FA156B56A8507A9B6909F48BF3F448238CE6D0B3D0DF3C88898750

Function 00007FF76C3767A0 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3767C6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C3767D7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C376806

Part of subcall function 00007FF76C376830: strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF76C3767F0), ref: 00007FF76C37689F

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3767FD

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree$strchr
String ID:
API String ID: 1739957132-0
Opcode ID: a0101cdfa49fb209d86112a1354245424091e60fc42ac384daf90f3d044b54de
Instruction ID: 0b022bace9743f78b5d0683035029ed7fbdc88d9b2e0b226c96264f5ff0820bb
Opcode Fuzzy Hash: a0101cdfa49fb209d86112a1354245424091e60fc42ac384daf90f3d044b54de
Instruction Fuzzy Hash: 1A01B951F0E78182FF59AB1761A5438B2B06F49BC1F88447DDD0E83744EF1CD8958726

Function 00007FF76C335090 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,00007FF76C335042,?,?,?,00000000), ref: 00007FF76C3350A1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335042,?,?,?,00000000), ref: 00007FF76C3350AA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C335042,?,?,?,00000000), ref: 00007FF76C3350B4
closesocket.WS2_32 ref: 00007FF76C3350D2

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$CriticalDeleteSectionclosesocket
String ID:
API String ID: 3086658127-0
Opcode ID: e6065c34bd9fd7665f1a29da9260240fc75fadae23c59dc187488d4a932b61f2
Instruction ID: 489fc13fed05d30c0827fca3083f79ea267cbd40a7f399024c479886ebd24a32
Opcode Fuzzy Hash: e6065c34bd9fd7665f1a29da9260240fc75fadae23c59dc187488d4a932b61f2
Instruction Fuzzy Hash: 23010C12D19A82C3EB44EF32C9605787360FFE9F29B416329DE6E011A5AF68A5D48311

Function 00007FF76C367AEF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C367BE5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C367C47

Strings

%ld, xrefs: 00007FF76C367B1C

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree
String ID: %ld
API String ID: 1865132094-1112595699
Opcode ID: 57a3f8d6c35ad66ff5f26708f499374c9b3277a3990a07a39963c7f585c7f855
Instruction ID: 737f625a4e2e360a710f1df333130f512b9cd6b2492786ce70ad3d31d3012f8f
Opcode Fuzzy Hash: 57a3f8d6c35ad66ff5f26708f499374c9b3277a3990a07a39963c7f585c7f855
Instruction Fuzzy Hash: A231C822A0DA42C1FA75EB639050BBAB790AF45746FD60039DA4D17785EF3CE444C732

Function 00007FF76C343030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C3430A9
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C343142

Strings

identity, xrefs: 00007FF76C343064, 00007FF76C3430D3, 00007FF76C34313B

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupmalloc
String ID: identity
API String ID: 3515966317-1788209604
Opcode ID: e66af6c4f9ade603a49866f33157afbd46f7a3ea0939318be889fcbbf3a58f28
Instruction ID: 00f8991cfb3bbc4681ca502afccfc8abb8ac5acba89dc3f5f0a2daa502f4c2ac
Opcode Fuzzy Hash: e66af6c4f9ade603a49866f33157afbd46f7a3ea0939318be889fcbbf3a58f28
Instruction Fuzzy Hash: 6C31E761E0AA86C1FB81AB16D940775F7A0AF44BE6F898238CE1D473D4EF2CD4458321

Function 00007FF76C32E000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32E020
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C32E07B

Strings

, xrefs: 00007FF76C32E033

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: mallocrealloc
String ID:
API String ID: 948496778-3916222277
Opcode ID: e94f5cdb75c950c2740f760a2f91d4e0736702ef94c0651a508f7944ff44a452
Instruction ID: 812f5a4becc2b3667f67b7642f4c58f8e2d0c076b23489d573dced7f00bada2d
Opcode Fuzzy Hash: e94f5cdb75c950c2740f760a2f91d4e0736702ef94c0651a508f7944ff44a452
Instruction Fuzzy Hash: F311AF72609B81C1DB549F27E1402A9B7A0FB08FD5F848139DA5E07788EF3CD891C391

Function 00007FF76C340F70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FF76C340FEF
setsockopt.WS2_32 ref: 00007FF76C34101E

Strings

@, xrefs: 00007FF76C340F7F

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: getsockoptsetsockopt
String ID: @
API String ID: 194641219-2726393805
Opcode ID: a8f8a15b25916064966fa32856a7fd5acc42e338f16d970676a69efc016cda55
Instruction ID: 5951f7dce40d0c4cb28a36a967936998d25ff61a1cdaddf7a7c5e86ff4973681
Opcode Fuzzy Hash: a8f8a15b25916064966fa32856a7fd5acc42e338f16d970676a69efc016cda55
Instruction Fuzzy Hash: B1118271A0C182C6F760EF12E805AA6F7A0FB8534AF944038DB484BA94DBBDD599CB11

Function 00007FF76C372D18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C372D1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C37310F

Strings

TRUE, xrefs: 00007FF76C373119

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfree
String ID: TRUE
API String ID: 1865132094-3412697401
Opcode ID: 213a7e9061b6b9024912f3341fdbacb041f930a0680c4625f7bae1a8d067af90
Instruction ID: 1c8f6587cdeecb6178898d78dcedcf2091185f8f23fd01012dbb4712e3db70ab
Opcode Fuzzy Hash: 213a7e9061b6b9024912f3341fdbacb041f930a0680c4625f7bae1a8d067af90
Instruction Fuzzy Hash: C601F9A6F0E645C4FB029B13D9156B8B761BB06BE6F84443ACE0E07390DE3DD4818335

Function 00007FF76C372028 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF76C37202F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C372446

Part of subcall function 00007FF76C33A1A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C33A1F2

Strings

%s: %s, xrefs: 00007FF76C372431

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: %s: %s
API String ID: 3985033223-1451338302
Opcode ID: 3dc5c5f85b59fb888ab8b0b5595986c5c5bba1adc293ac1f03581c6924fb86e2
Instruction ID: 97259309cafe973786b5652394ce27f31299102449df27db14ba83c9c4a205ce
Opcode Fuzzy Hash: 3dc5c5f85b59fb888ab8b0b5595986c5c5bba1adc293ac1f03581c6924fb86e2
Instruction Fuzzy Hash: 95F04F91A0D681C2EA61AB13F905FF5B360AF45BD2F884439CE4E073529E3CD5898726

Function 00007FF76C335B60 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF76C32F690: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C339C90), ref: 00007FF76C32F6B7
Part of subcall function 00007FF76C32F690: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C339C90), ref: 00007FF76C32F6C3

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335B96
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335BA6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C335BB4
memset.VCRUNTIME140 ref: 00007FF76C335BEF

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: e53b978167ceb9468db9350c7236f2eeb9b758ee64c9a7439acd5f3c50bf64fe
Instruction ID: 5d4de00212d2c9e0eb1410e0f7b825337318fb868f7a350e42673e5b3746242a
Opcode Fuzzy Hash: e53b978167ceb9468db9350c7236f2eeb9b758ee64c9a7439acd5f3c50bf64fe
Instruction Fuzzy Hash: 4C211A32E18B91E3E704DB22D6906A8B360FB99750F519229EB8D43A11DF74F1F5C340

Function 00007FF76C374060 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C356023), ref: 00007FF76C376FF6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C356023), ref: 00007FF76C377015
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C356023), ref: 00007FF76C37702F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF76C356023), ref: 00007FF76C37703D

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2b2ba1a3e79af3b65418d18d4aa77cbdbf5ce9e38100f5acbc1927a1a1e45bb9
Instruction ID: 93183393e134789c4a5f7231725425d93abea4be7504893004898accdfa856f5
Opcode Fuzzy Hash: 2b2ba1a3e79af3b65418d18d4aa77cbdbf5ce9e38100f5acbc1927a1a1e45bb9
Instruction Fuzzy Hash: D1115E36A09A01C1EB50AF26E49067CB3B4EF84F95F544039CA0E42764DF3CD894C762

Function 00007FF76C35BF90 Relevance: 5.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35BFC8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35BFEE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35C00A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF76C35C01E

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8952ac6fd4e53bbabe20cb384a18410bb6eaa72cb7eb8d9e19d29fa112ef5033
Instruction ID: 44f8f60e7a8b11285c7d748cec67206d0aa0ba0b70f0ee9c674c0d4cf9e32f27
Opcode Fuzzy Hash: 8952ac6fd4e53bbabe20cb384a18410bb6eaa72cb7eb8d9e19d29fa112ef5033
Instruction Fuzzy Hash: 82110036609B45C5D7809F26E580668B7A4FB48F59F884039DF8E57718CF34E899C750

Function 00007FF76C36DA90 Relevance: 5.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369B8E,?,?,?,00007FF76C33B402), ref: 00007FF76C36DAB6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369B8E,?,?,?,00007FF76C33B402), ref: 00007FF76C36DAD7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369B8E,?,?,?,00007FF76C33B402), ref: 00007FF76C36DAF2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF76C369B8E,?,?,?,00007FF76C33B402), ref: 00007FF76C36DB00

Memory Dump Source

Source File: 00000000.00000002.1382816137.00007FF76C311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76C310000, based on PE: true

Associated: 00000000.00000002.1382792826.00007FF76C310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382879549.00007FF76C37B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382912218.00007FF76C396000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1382928311.00007FF76C398000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff76c310000_tpmbypassprivatestore.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 60de26c849afc63f796b88f3f6179a90b259070c00f3c6a51290a8a63c5b7bbb
Instruction ID: 5ccffb8330a532af998e6488a6d0fbaca47fd4e9a434972ca96339ebdf0ca6a8
Opcode Fuzzy Hash: 60de26c849afc63f796b88f3f6179a90b259070c00f3c6a51290a8a63c5b7bbb
Instruction Fuzzy Hash: 7711A576A09B41C2DB44AF2AE89142CB7B4FF98F99754006ACA4E43768CF38D895C791

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tpmbypassprivatestore.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
tpmbypassprivatestore.exe

Function 00007FF76C313790 Relevance: 191.7, APIs: 96, Strings: 13, Instructions: 916
processsleepstringCOMMON

Function 00007FF76C322B00 Relevance: 58.7, APIs: 21, Strings: 12, Instructions: 908
windowthreadCOMMON

Function 00007FF76C3428D0 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191
libraryloadernetworkCOMMON

Function 00007FF76C341C20 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357
networkCOMMON

Function 00007FF76C325740 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 215
COMMON

Function 00007FF76C329400 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 134
COMMON

Function 00007FF76C3425B0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128
librarystringloaderCOMMON

Function 00007FF76C34DDF0 Relevance: 22.6, APIs: 15, Instructions: 127
networkCOMMON

Function 00007FF76C3408E0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337
COMMON

Function 00007FF76C353DE0 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415
encryptionCOMMON

Function 00007FF76C353000 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348
libraryloaderCOMMON

Function 00007FF76C335210 Relevance: 28.7, APIs: 19, Instructions: 165
COMMON