Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Analysis ID:	1501355
MD5:	0b1d213e54d820dd3fefa386aa3e1f43
SHA1:	12e6ac4bed321f1a44e6d71338502e3dae943466
SHA256:	0e7ff3739925d9952c557cd8c3454c181549953975cc6241e95a638c52c33dcd
Tags:	exe
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Excessive usage of taskkill to terminate processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe" MD5: 0B1D213E54D820DD3FEFA386AA3E1F43)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7344 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7372 cmdline: taskkill /f /im HTTPDebuggerUI.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7424 cmdline: taskkill /f /im HTTPDebuggerSvc.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7488 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7504 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7520 cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7552 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7568 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7692 cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7720 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7736 cmdline: taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7764 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7780 cmdline: taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7812 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7828 cmdline: taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7856 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7868 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7968 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7996 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8012 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 8056 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 8084 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8100 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 8136 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8152 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 8168 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 1836 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 1196 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7244 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7388 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 3232 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7452 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7492 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7528 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7516 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7568 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7700 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7696 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7756 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

taskkill.exe (PID: 7728 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7772 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 6472 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7844 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.101.104.92/as.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52D8ED strtol,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,_strdup,CertOpenStore,GetLastError,free,free,CryptStringToBinaryA,CertFindCertificateInStore,fopen,fseek,ftell,fseek,malloc,fread,fclose,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertCloseStore,calloc,CertFreeCertificateContext,fclose,free,CertFreeCertificateContext,free,calloc,	4_2_00007FF6CE52D8ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE549DA0 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,malloc,ReadFile,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,free,	4_2_00007FF6CE549DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52FB70 CryptAcquireContextA,CryptCreateHash,	4_2_00007FF6CE52FB70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52CBE0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	4_2_00007FF6CE52CBE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52FBC0 CryptHashData,	4_2_00007FF6CE52FBC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52FBD0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	4_2_00007FF6CE52FBD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52CCB0 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	4_2_00007FF6CE52CCB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE5507F0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	4_2_00007FF6CE5507F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE5528E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	4_2_00007FF6CE5528E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE549480 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertGetNameStringA,malloc,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,	4_2_00007FF6CE549480

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: -----BEGIN PUBLIC KEY-----		4_2_00007FF6CE512A90
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: mov dword ptr [rbp+04h], 424D53FFh

4_2_00007FF6CE53C4B0

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.7:49709 version: TLS 1.2

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: b0E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Cybertins\Auth Plus\KeyAuth-CPP-Example-main\x64\Release\FivemUnbanBaimless.pdb source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Source:	Binary string: E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Cybertins\Auth Plus\KeyAuth-CPP-Example-main\x64\Release\FivemUnbanBaimless.pdb source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Source: global traffic

HTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 54Content-Type: application/x-www-form-urlencoded

Source: Joe Sandbox View

IP Address: 104.26.0.5 104.26.0.5

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE509770 malloc,recv,free,

4_2_00007FF6CE509770

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: unknown

HTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 54Content-Type: application/x-www-form-urlencoded

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	String found in binary or memory: http://185.101.104.92/as.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	String found in binary or memory: http://185.101.104.92/as.exeC:
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415048357.0000018E503A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415006221.0000018E503B9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5037B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415092286.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415006221.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415092286.0000018E503B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.cc/panel/bronkz/valorantplus/
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5035C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5035C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/ce
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5035C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.1/pace

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.7:49709 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE5507F0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

4_2_00007FF6CE5507F0

Source: cmd.exe

Process created: 56

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE522F40	4_2_00007FF6CE522F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52D8ED	4_2_00007FF6CE52D8ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE4F18E0	4_2_00007FF6CE4F18E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE51B670	4_2_00007FF6CE51B670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE504510	4_2_00007FF6CE504510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE51C330	4_2_00007FF6CE51C330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE51A330	4_2_00007FF6CE51A330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE513FB0	4_2_00007FF6CE513FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52FF80	4_2_00007FF6CE52FF80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE544F60	4_2_00007FF6CE544F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE4F1000	4_2_00007FF6CE4F1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE528D90	4_2_00007FF6CE528D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE4FAF0B	4_2_00007FF6CE4FAF0B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE543F30	4_2_00007FF6CE543F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE53CED0	4_2_00007FF6CE53CED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE540BD0	4_2_00007FF6CE540BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE4FAD2D	4_2_00007FF6CE4FAD2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE516CE0	4_2_00007FF6CE516CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52D9AC	4_2_00007FF6CE52D9AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52D9B5	4_2_00007FF6CE52D9B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE4FEA20	4_2_00007FF6CE4FEA20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE5507F0	4_2_00007FF6CE5507F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE552870	4_2_00007FF6CE552870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE4FF5B0	4_2_00007FF6CE4FF5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE52B670	4_2_00007FF6CE52B670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE5383A0	4_2_00007FF6CE5383A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE500340	4_2_00007FF6CE500340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE50C340	4_2_00007FF6CE50C340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE4FC3CD	4_2_00007FF6CE4FC3CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE549480	4_2_00007FF6CE549480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE51D1F0	4_2_00007FF6CE51D1F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE526240	4_2_00007FF6CE526240

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE519320 appears 380 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE51DDC0 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE553E18 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE5069E0 appears 49 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE51C760 appears 46 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE513BF0 appears 70 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE51DC50 appears 37 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE51DCE0 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE5194A0 appears 323 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: String function: 00007FF6CE51C830 appears 36 times

Source: classification engine

Classification label: mal80.evad.winEXE@107/28@1/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE505FF0 GetLastError,_errno,FormatMessageA,strchr,_errno,_errno,GetLastError,SetLastError,

4_2_00007FF6CE505FF0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

ReversingLabs: Detection: 60%

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I32I64%ld.%ld$@

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: b0E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Cybertins\Auth Plus\KeyAuth-CPP-Example-main\x64\Release\FivemUnbanBaimless.pdb source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Source:	Binary string: E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Cybertins\Auth Plus\KeyAuth-CPP-Example-main\x64\Release\FivemUnbanBaimless.pdb source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE51C010 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,

4_2_00007FF6CE51C010

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro

Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Binary or memory string: TASKKILL /IM OLLYDBG.EXE /F
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Binary or memory string: BAD CASTQWERTYUIOPASDFGHJKLZXCVBNMQWERTYUIOPASDFGHJKLZXCVBNM1234567890 \| DEVELOPER : BRONKZ TASKKILL /IM PROCESSHACKER.EXE /FTASKKILL /IM DNSPY.EXE /FTASKKILL /IM CHEATENGINE-X86_64.EXE /FCLSTASKKILL /IM OLLYDBG.EXE /FTASKKILL /IM IDA.EXE /FTASKKILL /IM IDA64.EXE /FTASKKILL /IM RADARE2.EXE /FTASKKILL /IM X64DBG.EXE /FSTOP DEBUGGING U YERK
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Binary or memory string: TASKKILL /IM PROCESSHACKER.EXE /F
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Binary or memory string: TASKKILL /IM X64DBG.EXE /F

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 6057

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

API coverage: 5.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5037B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>[$P

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE504D00 GetStdHandle,GetConsoleMode,SetConsoleMode,GetStdHandle,GetConsoleScreenBufferInfoEx,SetConsoleScreenBufferInfoEx,GetConsoleMode,SetConsoleMode,IsDebuggerPresent,system,system,system,system,system,system,system,system,system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetConsoleWindow,GetWindowLongA,SetWindowLongA,GetConsoleWindow,GetWindowRect,MoveWindow,system,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,system,Beep,system,system,exit,

4_2_00007FF6CE504D00

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE553CB8 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

4_2_00007FF6CE553CB8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE51C010 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,

4_2_00007FF6CE51C010

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE4F31E0 GetProcessHeap,

4_2_00007FF6CE4F31E0

Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE553AC4 SetUnhandledExceptionFilter,	4_2_00007FF6CE553AC4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE55391C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF6CE55391C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE55340C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF6CE55340C

HIPS / PFW / Operating System Protection Evasion

Excessive usage of taskkill to terminate processes

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark" /IM /F /T	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Code function: 4_2_00007FF6CE553B30 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF6CE553B30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE528410 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,	4_2_00007FF6CE528410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE51AFE0 memset,strncmp,strncmp,strchr,htons,atoi,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	4_2_00007FF6CE51AFE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE53F100 calloc,calloc,calloc,bind,WSAGetLastError,	4_2_00007FF6CE53F100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE53EEC9 calloc,calloc,calloc,bind,WSAGetLastError,	4_2_00007FF6CE53EEC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Code function: 4_2_00007FF6CE5383A0 calloc,strchr,strncpy,strchr,strncpy,strchr,strtoul,strchr,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,	4_2_00007FF6CE5383A0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Exploitation of Remote Services	12 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Process Injection	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	61%	ReversingLabs	Win64.Trojan.Tedy
SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	100%	Avira	HEUR/AGEN.1315672
SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe
http://185.101.104.92/as.exe	100%	Avira URL Cloud	malware
https://keyauth.cc/panel/bronkz/valorantplus/	0%	Avira URL Cloud	safe
http://185.101.104.92/as.exeC:	0%	Avira URL Cloud	safe
https://keyauth.win/api/1.1/ce	0%	Avira URL Cloud	safe
https://keyauth.win/api/1.1/	0%	Avira URL Cloud	safe
https://keyauth.win/api/1.1/pace	0%	Avira URL Cloud	safe
https://curl.haxx.se/docs/http-cookies.html#	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.0.5	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.1/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.1/pace	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5035C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.101.104.92/as.exe	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	false	Avira URL Cloud: malware	unknown
https://keyauth.cc/panel/bronkz/valorantplus/	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415048357.0000018E503A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415006221.0000018E503B9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5037B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415092286.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415006221.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415092286.0000018E503B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/http-cookies.html	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	false	URL Reputation: safe	unknown
https://curl.haxx.se/docs/http-cookies.html#	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	false	Avira URL Cloud: safe	unknown
https://keyauth.win/api/1.1/ce	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5035C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.101.104.92/as.exeC:	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.0.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501355
Start date and time:	2024-08-29 19:28:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	70
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@107/28@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 238
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Simulations

Behavior and APIs

Time	Type	Description
14:39:28	API Interceptor	3133x Sleep call for process: conhost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.0.5	SecuriteInfo.com.Win64.MalwareX-gen.26384.14234.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.73779679.12724.23011.exe	Get hash	malicious	Unknown	Browse
	PmTPg1LYm4.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.HacktoolX-gen.11863.1266.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.HacktoolX-gen.11863.1266.exe	Get hash	malicious	Unknown	Browse
	Loader.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.2830.16242.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.25703.16605.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W64.Agent.NV.tr.9318.30020.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.1540.18028.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	SecuriteInfo.com.Win64.MalwareX-gen.29811.31558.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.28454.21428.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win32.Evo-gen.24813.27582.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Win64.MalwareX-gen.26384.14234.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Trojan.GenericKD.73779679.12724.23011.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Trojan.MulDrop28.40.18458.1049.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Trojan.MulDrop28.40.18458.1049.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	PmTPg1LYm4.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.HacktoolX-gen.11863.1266.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	aj.exe	Get hash	malicious	Unknown	Browse	172.67.72.57

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://outbound.knectit.co.uk/u/click?_t=bnBkL3ZkcGpzYnVvcHV0c2pnQW9icGUvenNzYmMwd2ZlL3RzZmxzcHgvNjYxNHNmb3NmeHQvZm9qbmJnM29wbzAwO3RxdXVp	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	New Document from Community Insurance Center.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	z47maaaaaaaaaaaaax.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	172.64.148.10
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://alkimialofts.com/on%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher	Browse	104.26.0.100
	https://decktop.us/MUYKd1	Get hash	malicious	Unknown	Browse	162.247.243.29
	sxs.exe	Get hash	malicious	Unknown	Browse	172.67.41.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://getquckbulck.top	Get hash	malicious	Unknown	Browse	104.26.0.5
	z47maaaaaaaaaaaaax.exe	Get hash	malicious	AgentTesla	Browse	104.26.0.5
	https://decktop.us/MUYKd1	Get hash	malicious	Unknown	Browse	104.26.0.5
	Page1.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.0.5
	Detailed Itinerary.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	104.26.0.5
	https://tmx.velsol.com/Reporting/Document.aspx?MasterAgreementID=i1339-005394573&ID=aQAxADMAMwA5AC0AMAAwADUAMwA5ADQANQA3ADMA.	Get hash	malicious	Unknown	Browse	104.26.0.5
	Nettably.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.0.5
	DHL Page1.exe	Get hash	malicious	GuLoader	Browse	104.26.0.5
	Upit za prevoz 28 08 2024 1037 Agrorit d.o.o.exe	Get hash	malicious	AgentTesla	Browse	104.26.0.5
	Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.0.5

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	336
Entropy (8bit):	3.381719730288618
Encrypted:	false
SSDEEP:	3:rRRqmfXMHdMIRgDQCXT+FOEaGj3F/9Dqa+Oe2oTiWWu1AX7oj4NAPWRX6u2vooa4:HfX0VyMCXT741lxoTLK7VAPWchwz4
MD5:	4DFC909CA4DD851D88B767DE3DE855C0
SHA1:	244B3561C1FE12EA595B1E10D37C1A4410B2B94A
SHA-256:	A30DD910BD924D63DBD4DA1183E58057E2FC6A69AADF4B6C5571B77119A8CD06
SHA-512:	D6C848114D171665CFFA3F57F30B35FF1322C4F984E76CF8A5AEEDC0F6D9C248BE7D89BD6CABCE21B1FA65D2AB694B132BA5626ACFED2A03865ECF3F38D5F113
Malicious:	false
Preview:	....##########################################################..[ Astrix Private Plus ]..[ Selecione uma opcao: ]..##########################################################....[+] Status > Valorant Plus \| Undetected.....[1] Registrar Key....[+] Selecione uma opcao:

\Device\Null

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.003997527334849
Encrypted:	false
SSDEEP:	3:HnRthLK5a6eCMABe:HRoJPO
MD5:	DF5DC1ABC0D52F3C9E931E26A7C0065C
SHA1:	EE84123D3B3BC440C63DFE65FF5616BE2B0904D5
SHA-256:	F7167A2FACDE50428D8D2697A1CDFF075DE809323DD16D62B65CDD103B2A9A6D
SHA-512:	9B2253CE41880D22A2DDF4F886BB6CB22FF0C981400CD9D03A1FCA81DE5FAEB86C26B85B66ECEC960816D7BBE9740843890F2FCCD334B6D274295A32A8E6A4E9
Malicious:	false
Preview:	The system cannot find the file specified...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.4250352264986
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
File size:	532'480 bytes
MD5:	0b1d213e54d820dd3fefa386aa3e1f43
SHA1:	12e6ac4bed321f1a44e6d71338502e3dae943466
SHA256:	0e7ff3739925d9952c557cd8c3454c181549953975cc6241e95a638c52c33dcd
SHA512:	f97fd05a49223574a6e4fa4e43e03369589ba25112fe04467cd17a122a13c4a496ee3d4d64370d860644ae5bf01443c5bd4d58181f80b9751f31f66227198e35
SSDEEP:	12288:vwEh/b02vun/UtniLxUD9HpxZamJNcXo/0:Yw/Q4u/euUDlPZamAXo/
TLSH:	CCB47C56A7A807FAD167803CC547D603E7B6B4591311DBDB43A0CA792F23BE16E3A720
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p....,..p....B..p.......p.......p.......p.......p.......p...p...q.......p.......p.......p....@..p.......p..Rich.p.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14006330c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66614027 [Thu Jun 6 04:50:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	40029d5e9ef0ec678817a8a6a4ca4414

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FE4A48F6AF0h
dec eax
add esp, 28h
jmp 00007FE4A48F6147h
int3
int3
jmp 00007FE4A48F6DB6h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [0001C4F0h]
call dword ptr [00002E1Ah]
mov eax, dword ptr [0001BD84h]
dec eax
lea ecx, dword ptr [0001C4DDh]
mov edx, dword ptr [0001CA6Fh]
inc eax
mov dword ptr [0001BD6Fh], eax
mov dword ptr [ebx], eax
dec eax
mov eax, dword ptr [00000058h]
inc ecx
mov ecx, 00000004h
dec esp
mov eax, dword ptr [eax+edx*8]
mov eax, dword ptr [0001BD54h]
inc ebx
mov dword ptr [ecx+eax], eax
call dword ptr [00002F9Ah]
dec eax
lea ecx, dword ptr [0001C49Bh]
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00002DCFh]
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [0001C484h]
call dword ptr [00002DAEh]
cmp dword ptr [ebx], 00000000h
jne 00007FE4A48F62F4h
or dword ptr [ebx], FFFFFFFFh
jmp 00007FE4A48F6317h
inc ebp
xor ecx, ecx
dec eax
lea edx, dword ptr [0001C46Ah]
inc ecx
or eax, FFFFFFFFh
dec eax
lea ecx, dword ptr [0001C457h]
call dword ptr [00002F29h]
jmp 00007FE4A48F62ABh
cmp dword ptr [ebx], FFFFFFFFh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7c2b8	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x85000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x80000	0x4428	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x528	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x75520	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x75600	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x753e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x66000	0x990	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6431c	0x64400	86e8bf3447559eaf6297b667d427e493	False	0.5306971828241895	data	6.3354313196726535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x66000	0x184aa	0x18600	856fde56690eff6b5be6891b39a8dfd9	False	0.38233173076923077	data	5.600669485538329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7f000	0xec0	0x400	4acac08389ef34030efddca5696dc082	False	0.3017578125	data	3.586573501093021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x80000	0x4428	0x4600	a816d04a2667fb26b29d63d2f93950ea	False	0.4732700892857143	data	5.721899138805059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x85000	0x1e8	0x200	114a35859e65254a8c4077b5732ac14d	False	0.5390625	data	4.766656762050388	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0x528	0x600	ba8a1df2c67b95f5a6f1e01478bb30f4	False	0.5221354166666666	data	4.9609386154671755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x85060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	MultiByteToWideChar, GetEnvironmentVariableA, GetFileType, ReadFile, PeekNamedPipe, WaitForMultipleObjects, CreateFileA, GetFileSizeEx, WideCharToMultiByte, AcquireSRWLockExclusive, WakeAllConditionVariable, QueryPerformanceFrequency, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VerSetConditionMask, SleepEx, LeaveCriticalSection, MoveFileExA, FormatMessageA, SetLastError, LocalFree, CloseHandle, GetCurrentProcess, GetProcessHeap, DeleteCriticalSection, HeapDestroy, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, TerminateProcess, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcessId, GetCurrentThreadId, WaitForSingleObjectEx, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, LoadLibraryA, GetProcAddress, GetModuleHandleA, FreeLibrary, EnterCriticalSection, GetSystemTimeAsFileTime, GetSystemDirectoryA, InitializeCriticalSectionEx, HeapFree, GetConsoleWindow, SetConsoleTitleA, SetConsoleTextAttribute, SetConsoleScreenBufferInfoEx, GetConsoleScreenBufferInfoEx, SetConsoleMode, GetConsoleMode, Sleep, Beep, IsDebuggerPresent, SleepConditionVariableSRW, GetStdHandle, InitializeSListHead, OutputDebugStringW, ReleaseSRWLockExclusive
USER32.dll	GetWindowLongA, MoveWindow, GetWindowRect, MessageBoxA, SetWindowLongA
ADVAPI32.dll	CryptEncrypt, GetTokenInformation, GetLengthSid, OpenProcessToken, IsValidSid, CopySid, ConvertSidToStringSidA, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptGenRandom, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey
SHELL32.dll	ShellExecuteA
MSVCP140.dll	?_Random_device@std@@YAIXZ, ?id@?$ctype@D@std@@2V0locale@2@A, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, ?_Xlength_error@std@@YAXPEBD@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?uncaught_exception@std@@YA_NXZ, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ??Bid@locale@std@@QEAA_KXZ, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_Xbad_function_call@std@@YAXXZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?width@ios_base@std@@QEBA_JXZ, ?width@ios_base@std@@QEAA_J_J@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
urlmon.dll	URLDownloadToFileA
Normaliz.dll	IdnToAscii
WLDAP32.dll
CRYPT32.dll	CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertOpenStore, CertCloseStore
WS2_32.dll	ntohl, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, __WSAFDIsSet, ioctlsocket, listen, htonl, accept, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, bind, WSAGetLastError, send, recv, closesocket, socket
USERENV.dll	UnloadUserProfile
VCRUNTIME140.dll	__std_exception_copy, __current_exception, __std_exception_destroy, _CxxThrowException, memcmp, __std_terminate, memcpy, memmove, __C_specific_handler, __current_exception_context, strchr, memchr, strstr, strrchr, memset
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	_resetstkoflw, __sys_nerr, _errno, strerror, _invalid_parameter_noinfo_noreturn, exit, _invalid_parameter_noinfo, _beginthreadex, _getpid, system, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, __p___argc, terminate, _get_initial_narrow_environment, _initterm, _initterm_e, _exit, _set_app_type
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, realloc, calloc, _set_new_mode, malloc, free
api-ms-win-crt-utility-l1-1-0.dll	rand, qsort
api-ms-win-crt-stdio-l1-1-0.dll	fseek, __stdio_common_vfprintf, __acrt_iob_func, ftell, __stdio_common_vsscanf, __p__commode, feof, fputs, fopen, _read, _write, _close, _open, _lseeki64, fclose, fgets, fflush, __stdio_common_vsprintf, fwrite, fputc, _set_fmode, fread
api-ms-win-crt-convert-l1-1-0.dll	atoi, strtol, strtoul, strtoull, strtod, strtoll
api-ms-win-crt-locale-l1-1-0.dll	localeconv, _configthreadlocale
api-ms-win-crt-time-l1-1-0.dll	_time64, _gmtime64
api-ms-win-crt-string-l1-1-0.dll	strncmp, strpbrk, strspn, strncpy, strcmp, _strdup, strcspn, tolower, isupper
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _unlink, _access
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dclass

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 19:29:48.894685984 CEST	49709	443	192.168.2.7	104.26.0.5
Aug 29, 2024 19:29:48.894742012 CEST	443	49709	104.26.0.5	192.168.2.7
Aug 29, 2024 19:29:48.894809961 CEST	49709	443	192.168.2.7	104.26.0.5
Aug 29, 2024 19:29:48.912616968 CEST	49709	443	192.168.2.7	104.26.0.5
Aug 29, 2024 19:29:48.912643909 CEST	443	49709	104.26.0.5	192.168.2.7
Aug 29, 2024 19:29:49.408215046 CEST	443	49709	104.26.0.5	192.168.2.7
Aug 29, 2024 19:29:49.408289909 CEST	49709	443	192.168.2.7	104.26.0.5
Aug 29, 2024 19:29:49.411206007 CEST	49709	443	192.168.2.7	104.26.0.5
Aug 29, 2024 19:29:49.411216021 CEST	443	49709	104.26.0.5	192.168.2.7
Aug 29, 2024 19:29:49.411669970 CEST	443	49709	104.26.0.5	192.168.2.7
Aug 29, 2024 19:29:49.414805889 CEST	49709	443	192.168.2.7	104.26.0.5
Aug 29, 2024 19:29:49.456501007 CEST	443	49709	104.26.0.5	192.168.2.7
Aug 29, 2024 19:29:49.634783030 CEST	443	49709	104.26.0.5	192.168.2.7
Aug 29, 2024 19:29:49.634879112 CEST	443	49709	104.26.0.5	192.168.2.7
Aug 29, 2024 19:29:49.634932995 CEST	49709	443	192.168.2.7	104.26.0.5
Aug 29, 2024 19:29:49.644041061 CEST	49709	443	192.168.2.7	104.26.0.5
Aug 29, 2024 19:29:49.644071102 CEST	443	49709	104.26.0.5	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 19:29:48.875948906 CEST	61121	53	192.168.2.7	1.1.1.1
Aug 29, 2024 19:29:48.885786057 CEST	53	61121	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 19:29:48.875948906 CEST	192.168.2.7	1.1.1.1	0x2860	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 19:29:48.885786057 CEST	1.1.1.1	192.168.2.7	0x2860	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Aug 29, 2024 19:29:48.885786057 CEST	1.1.1.1	192.168.2.7	0x2860	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Aug 29, 2024 19:29:48.885786057 CEST	1.1.1.1	192.168.2.7	0x2860	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

keyauth.win

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49709	104.26.0.5	443	7252	C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 17:29:49 UTC	128	OUT	POST /api/1.1/ HTTP/1.1 Host: keyauth.win Accept: / Content-Length: 54 Content-Type: application/x-www-form-urlencoded
2024-08-29 17:29:49 UTC	54	OUT	Data Raw: 74 79 70 65 3d 69 6e 69 74 26 76 65 72 3d 31 2e 30 26 6e 61 6d 65 3d 76 61 6c 6f 72 61 6e 74 70 6c 75 73 26 6f 77 6e 65 72 69 64 3d 75 61 48 51 57 38 46 50 7a 57 Data Ascii: type=init&ver=1.0&name=valorantplus&ownerid=uaHQW8FPzW
2024-08-29 17:29:49 UTC	1107	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 17:29:49 GMT Content-Type: application/json; charset=UTF-8 Content-Length: 418 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aLav0uSdr6lrP7fjMut4Oac7ABmvf5rb476a9S15173DtTtmpKF8O7J56oo54rYgHyVfjaKDAgEzYv6PphDzY%2BJwkXOcK8yY2uX6S9G9RvihDsm6SLU3m%2FETpZjs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Acknowledge: Credit to VaultCord.com X-Powered-By: VaultCord.com content-security-policy: upgrade-insecure-requests permissions-policy: accelerometer=(), camera=(), fullscreen=, geolocation=(self), gyroscope=(), microphone=(), payment= referrer-policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains x-content-security-policy: img-src ; media-src data:; x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 1; mode=block Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Server: cloudflare CF-RAY: 8bae43f45fc20c90-EWR
2024-08-29 17:29:49 UTC	262	IN	Data Raw: 7b 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a 65 64 22 2c 22 73 65 73 73 69 6f 6e 69 64 22 3a 22 65 63 36 35 30 63 36 35 22 2c 22 61 70 70 69 6e 66 6f 22 3a 7b 22 6e 75 6d 55 73 65 72 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 6e 75 6d 4f 6e 6c 69 6e 65 55 73 65 72 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 65 73 74 20 65 78 61 6d 70 6c 65 22 2c 22 6e 75 6d 4b 65 79 73 22 3a 22 4e 2f 41 20 2d 20 55 73 65 20 66 65 74 63 68 53 74 61 74 73 28 29 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 6c 61 74 Data Ascii: {"success":true,"message":"Initialized","sessionid":"ec650c65","appinfo":{"numUsers":"N/A - Use fetchStats() function in latest example","numOnlineUsers":"N/A - Use fetchStats() function in latest example","numKeys":"N/A - Use fetchStats() function in lat
2024-08-29 17:29:49 UTC	156	IN	Data Raw: 6d 70 6c 65 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 31 2e 30 22 2c 22 63 75 73 74 6f 6d 65 72 50 61 6e 65 6c 4c 69 6e 6b 22 3a 22 68 74 74 70 73 3a 2f 2f 6b 65 79 61 75 74 68 2e 63 63 2f 70 61 6e 65 6c 2f 62 72 6f 6e 6b 7a 2f 76 61 6c 6f 72 61 6e 74 70 6c 75 73 2f 22 7d 2c 22 6e 65 77 53 65 73 73 69 6f 6e 22 3a 74 72 75 65 2c 22 6e 6f 6e 63 65 22 3a 22 36 65 33 61 61 31 37 63 2d 64 64 65 36 2d 34 36 66 33 2d 61 61 64 65 2d 66 62 66 31 62 64 30 33 65 33 39 39 22 7d Data Ascii: mple","version":"1.0","customerPanelLink":"https://keyauth.cc/panel/bronkz/valorantplus/"},"newSession":true,"nonce":"6e3aa17c-dde6-46f3-aade-fbf1bd03e399"}

Target ID:	4
Start time:	13:29:35
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe"
Imagebase:	0x7ff6ce4f0000
File size:	532'480 bytes
MD5 hash:	0B1D213E54D820DD3FEFA386AA3E1F43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:29:35
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:29:35
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im HTTPDebuggerUI.exe
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im HTTPDebuggerSvc.exe
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff60ca70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq cheatengine" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:29:36
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:29:38
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:29:38
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq processhacker" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:29:38
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:29:38
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq x64dbg" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:29:39
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:29:39
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq x32dbg" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:29:39
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:29:39
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq ollydbg" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:29:40
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:29:40
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:29:41
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 7968, Parent PID: 7936

General

Target ID:	30
Start time:	13:29:41
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:29:42
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:29:42
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:29:42
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 8056, Parent PID: 8040

General

Target ID:	34
Start time:	13:29:42
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:29:43
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 8100, Parent PID: 8084

General

Target ID:	36
Start time:	13:29:43
Start date:	29/08/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff60ca70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:29:43
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:29:44
Start date:	29/08/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff60ca70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:29:44
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:29:44
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 1196, Parent PID: 1836

General

Target ID:	41
Start time:	13:29:44
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	13:29:45
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 7388, Parent PID: 7244

General

Target ID:	43
Start time:	13:29:45
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	13:29:46
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 7452, Parent PID: 3232

General

Target ID:	45
Start time:	13:29:46
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	13:29:47
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	13:29:47
Start date:	29/08/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff60ca70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	13:29:47
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	13:29:47
Start date:	29/08/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff60ca70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	13:29:47
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	13:29:48
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	13:29:48
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq fiddler" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	13:29:49
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	13:29:49
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq wireshark" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	13:29:49
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	13:29:49
Start date:	29/08/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /FI "IMAGENAME eq httpdebugger" /IM /F /T
Imagebase:	0x7ff62ec50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	13:29:50
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	13:29:50
Start date:	29/08/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerPro
Imagebase:	0x7ff60ca70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	13:29:50
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	13:29:50
Start date:	29/08/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop HTTPDebuggerProSdk
Imagebase:	0x7ff60ca70000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	13:29:50
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	13:29:50
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff72d4a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26%
Total number of Nodes:	2000
Total number of Limit Nodes:	106

Executed Functions

Function 00007FF6CE522F40 Relevance: 178.5, APIs: 31, Strings: 70, Instructions: 1702stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523018
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE523025
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5230F8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52317C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523223
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5232BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523385
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5233BD
strchr.VCRUNTIME140 ref: 00007FF6CE523537
strchr.VCRUNTIME140 ref: 00007FF6CE52354A
strchr.VCRUNTIME140 ref: 00007FF6CE52355C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523663
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5236D3
memcpy.VCRUNTIME140 ref: 00007FF6CE5236FA
strchr.VCRUNTIME140 ref: 00007FF6CE52370E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523722
strstr.VCRUNTIME140 ref: 00007FF6CE523958
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523A91
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523C09

Part of subcall function 00007FF6CE51C760: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51C7D3

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523CBC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523D41
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523F9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523FB0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE523FBF

Part of subcall function 00007FF6CE525310: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52536A

strchr.VCRUNTIME140 ref: 00007FF6CE524577
strchr.VCRUNTIME140 ref: 00007FF6CE52458A
strchr.VCRUNTIME140 ref: 00007FF6CE52459C

Part of subcall function 00007FF6CE525310: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52538A
Part of subcall function 00007FF6CE525310: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE525393

strchr.VCRUNTIME140 ref: 00007FF6CE5247EF
strchr.VCRUNTIME140 ref: 00007FF6CE524802
strchr.VCRUNTIME140 ref: 00007FF6CE524814

Part of subcall function 00007FF6CE527940: strchr.VCRUNTIME140 ref: 00007FF6CE527A26
Part of subcall function 00007FF6CE527940: strchr.VCRUNTIME140 ref: 00007FF6CE527A39
Part of subcall function 00007FF6CE527940: strchr.VCRUNTIME140 ref: 00007FF6CE527A4B

Strings

GET, xrefs: 00007FF6CE5230D2
Transfer-Encoding:, xrefs: 00007FF6CE5234EE
Host, xrefs: 00007FF6CE523669
If-Unmodified-Since, xrefs: 00007FF6CE524204
;type=%c, xrefs: 00007FF6CE5239C1
%s?%s, xrefs: 00007FF6CE523115
Content-Type: application/x-www-form-urlencoded, xrefs: 00007FF6CE524771
Failed sending HTTP request, xrefs: 00007FF6CE5246E6
Referer, xrefs: 00007FF6CE5232D3
Content-Type, xrefs: 00007FF6CE523427, 00007FF6CE52475D
Content-Length, xrefs: 00007FF6CE524354, 00007FF6CE5244A9, 00007FF6CE52472E
If-Modified-Since, xrefs: 00007FF6CE52420D
1.1, xrefs: 00007FF6CE523CAE
Cookie, xrefs: 00007FF6CE523342
File already completely uploaded, xrefs: 00007FF6CE523BA9
Failed sending POST request, xrefs: 00007FF6CE524449, 00007FF6CE52468D
Range: bytes=%s, xrefs: 00007FF6CE523A9E
Failed sending HTTP POST request, xrefs: 00007FF6CE524A1B
ftp, xrefs: 00007FF6CE523929
Proxy-Connection: Keep-Alive, xrefs: 00007FF6CE523E3F, 00007FF6CE523E54
Content-Range, xrefs: 00007FF6CE523BEE
ftp://%s:%s@%s, xrefs: 00007FF6CE523D6B
%s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00007FF6CE524294
OPTIONS, xrefs: 00007FF6CE5230AB
Content-Length: 0, xrefs: 00007FF6CE524410
Content-Length: %I64d, xrefs: 00007FF6CE52436B, 00007FF6CE5244C0, 00007FF6CE524745
%x, xrefs: 00007FF6CE524915
%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF6CE523F7B
upload completely sent off: %I64d out of %I64d bytes, xrefs: 00007FF6CE524B1E
Transfer-Encoding: chunked, xrefs: 00007FF6CE52362F
Accept, xrefs: 00007FF6CE523A13
Accept-Encoding: %s, xrefs: 00007FF6CE523392
Content-Range: bytes %s%I64d/%I64d, xrefs: 00007FF6CE523C48
multipart/form-data, xrefs: 00007FF6CE52346A
%s%s=%s, xrefs: 00007FF6CE5240C9
Expect, xrefs: 00007FF6CE524514, 00007FF6CE524789
POST, xrefs: 00007FF6CE5230C5
Could only read %I64d bytes from the input, xrefs: 00007FF6CE523BC5
Referer: %s, xrefs: 00007FF6CE5232EE
Host:%s, xrefs: 00007FF6CE523766
HEAD, xrefs: 00007FF6CE523081
%s , xrefs: 00007FF6CE523CD3
%s, xrefs: 00007FF6CE5244F3
Accept-Encoding, xrefs: 00007FF6CE523361
Transfer-Encoding, xrefs: 00007FF6CE5234CD
%s%s, xrefs: 00007FF6CE524150
100-continue, xrefs: 00007FF6CE5245B6, 00007FF6CE524836
Cookie: , xrefs: 00007FF6CE5240AE, 00007FF6CE524124
Proxy-Connection, xrefs: 00007FF6CE523E13
Host: %s%s%s, xrefs: 00007FF6CE5237DD
Range, xrefs: 00007FF6CE523A72
Failed sending PUT request, xrefs: 00007FF6CE5243E9
Host:, xrefs: 00007FF6CE523731
Expect:, xrefs: 00007FF6CE524535, 00007FF6CE5247AA
http, xrefs: 00007FF6CE5238BB
Could not seek stream, xrefs: 00007FF6CE523B08
0, xrefs: 00007FF6CE524966, 00007FF6CE524A65
Last-Modified, xrefs: 00007FF6CE5241FB
chunked, xrefs: 00007FF6CE523576
Invalid TIMEVALUE, xrefs: 00007FF6CE5241C3
PUT, xrefs: 00007FF6CE5230B8
?%s, xrefs: 00007FF6CE523DAB
;type=, xrefs: 00007FF6CE52394E
Host: %s%s%s:%d, xrefs: 00007FF6CE523822
Content-Range: bytes 0-%I64d/%I64d, xrefs: 00007FF6CE523C24
Content-Range: bytes %s/%I64d, xrefs: 00007FF6CE523C56
Chunky upload is not supported by HTTP 1.0, xrefs: 00007FF6CE52363C
1.0, xrefs: 00007FF6CE523CA0
Accept: */*, xrefs: 00007FF6CE523A25
User-Agent, xrefs: 00007FF6CE5230DD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$strchr$_strdup$callocmemcpystrstr
String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s: %s, %02d %s %4d %02d:%02d:%02d GMT$%s?%s$%x$0$1.0$1.1$100-continue$;type=$;type=%c$?%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Cookie$Cookie: $Could not seek stream$Could only read %I64d bytes from the input$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified$OPTIONS$POST$PUT$Proxy-Connection$Proxy-Connection: Keep-Alive$Range$Range: bytes=%s$Referer$Referer: %s$Transfer-Encoding$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent$chunked$ftp$ftp://%s:%s@%s$http$multipart/form-data$upload completely sent off: %I64d out of %I64d bytes
API String ID: 2045874074-4264080130
Opcode ID: 8f83aba3311d1b321c561d2b37f579abd4217c5cfa5a9480348ccf3bad937963
Instruction ID: e309fea1b35aa8a2244cfab355d16894727ec4919afed5091bb211b69b63c138
Opcode Fuzzy Hash: 8f83aba3311d1b321c561d2b37f579abd4217c5cfa5a9480348ccf3bad937963
Instruction Fuzzy Hash: 1403CD61E0968385FB688F25D4683B927B1AF71B8AF844031EE9DA7795DF3EE445C300

Function 00007FF6CE504D00 Relevance: 159.6, APIs: 68, Strings: 23, Instructions: 355
processsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF6CE504D2A
GetConsoleMode.KERNELBASE ref: 00007FF6CE504D3B
SetConsoleMode.KERNELBASE ref: 00007FF6CE504D4E
GetStdHandle.KERNEL32 ref: 00007FF6CE504D59
GetConsoleScreenBufferInfoEx.KERNELBASE ref: 00007FF6CE504D70
SetConsoleScreenBufferInfoEx.KERNELBASE ref: 00007FF6CE504D97
GetConsoleMode.KERNELBASE ref: 00007FF6CE504DA5
SetConsoleMode.KERNELBASE ref: 00007FF6CE504DB9
IsDebuggerPresent.KERNEL32 ref: 00007FF6CE504DBF
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504DD4
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504DE1
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504DEE
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504E0E
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504E1B
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504E28
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504E35
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504E55
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504E62
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504E6F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6CE504EB2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504EBB
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE5050C3

Part of subcall function 00007FF6CE505420: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE505444
Part of subcall function 00007FF6CE505420: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE505465

GetStdHandle.KERNEL32 ref: 00007FF6CE5050DA
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE5050E8
GetStdHandle.KERNEL32 ref: 00007FF6CE5050FF
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE50510D
GetStdHandle.KERNEL32 ref: 00007FF6CE505124
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE505132
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504E8F

Part of subcall function 00007FF6CE4F6080: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F61FC
Part of subcall function 00007FF6CE4F6080: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F6203
Part of subcall function 00007FF6CE4F6080: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F6210

GetConsoleWindow.KERNELBASE ref: 00007FF6CE504EC2
GetWindowLongA.USER32 ref: 00007FF6CE504ED3
SetWindowLongA.USER32 ref: 00007FF6CE504EE9
GetConsoleWindow.KERNELBASE ref: 00007FF6CE504EEF
GetWindowRect.USER32 ref: 00007FF6CE504F00
MoveWindow.USER32 ref: 00007FF6CE504F28
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504F6A
GetStdHandle.KERNEL32 ref: 00007FF6CE504F75
SetConsoleTextAttribute.KERNELBASE ref: 00007FF6CE504F83
GetStdHandle.KERNEL32 ref: 00007FF6CE504FA6
SetConsoleTextAttribute.KERNELBASE ref: 00007FF6CE504FB4
GetStdHandle.KERNEL32 ref: 00007FF6CE504FD7
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE504FE5
GetStdHandle.KERNEL32 ref: 00007FF6CE504FFC
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE50500A
GetStdHandle.KERNEL32 ref: 00007FF6CE505021
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE50502F
GetStdHandle.KERNEL32 ref: 00007FF6CE505046
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE505054
GetStdHandle.KERNEL32 ref: 00007FF6CE50506B
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE505079
GetStdHandle.KERNEL32 ref: 00007FF6CE505090
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE50509E
GetStdHandle.KERNEL32 ref: 00007FF6CE5050B5
GetStdHandle.KERNEL32 ref: 00007FF6CE505187
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE505195
GetStdHandle.KERNEL32 ref: 00007FF6CE5051AC
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE5051BA
GetStdHandle.KERNEL32 ref: 00007FF6CE5051D1
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6CE5051DF
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF6CE505215
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE50524C

Part of subcall function 00007FF6CE504CD0: GetStdHandle.KERNEL32 ref: 00007FF6CE504CDE

Part of subcall function 00007FF6CE502A60: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6CE502AA2
Part of subcall function 00007FF6CE502A60: ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF6CE502ABC
Part of subcall function 00007FF6CE502A60: ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF6CE502ADD
Part of subcall function 00007FF6CE502A60: ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6CE502B2F
Part of subcall function 00007FF6CE502A60: ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6CE502B44
Part of subcall function 00007FF6CE502A60: ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6CE502B63
Part of subcall function 00007FF6CE502A60: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6CE502B82
Part of subcall function 00007FF6CE502A60: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6CE502B8B
Part of subcall function 00007FF6CE502A60: ?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF6CE502C3C

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE50534E
Sleep.KERNEL32 ref: 00007FF6CE505392
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE50539F
Beep.KERNEL32 ref: 00007FF6CE5053AC
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505404
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505411
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505419

Strings

Selecione uma opcao: , xrefs: 00007FF6CE5051E5
Undetected., xrefs: 00007FF6CE5050A4
Status > Valorant Plus | , xrefs: 00007FF6CE50507F
taskkill /IM dnSpy.exe /F, xrefs: 00007FF6CE504DDA
taskkill /IM x64dbg.exe /F, xrefs: 00007FF6CE504E68
valorantplus, xrefs: 00007FF6CE504F33, 00007FF6CE50533B
C:\Windows\System\winver32.exe, xrefs: 00007FF6CE5053C3
taskkill /IM ollydbg.exe /F, xrefs: 00007FF6CE504E14
[ Coloque sua key: ], xrefs: 00007FF6CE50527E
taskkill /IM cheatengine-x86_64.exe /F, xrefs: 00007FF6CE504DE7
taskkill /IM ida64.exe /F, xrefs: 00007FF6CE504E2E
taskkill /IM radare2.exe /F, xrefs: 00007FF6CE504E5B
http://185.101.104.92/as.exe, xrefs: 00007FF6CE5053B2
taskkill /IM ProcessHacker.exe /F, xrefs: 00007FF6CE504DCD
Stop debugging u yerk, xrefs: 00007FF6CE504E95
taskkill /IM ida.exe /F, xrefs: 00007FF6CE504E21
cls, xrefs: 00007FF6CE505245, 00007FF6CE505347, 00007FF6CE505398
cd C:\, xrefs: 00007FF6CE5053FD
[ Selecione uma opcao: ], xrefs: 00007FF6CE504FC6
start C:\Windows\System\winver32.exe, xrefs: 00007FF6CE50540A
[ Astrix Private Plus ], xrefs: 00007FF6CE504FBA
##########################################################, xrefs: 00007FF6CE504F95, 00007FF6CE505268
##########################################################, xrefs: 00007FF6CE504FEB, 00007FF6CE505294

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Console$Handle$system$AttributeText$U?$char_traits@$D@std@@@std@@$Window$?width@ios_base@std@@Mode$V01@$?rdbuf@?$basic_ios@BufferD@std@@@2@InfoLongScreenV?$basic_streambuf@exit$??5?$basic_istream@??6?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?uncaught_exception@std@@BeepDebuggerIpfx@?$basic_istream@MoveOsfx@?$basic_ostream@PresentRectSleepV01@@Vlocale@2@__acrt_iob_func__stdio_common_vfprintf
String ID: Selecione uma opcao: $ Status > Valorant Plus | $##########################################################$##########################################################$C:\Windows\System\winver32.exe$Stop debugging u yerk$Undetected.$[ Coloque sua key: ]$[ Astrix Private Plus ]$[ Selecione uma opcao: ]$cd C:\$cls$http://185.101.104.92/as.exe$start C:\Windows\System\winver32.exe$taskkill /IM ProcessHacker.exe /F$taskkill /IM cheatengine-x86_64.exe /F$taskkill /IM dnSpy.exe /F$taskkill /IM ida.exe /F$taskkill /IM ida64.exe /F$taskkill /IM ollydbg.exe /F$taskkill /IM radare2.exe /F$taskkill /IM x64dbg.exe /F$valorantplus
API String ID: 2248261355-2666367489
Opcode ID: 67d59743ecfa8e3095966c0ec17e486ad83056ec5717fb9159eb6c54ca3e9787
Instruction ID: fa5cf9e8b377605efe2aff2171fdc3e673e5079c80baa0a04d0e180570a63d8c
Opcode Fuzzy Hash: 67d59743ecfa8e3095966c0ec17e486ad83056ec5717fb9159eb6c54ca3e9787
Instruction Fuzzy Hash: 4712F021A1AAC386EA009F64E8341B97371FFA4756FC00135F59EA76E5DFBEE4488740

Function 00007FF6CE52D8ED Relevance: 116.1, APIs: 43, Strings: 23, Instructions: 552stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6CE52DA48
strchr.VCRUNTIME140 ref: 00007FF6CE52DA74
strchr.VCRUNTIME140 ref: 00007FF6CE52DAAE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52DAD2
strchr.VCRUNTIME140 ref: 00007FF6CE52DBE2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52DBFA

Strings

schannel: AcquireCredentialsHandle failed: %s, xrefs: 00007FF6CE52E065
http/1.1, xrefs: 00007FF6CE52E117
Microsoft Unified Security Protocol Provider, xrefs: 00007FF6CE52DFEF
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF6CE52DE89
LocalMachine, xrefs: 00007FF6CE52DB03
CurrentUserGroupPolicy, xrefs: 00007FF6CE52DB7D
http/1.1, xrefs: 00007FF6CE52E103
schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 00007FF6CE52DC60
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF6CE52E0E3
schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 00007FF6CE52DEB4
LocalMachineGroupPolicy, xrefs: 00007FF6CE52DB9C
schannel: ALPN, offering %s, xrefs: 00007FF6CE52E125
schannel: Failed to read cert file %s, xrefs: 00007FF6CE52DFA9
CurrentService, xrefs: 00007FF6CE52DB25
schannel: TLS 1.3 is not yet supported, xrefs: 00007FF6CE52D97B
Users, xrefs: 00007FF6CE52DB66
CurrentUser, xrefs: 00007FF6CE52DAC2
LocalMachineEnterprise, xrefs: 00007FF6CE52DBBB
Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00007FF6CE52DAE7
schannel: unable to allocate memory, xrefs: 00007FF6CE52DF6C, 00007FF6CE52E1F7
schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 00007FF6CE52DEFF
Services, xrefs: 00007FF6CE52DB47
schannel: Failed to get certificate location or file for %s, xrefs: 00007FF6CE52DFD2

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdupstrncmpstrtol
String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$Services$Unable to set ciphers to passed via SSL_CONN_CONFIG$Users$http/1.1$http/1.1$schannel: ALPN, offering %s$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: TLS 1.3 is not yet supported$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.
API String ID: 707411602-3372543188
Opcode ID: 62ecdbbecd750d5a78154b92169a217d3bfc27757623a547c6e53a1737111044
Instruction ID: 388d5f1c47147e1ce38d4f11ebca2eaf8657b49c812676c6222c8fb194af6e8c
Opcode Fuzzy Hash: 62ecdbbecd750d5a78154b92169a217d3bfc27757623a547c6e53a1737111044
Instruction Fuzzy Hash: 4142AF71A09B4282EB248F25E8646B933B0FF75796F805135EA8EA7790DF3EE544C700

Function 00007FF6CE51C330 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF6CE51C358
WSACleanup.WS2_32 ref: 00007FF6CE51C373
GetModuleHandleA.KERNEL32 ref: 00007FF6CE51C3C4
GetProcAddress.KERNEL32 ref: 00007FF6CE51C3F0
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51C40A
LoadLibraryA.KERNEL32 ref: 00007FF6CE51C42D
GetProcAddress.KERNEL32 ref: 00007FF6CE51C44A
LoadLibraryExA.KERNELBASE ref: 00007FF6CE51C460
GetSystemDirectoryA.KERNEL32 ref: 00007FF6CE51C476
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51C48E
GetSystemDirectoryA.KERNEL32 ref: 00007FF6CE51C4A2
LoadLibraryA.KERNEL32 ref: 00007FF6CE51C510
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51C51C
GetProcAddress.KERNEL32 ref: 00007FF6CE51C548
VerSetConditionMask.KERNEL32 ref: 00007FF6CE51C5D1
VerSetConditionMask.KERNEL32 ref: 00007FF6CE51C5E4
VerSetConditionMask.KERNEL32 ref: 00007FF6CE51C5F3
VerSetConditionMask.KERNEL32 ref: 00007FF6CE51C602
VerSetConditionMask.KERNEL32 ref: 00007FF6CE51C612
VerifyVersionInfoA.KERNEL32 ref: 00007FF6CE51C623
QueryPerformanceFrequency.KERNEL32 ref: 00007FF6CE51C63F

Strings

AddDllDirectory, xrefs: 00007FF6CE51C440
if_nametoindex, xrefs: 00007FF6CE51C53E
LoadLibraryExA, xrefs: 00007FF6CE51C3DE
kernel32, xrefs: 00007FF6CE51C3AB
iphlpapi.dll, xrefs: 00007FF6CE51C3F6

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleInfoModulePerformanceQueryStartupVerifyVersionfreemallocstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 2612373469-2794540096
Opcode ID: 673d33687149de1745d9ac90fe4f89c1a679f1b078d88af68f66ad415b7cd04d
Instruction ID: 67240a20a5622cb9d37d9a33812f359f87a1f7312df551939e5a37f47bec83a6
Opcode Fuzzy Hash: 673d33687149de1745d9ac90fe4f89c1a679f1b078d88af68f66ad415b7cd04d
Instruction Fuzzy Hash: 92918325A0D7C282EB64CF11A4243B973B1FBA9B82F844135E9CEA6755EF6EE045C710

Function 00007FF6CE51B670 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF6CE51B70C
socket.WS2_32 ref: 00007FF6CE51B755
htons.WS2_32 ref: 00007FF6CE51B7E1
setsockopt.WS2_32 ref: 00007FF6CE51B843
WSAGetLastError.WS2_32 ref: 00007FF6CE51B84D
getsockopt.WS2_32 ref: 00007FF6CE51B8EF
setsockopt.WS2_32 ref: 00007FF6CE51B91E
setsockopt.WS2_32 ref: 00007FF6CE51B95D
WSAIoctl.WS2_32 ref: 00007FF6CE51B9EA
WSAGetLastError.WS2_32 ref: 00007FF6CE51B9F4

Part of subcall function 00007FF6CE528640: ioctlsocket.WS2_32 ref: 00007FF6CE528659

Part of subcall function 00007FF6CE521160: QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FF6CE5091DF), ref: 00007FF6CE521177

connect.WS2_32 ref: 00007FF6CE51BB1B
WSAGetLastError.WS2_32 ref: 00007FF6CE51BB38

Part of subcall function 00007FF6CE505EB0: GetLastError.KERNEL32 ref: 00007FF6CE505ED2
Part of subcall function 00007FF6CE505EB0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505EDA

Part of subcall function 00007FF6CE5194A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE5195C5
Part of subcall function 00007FF6CE5194A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE5195E0

Part of subcall function 00007FF6CE519F80: closesocket.WS2_32 ref: 00007FF6CE519FC3

Strings

Immediate connect fail for %s: %s, xrefs: 00007FF6CE51BB68
@, xrefs: 00007FF6CE51B887
Could not set TCP_NODELAY: %s, xrefs: 00007FF6CE51B86A
Trying %s:%ld..., xrefs: 00007FF6CE51B7EF
Failed to set SO_KEEPALIVE on fd %d, xrefs: 00007FF6CE51B96A
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00007FF6CE51B9FD
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00007FF6CE51BBDE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$setsockopt$fwrite$CounterIoctlPerformanceQuery_errnoclosesocketconnectgetsockopthtonsioctlsocketmemcpysocket
String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3453287622-3868455274
Opcode ID: 9901918d985003610e96a397e0676bf6ccac9ccacce26bcac8654692eab6c441
Instruction ID: 7171ebd4c19a93c2dd455deaaf31aea84457118a4eb2fd7e14a7bf18e5ffc810
Opcode Fuzzy Hash: 9901918d985003610e96a397e0676bf6ccac9ccacce26bcac8654692eab6c441
Instruction Fuzzy Hash: 7AF1BE71E0828286E7909F65D4642BE73B0FB54B49F804135FA8DE7AA5DF3EE945CB00

Function 00007FF6CE4F18E0 Relevance: 30.1, APIs: 1, Strings: 16, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6CE502D90: memcpy.VCRUNTIME140(?,?,?,?,00007FF6CE4F1052), ref: 00007FF6CE502DC8

Part of subcall function 00007FF6CE502D90: memcpy.VCRUNTIME140(?,?,?,?,00007FF6CE4F1052), ref: 00007FF6CE502E69

Part of subcall function 00007FF6CE502D90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6CE4F1052), ref: 00007FF6CE502E3D
Part of subcall function 00007FF6CE502D90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE502E87

Part of subcall function 00007FF6CE552CC8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF6CE4F5A5E,7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE552CE2

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F1DE3

Part of subcall function 00007FF6CE552CC8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE552CF8
Part of subcall function 00007FF6CE552CC8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE552CFE

Strings

aqua, xrefs: 00007FF6CE4F19AF
white, xrefs: 00007FF6CE4F1A62
light green, xrefs: 00007FF6CE4F1B0D
green, xrefs: 00007FF6CE4F1983
light yellow, xrefs: 00007FF6CE4F1BF3
bright white, xrefs: 00007FF6CE4F1C2B
black, xrefs: 00007FF6CE4F1929
light blue, xrefs: 00007FF6CE4F1AD2
light aqua, xrefs: 00007FF6CE4F1B45
light purple, xrefs: 00007FF6CE4F1BB8
yellow, xrefs: 00007FF6CE4F1A33
purple, xrefs: 00007FF6CE4F1A07
red, xrefs: 00007FF6CE4F19DB
light red, xrefs: 00007FF6CE4F1B80
blue, xrefs: 00007FF6CE4F1957
grey, xrefs: 00007FF6CE4F1A9A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task$memcpy$_beginthreadex_invalid_parameter_noinfo_noreturnmalloc
String ID: aqua$black$blue$bright white$green$grey$light aqua$light blue$light green$light purple$light red$light yellow$purple$red$white$yellow
API String ID: 41608588-1613386935
Opcode ID: 2f957afa67e90aada8e42a86225cda717ce7a827b3db9356893e2eeb278857fc
Instruction ID: 0fd3be5ac75d6a8422efc81ba690ec4dc5eed859f2e829d0cf1c10b8c7818664
Opcode Fuzzy Hash: 2f957afa67e90aada8e42a86225cda717ce7a827b3db9356893e2eeb278857fc
Instruction Fuzzy Hash: 48E1BF32914BC689E720CF30E8516EA3374FBA9349F909235F68CA7A55DF79E685C700

Function 00007FF6CE504510 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 199
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504577
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5045D7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504627
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504697
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5046F7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504757
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5047B7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504817
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504877
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5048D8

Strings

-z`z, xrefs: 00007FF6CE5045A1
!NTN, xrefs: 00007FF6CE5047D5
jht2, xrefs: 00007FF6CE504595
7*'<, xrefs: 00007FF6CE5045A8
>, xrefs: 00007FF6CE5045F5
*, xrefs: 00007FF6CE5045AF

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: system
String ID: !NTN$*$-z`z$7*'<$>$jht2
API String ID: 3377271179-319890355
Opcode ID: fdef32d83dd7d3cf955ed9b32d818ebf344c5666f4f197112ba7d8ca2d1adbe2
Instruction ID: 84a773a587c0bdfed817dc08c201861e6b5dbe393acdcc19896bfc735a7efb33
Opcode Fuzzy Hash: fdef32d83dd7d3cf955ed9b32d818ebf344c5666f4f197112ba7d8ca2d1adbe2
Instruction Fuzzy Hash: 10C14E22E297D28DF701CFB8A8211BC7B70BBA9709F901628DEC575D15EFA95208C754

Function 00007FF6CE51C010 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,?,00007FF6CE545E6A,?,?,?,?,00007FF6CE51C39B), ref: 00007FF6CE51C024
GetProcAddress.KERNEL32(?,?,00007FF6CE545E6A,?,?,?,?,00007FF6CE51C39B), ref: 00007FF6CE51C049
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00007FF6CE545E6A,?,?,?,?,00007FF6CE51C39B), ref: 00007FF6CE51C05C

Strings

AddDllDirectory, xrefs: 00007FF6CE51C0A3
LoadLibraryExA, xrefs: 00007FF6CE51C03A
kernel32, xrefs: 00007FF6CE51C01D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 27745253-3327535076
Opcode ID: 7c4f2fc369ceef35da4cc00e9ce75a277ea8312e9eea679c65a3c8a41ba914d0
Instruction ID: 43be111d2722729cb5b5d8cc62c530b4af706ee6945e252f9587219917cde2fa
Opcode Fuzzy Hash: 7c4f2fc369ceef35da4cc00e9ce75a277ea8312e9eea679c65a3c8a41ba914d0
Instruction Fuzzy Hash: 7741F916F4E64242EB098F52A92013967B0EF95BD2F884134EE8DA3790DE3FD486C300

Function 00007FF6CE528410 Relevance: 24.1, APIs: 16, Instructions: 127
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF6CE528451
htonl.WS2_32 ref: 00007FF6CE52847E
setsockopt.WS2_32 ref: 00007FF6CE5284B5
bind.WS2_32 ref: 00007FF6CE5284D0
getsockname.WS2_32 ref: 00007FF6CE5284EC
listen.WS2_32 ref: 00007FF6CE528501
socket.WS2_32 ref: 00007FF6CE528518
connect.WS2_32 ref: 00007FF6CE528537
accept.WS2_32 ref: 00007FF6CE52854E
send.WS2_32 ref: 00007FF6CE52859C
recv.WS2_32 ref: 00007FF6CE5285BA
memcmp.VCRUNTIME140 ref: 00007FF6CE5285D5
closesocket.WS2_32 ref: 00007FF6CE5285E1

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: socket$acceptbindclosesocketconnectgetsocknamehtonllistenmemcmprecvsendsetsockopt
String ID:
API String ID: 3699910901-0
Opcode ID: 0d4c7ab26ed7e8ab0f7134864bffdbdd0db549245289935f3c944496672256d1
Instruction ID: c05eb0f61ec843c083f45a07663e3fc421b610314420a5012a3b51d7e9711e18
Opcode Fuzzy Hash: 0d4c7ab26ed7e8ab0f7134864bffdbdd0db549245289935f3c944496672256d1
Instruction Fuzzy Hash: 3951A431609A4281D7609F25E86416973B1FBA4BB6F904331FABE936E4DF7DE449C700

Function 00007FF6CE51A330 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

connect to %s port %ld failed: %s, xrefs: 00007FF6CE51A5AD
Connection time-out, xrefs: 00007FF6CE51A419
After %I64dms connect time, move on!, xrefs: 00007FF6CE51A4F5
Failed to connect to %s port %ld: %s, xrefs: 00007FF6CE51A85E
Connection failed, xrefs: 00007FF6CE51A716

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
API String ID: 0-3307081561
Opcode ID: 994ea3f9bb0d9fadcdb01d677eb0d464cbdb416cbc24e5e0e6c73f16636ec1b9
Instruction ID: 86d1d2115defcc5bbbbf9c5220d3901ef84cec63b2561213fcb2a4fac41ccae6
Opcode Fuzzy Hash: 994ea3f9bb0d9fadcdb01d677eb0d464cbdb416cbc24e5e0e6c73f16636ec1b9
Instruction Fuzzy Hash: E2E10366B086C282EB568F6494643BD6371FB98795F804235FA9DA77C6DF3EE441C300

Function 00007FF6CE509770 Relevance: 4.8, APIs: 3, Instructions: 309networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF6CE509B66
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE509B87

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freerecv
String ID:
API String ID: 2032557106-0
Opcode ID: e0d5220d61dc43b26c976585556dbcefb18984b26525e93c61f20345ab19815e
Instruction ID: ad0d64d078777bc7d49d48438472213860177b9205ca55aeaae75f044a87792d
Opcode Fuzzy Hash: e0d5220d61dc43b26c976585556dbcefb18984b26525e93c61f20345ab19815e
Instruction Fuzzy Hash: B8C1C7B260C6C245EB658F2594603B962B0FF947A9F946235FEDE937C8DE3ED4418700

Function 00007FF6CE4F36D0 Relevance: 40.7, APIs: 16, Strings: 7, Instructions: 402
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F34D7
Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3547
Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F35A7
Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F35F7
Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3647

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3878

Part of subcall function 00007FF6CE4F5F40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F6000

Part of subcall function 00007FF6CE552CC8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF6CE4F5A5E,7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE552CE2

Part of subcall function 00007FF6CE4F5980: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F38C8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3907
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3955
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3994
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3A48
memcpy.VCRUNTIME140 ref: 00007FF6CE4F3A6D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3B43
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3B8A
ShellExecuteA.SHELL32 ref: 00007FF6CE4F3C82
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3C8A
MessageBoxA.USER32 ref: 00007FF6CE4F3CC0
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3CD1
Sleep.KERNEL32 ref: 00007FF6CE4F3D39
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3D41
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE4F3D48

Part of subcall function 00007FF6CE4F3D90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3E9F
Part of subcall function 00007FF6CE4F3D90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3EE0

Part of subcall function 00007FF6CE4F52A0: memcpy.VCRUNTIME140 ref: 00007FF6CE4F52F3

Part of subcall function 00007FF6CE4F3F00: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3FE0

Part of subcall function 00007FF6CE4F4000: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F40E0

Strings

message, xrefs: 00007FF6CE4F3BD3, 00007FF6CE4F3C91
Failure, xrefs: 00007FF6CE4F3CB7
download, xrefs: 00007FF6CE4F3C45
success, xrefs: 00007FF6CE4F3AA6
invalidver, xrefs: 00007FF6CE4F3C09
sessionid, xrefs: 00007FF6CE4F3ACE
open, xrefs: 00007FF6CE4F3C79

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$system$exitmemcpy$Concurrency::cancel_current_taskExecuteMessageShellSleepmalloc
String ID: Failure$download$invalidver$message$open$sessionid$success
API String ID: 3283070336-3881042241
Opcode ID: efa8badad9e1f88c70e21c7859164edb3027d15fb94ea58b4cbfa374ef5f5acd
Instruction ID: bc9c9de68789cd5509436e18dbc372bba73e1a2aeee68a5bbfe43d8456967e18
Opcode Fuzzy Hash: efa8badad9e1f88c70e21c7859164edb3027d15fb94ea58b4cbfa374ef5f5acd
Instruction Fuzzy Hash: A402C162A0878285EB00DF24D4543AD3771EB61B95F809235FAEDA6BDADF7DE484C340

Function 00007FF6CE52EF70 Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF6CE52F5B1
memcpy.VCRUNTIME140 ref: 00007FF6CE52F5CD

Strings

schannel: server closed the connection, xrefs: 00007FF6CE52F444
schannel: Curl_read_plain returned error %d, xrefs: 00007FF6CE52F311
schannel: renegotiation failed, xrefs: 00007FF6CE52F53E
schannel: can't renogotiate, encrypted data available, xrefs: 00007FF6CE52F552
schannel: unable to re-allocate memory, xrefs: 00007FF6CE52F0AD, 00007FF6CE52F516
schannel: server indicated shutdown in a prior call, xrefs: 00007FF6CE52F038
schannel: failed to read data from server: %s, xrefs: 00007FF6CE52F502
schannel: server closed abruptly (missing close_notify), xrefs: 00007FF6CE52F55E
schannel: renegotiating SSL/TLS connection, xrefs: 00007FF6CE52F3C8
schannel: can't renogotiate, an error is pending, xrefs: 00007FF6CE52F532
schannel: enough decrypted data is already available, xrefs: 00007FF6CE52EFF5
schannel: remote party requests renegotiation, xrefs: 00007FF6CE52F392
schannel: failed to decrypt data, need more data, xrefs: 00007FF6CE52F4DA
schannel: an unrecoverable error occurred in a prior call, xrefs: 00007FF6CE52F015
schannel: Curl_read_plain returned CURLE_RECV_ERROR, xrefs: 00007FF6CE52F13D
schannel: SSL/TLS connection renegotiated, xrefs: 00007FF6CE52F40F

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: schannel: Curl_read_plain returned CURLE_RECV_ERROR$schannel: Curl_read_plain returned error %d$schannel: SSL/TLS connection renegotiated$schannel: an unrecoverable error occurred in a prior call$schannel: can't renogotiate, an error is pending$schannel: can't renogotiate, encrypted data available$schannel: enough decrypted data is already available$schannel: failed to decrypt data, need more data$schannel: failed to read data from server: %s$schannel: remote party requests renegotiation$schannel: renegotiating SSL/TLS connection$schannel: renegotiation failed$schannel: server closed abruptly (missing close_notify)$schannel: server closed the connection$schannel: server indicated shutdown in a prior call$schannel: unable to re-allocate memory
API String ID: 3510742995-857957974
Opcode ID: 2b695a1137e97254246a1ab44243a13d41a2c4160949021752e9243e96901486
Instruction ID: 701348e24de578f057c64796c675d23500dc486647f39f6939ba2b0f3494ca9a
Opcode Fuzzy Hash: 2b695a1137e97254246a1ab44243a13d41a2c4160949021752e9243e96901486
Instruction Fuzzy Hash: A302E072A08A8585EB60DF19E46836937B4FB74B96F904136EA8DE77A4CF7BD440C700

Function 00007FF6CE52E400 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52E4F0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52E541
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52E584
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52E667
memcpy.VCRUNTIME140 ref: 00007FF6CE52E709
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52E772
memcpy.VCRUNTIME140 ref: 00007FF6CE52E84A
memset.VCRUNTIME140 ref: 00007FF6CE52EA17
CertFreeCertificateContext.CRYPT32 ref: 00007FF6CE52EA7A

Strings

schannel: Failed to read remote certificate context: %s, xrefs: 00007FF6CE52EABA
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 00007FF6CE52E876
SSL: failed retrieving public key from server certificate, xrefs: 00007FF6CE52EA9A
schannel: next InitializeSecurityContext failed: %s, xrefs: 00007FF6CE52E90E, 00007FF6CE52EB22
schannel: unable to re-allocate memory, xrefs: 00007FF6CE52E592
schannel: unable to allocate memory, xrefs: 00007FF6CE52EB6F
schannel: SNI or certificate check failed: %s, xrefs: 00007FF6CE52E8DB
schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 00007FF6CE52E924
SSL: public key does not match pinned public key!, xrefs: 00007FF6CE52EA5C, 00007FF6CE52EA84

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: malloc$memcpy$CertCertificateContextFreefreememsetrealloc
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key!$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 860210379-3059304359
Opcode ID: 7fb0d3548eb4696715b61b4d34b3ffc1fb1c834f0369d31dd022699ec7e78fe4
Instruction ID: 5709bdabe3d0e754582c1ba77018f534654f7d93b29f8f9da8a64331c4579f41
Opcode Fuzzy Hash: 7fb0d3548eb4696715b61b4d34b3ffc1fb1c834f0369d31dd022699ec7e78fe4
Instruction Fuzzy Hash: 3612A572708B4185EB61CF29D4643AE77B0FB64B96F900136EA8EA7794DF3AD445C700

Function 00007FF6CE52D620 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6CE52D6F1
GetProcAddress.KERNEL32 ref: 00007FF6CE52D701

Strings

http/1.1, xrefs: 00007FF6CE52E117
ntdll, xrefs: 00007FF6CE52D6EA
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00007FF6CE52E399
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 00007FF6CE52D6D2
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF6CE52D792
schannel: initial InitializeSecurityContext failed: %s, xrefs: 00007FF6CE52E2BC, 00007FF6CE52E303
Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 00007FF6CE52E09F
wine_get_version, xrefs: 00007FF6CE52D6FA
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF6CE52E0E3
http/1.1, xrefs: 00007FF6CE52E103
schannel: ALPN, offering %s, xrefs: 00007FF6CE52E125
schannel: unable to allocate memory, xrefs: 00007FF6CE52E1F7
schannel: SNI or certificate check failed: %s, xrefs: 00007FF6CE52E2DD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Unrecognized parameter passed via CURLOPT_SSLVERSION$http/1.1$http/1.1$ntdll$schannel: ALPN, offering %s$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 1646373207-2477831187
Opcode ID: 3f68eddcdc12938e3d7424a30c3aca718588809a139331383700c071d1ec7716
Instruction ID: af28ee7c03bad83c7f6ab137ab13bda345d7a6d7f466def8b4b291739dbf51c5
Opcode Fuzzy Hash: 3f68eddcdc12938e3d7424a30c3aca718588809a139331383700c071d1ec7716
Instruction Fuzzy Hash: E102B172A08B8186EB108F25D8643EE37B4FB6578AF904135EA8DA7791DF3EE545C700

Function 00007FF6CE50EC60 Relevance: 28.7, APIs: 19, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50EC92
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50ED2D
InitializeCriticalSectionEx.KERNEL32 ref: 00007FF6CE50ED46

Part of subcall function 00007FF6CE528410: socket.WS2_32 ref: 00007FF6CE528451

DeleteCriticalSection.KERNEL32 ref: 00007FF6CE50ED80
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50ED8A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50ED94
closesocket.WS2_32 ref: 00007FF6CE50EDB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50EDE8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE50EDEE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50EE1D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50EE37
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50EE40
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE50EE75
EnterCriticalSection.KERNEL32 ref: 00007FF6CE50EE96
LeaveCriticalSection.KERNEL32 ref: 00007FF6CE50EEAA
CloseHandle.KERNEL32 ref: 00007FF6CE50EEB7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50EEE2
closesocket.WS2_32 ref: 00007FF6CE50EEFB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50EF0F

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalSection$_errno_strdupclosesocket$CloseDeleteEnterHandleInitializeLeavecallocmallocsocket
String ID:
API String ID: 259767416-0
Opcode ID: 5001c8b9b2bd06600651865901df8cedbbabaf59c43ffc619a4b2716dd299c62
Instruction ID: dbe2b660556890cfab0a96035f6f45f2ba919aaf3c2cc71253567c7e4a8973cf
Opcode Fuzzy Hash: 5001c8b9b2bd06600651865901df8cedbbabaf59c43ffc619a4b2716dd299c62
Instruction Fuzzy Hash: 1F815D26E19B8182EA24DF21E4602697370FBA8B55F545235EBDE937A2DF79F0D4C300

Function 00007FF6CE5162D0 Relevance: 28.6, APIs: 6, Strings: 10, Instructions: 557COMMON

Download Yara Rule

Strings

No connections available., xrefs: 00007FF6CE516A71
anonymous, xrefs: 00007FF6CE516488
Re-using existing connection! (#%ld) with %s %s, xrefs: 00007FF6CE5169B3
No more connections allowed to host %s: %zu, xrefs: 00007FF6CE516A62
ftp@example.com, xrefs: 00007FF6CE51648F
No connections available in cache, xrefs: 00007FF6CE516CCB
host, xrefs: 00007FF6CE5169A0
NTLM-proxy picked AND auth done set, clear picked!, xrefs: 00007FF6CE516B50
proxy, xrefs: 00007FF6CE516992
NTLM picked AND auth done set, clear picked!, xrefs: 00007FF6CE516B22

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!$No connections available in cache$No connections available.$No more connections allowed to host %s: %zu$Re-using existing connection! (#%ld) with %s %s$anonymous$ftp@example.com$host$proxy
API String ID: 0-760484938
Opcode ID: 7e5a9ecc9f364a1abff28ad31555aa64131474e0263a4fd0f7626a158c15246f
Instruction ID: b42f2ad90c2671fe16c57e344beeda3889c9ec8aa3ae66a27f9253813b5176c8
Opcode Fuzzy Hash: 7e5a9ecc9f364a1abff28ad31555aa64131474e0263a4fd0f7626a158c15246f
Instruction Fuzzy Hash: 8342E166A09BC292EB588F6595603B873B0FB65B85F884035EEDD97385DF7EE460C300

Function 00007FF6CE515260 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE505511,?,?,?,?,00007FF6CE4F4C01), ref: 00007FF6CE515278
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5152C1

Strings

<, xrefs: 00007FF6CE5153D7
<, xrefs: 00007FF6CE5154FE
<, xrefs: 00007FF6CE515508
v, xrefs: 00007FF6CE51556F
`, xrefs: 00007FF6CE51555A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: callocfree
String ID: <$<$<$`$v
API String ID: 306872129-2056843887
Opcode ID: 3eef42f8e11f84fd80d09224aaad3287b80bf499d6f8e5f18735260e96aef36e
Instruction ID: e1f7a047a9180ba1fe501b28caed868c51d17cdfc2dd57ac789f472ab8b54575
Opcode Fuzzy Hash: 3eef42f8e11f84fd80d09224aaad3287b80bf499d6f8e5f18735260e96aef36e
Instruction Fuzzy Hash: AE915B72908BC186E310CF24D4143E837A4FB65B6CF485239DF995B39ADFBAA095C720

Function 00007FF6CE51ACB0 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 161
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getpeername.WS2_32 ref: 00007FF6CE51AD1C
WSAGetLastError.WS2_32 ref: 00007FF6CE51AD26

Part of subcall function 00007FF6CE505EB0: GetLastError.KERNEL32 ref: 00007FF6CE505ED2
Part of subcall function 00007FF6CE505EB0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505EDA

getsockname.WS2_32 ref: 00007FF6CE51ADA6
WSAGetLastError.WS2_32 ref: 00007FF6CE51ADB0

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 00007FF6CE51AECC
getpeername() failed with errno %d: %s, xrefs: 00007FF6CE51AD46
getsockname() failed with errno %d: %s, xrefs: 00007FF6CE51ADD0
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00007FF6CE51AE36

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_errnogetpeernamegetsockname
String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 2911674258-670633250
Opcode ID: 559b675214bbfd1821bf51f3e6cf208b6a51f128b56bb22836966ea5e2880d44
Instruction ID: 429056cbd1ecd9583ee7fd603302d9e417ff02d8a17e75e2350308feda260feb
Opcode Fuzzy Hash: 559b675214bbfd1821bf51f3e6cf208b6a51f128b56bb22836966ea5e2880d44
Instruction Fuzzy Hash: D2919176A19BC182E710CF25D4642E973B0FBA8B49F845236EE8C97756DF3AE185C700

Function 00007FF6CE52C080 Relevance: 19.6, APIs: 13, Instructions: 128networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FF6CE52C0A2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C10E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C148
memcpy.VCRUNTIME140(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C161
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C16F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C1AA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C1B3
freeaddrinfo.WS2_32(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C1E1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C1F5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C1FF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C20C
WSASetLastError.WS2_32(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C22D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$ErrorLast_strdupfreeaddrinfogetaddrinfomemcpy
String ID:
API String ID: 2364279375-0
Opcode ID: ca50c8ca88fe1f4457af3d72081aeddcddfa0bca7dd5fbdb425e7f22079f941d
Instruction ID: b23156ed0904a95aa3bcdc67ede584dc67afb89c36efb90d5d9c30a5832f487c
Opcode Fuzzy Hash: ca50c8ca88fe1f4457af3d72081aeddcddfa0bca7dd5fbdb425e7f22079f941d
Instruction Fuzzy Hash: 90518F36A09B4182EA28CF41A52513977B4FFA8B91F844035EECEE7751DF3EE8549700

Function 00007FF6CE529990 Relevance: 16.7, APIs: 11, Instructions: 241sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF6CE5299ED
Sleep.KERNEL32 ref: 00007FF6CE5299FE
WSASetLastError.WS2_32 ref: 00007FF6CE529B68
Sleep.KERNEL32 ref: 00007FF6CE529B79
__WSAFDIsSet.WS2_32 ref: 00007FF6CE529C2C
__WSAFDIsSet.WS2_32 ref: 00007FF6CE529C43
__WSAFDIsSet.WS2_32 ref: 00007FF6CE529C5E
__WSAFDIsSet.WS2_32 ref: 00007FF6CE529C72
__WSAFDIsSet.WS2_32 ref: 00007FF6CE529C8D
__WSAFDIsSet.WS2_32 ref: 00007FF6CE529CA1

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: b17c9a42e245c7741aaed1d22f339584a59fe42792c13619a6d9d44380aee17a
Instruction ID: af8668140be64bdcd86330ff2966c781b2e0fce4d90f15036340c01aa956c0bc
Opcode Fuzzy Hash: b17c9a42e245c7741aaed1d22f339584a59fe42792c13619a6d9d44380aee17a
Instruction Fuzzy Hash: 1491FAB1B0C68286EB644F1598682B962B1FF74356FD06134FA9EE6BC4DF3FD9418600

Function 00007FF6CE5049C0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE502D90: memcpy.VCRUNTIME140(?,?,?,?,00007FF6CE4F1052), ref: 00007FF6CE502DC8

Part of subcall function 00007FF6CE503A50: memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF6CE502AEC), ref: 00007FF6CE503AA0

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6CE504A55

Part of subcall function 00007FF6CE502D90: memcpy.VCRUNTIME140(?,?,?,?,00007FF6CE4F1052), ref: 00007FF6CE502E69

memcpy.VCRUNTIME140 ref: 00007FF6CE504AFC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504BEB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504BF2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504C31
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE504C7F

Strings

QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm1234567890, xrefs: 00007FF6CE504A0D
| Developer : Bronkz , xrefs: 00007FF6CE504B97

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$memsetrand
String ID: | Developer : Bronkz $QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm1234567890
API String ID: 1615646049-1834593235
Opcode ID: 3c534d76cba189520c6d2fb855150c2b7eac48da072d9367d55a083801a22756
Instruction ID: 6e365e5d863dc546d7f9b2b023100f03741782193b5f9f6cfb98c71165c3a8dd
Opcode Fuzzy Hash: 3c534d76cba189520c6d2fb855150c2b7eac48da072d9367d55a083801a22756
Instruction Fuzzy Hash: 6681C462F18BC189FB10CFA5E4603AC2371EB55799F804631FEADA6AD9DE79D485C300

Function 00007FF6CE5188A0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5188EF

Strings

Couldn't resolve proxy '%s', xrefs: 00007FF6CE518ACC
Unix socket path too long: '%s', xrefs: 00007FF6CE518946
Couldn't resolve host '%s', xrefs: 00007FF6CE518A21

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: calloc
String ID: Couldn't resolve host '%s'$Couldn't resolve proxy '%s'$Unix socket path too long: '%s'
API String ID: 2635317215-3812100122
Opcode ID: f3fa1684d0793ac13c963c35e78721a6e3a71da14f5f712953180809184ba821
Instruction ID: cb096d74b28c5545dfb451de0004d9f1d951e97b4c6a685b2178fae6aa81457a
Opcode Fuzzy Hash: f3fa1684d0793ac13c963c35e78721a6e3a71da14f5f712953180809184ba821
Instruction Fuzzy Hash: FA51A022A0CB8297FB298F65A4603BD67A0FB94791F940031EBCD93791DF3EE4558710

Function 00007FF6CE4F3470 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 121processCOMMON

Download Yara Rule

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F34D7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3547
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F35A7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F35F7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3647
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F36B8

Strings

h%49, xrefs: 00007FF6CE4F368E
.8, xrefs: 00007FF6CE4F3695

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: system
String ID: .8$h%49
API String ID: 3377271179-4206735779
Opcode ID: 521d45bdb8a55dc01889218d64817cac38f63317c1f3d791648d4055fc5679f5
Instruction ID: c93481b53a7b07c9a99617372ad05b7d487d9b84a1cc36ccb90c9159baa84081
Opcode Fuzzy Hash: 521d45bdb8a55dc01889218d64817cac38f63317c1f3d791648d4055fc5679f5
Instruction Fuzzy Hash: D0614122E187D689F301CF78E8551BC7770BBA9B49F805368EEC5B5A19EFB85148C344

Function 00007FF6CE553190 Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6CE5531B9
__scrt_release_startup_lock.LIBCMT ref: 00007FF6CE553227
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE553275
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE55327A
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE553282
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE55328A
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5532AC
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE553306

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: 86edb2caa39de90e9cd6f2952ff0692118652086183848987bc26694b561c529
Instruction ID: 8627c417358a18d34bf114ae897117a984d21fc19befe0b2487edaa3d1e20100
Opcode Fuzzy Hash: 86edb2caa39de90e9cd6f2952ff0692118652086183848987bc26694b561c529
Instruction Fuzzy Hash: 4B315C21A0E54A81EA14AF64E4323B933B1AF75786FD45434F6CDEB6DBCE2FA4048710

Function 00007FF6CE50EB50 Relevance: 12.1, APIs: 8, Instructions: 67networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE52C080: getaddrinfo.WS2_32 ref: 00007FF6CE52C0A2
Part of subcall function 00007FF6CE52C080: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C10E
Part of subcall function 00007FF6CE52C080: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C148
Part of subcall function 00007FF6CE52C080: memcpy.VCRUNTIME140(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C161
Part of subcall function 00007FF6CE52C080: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C16F
Part of subcall function 00007FF6CE52C080: freeaddrinfo.WS2_32(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C1E1
Part of subcall function 00007FF6CE52C080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C1F5
Part of subcall function 00007FF6CE52C080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C1FF
Part of subcall function 00007FF6CE52C080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EBA5), ref: 00007FF6CE52C20C

WSAGetLastError.WS2_32 ref: 00007FF6CE50EBAB
WSAGetLastError.WS2_32 ref: 00007FF6CE50EBB5
EnterCriticalSection.KERNEL32 ref: 00007FF6CE50EBD0
LeaveCriticalSection.KERNEL32 ref: 00007FF6CE50EBDF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50EBF0
send.WS2_32 ref: 00007FF6CE50EC13
WSAGetLastError.WS2_32 ref: 00007FF6CE50EC1D
LeaveCriticalSection.KERNEL32 ref: 00007FF6CE50EC30

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalErrorLastSection$Leavemalloc$Enter_strdupfreeaddrinfogetaddrinfomemcpysend
String ID:
API String ID: 506363382-0
Opcode ID: 5b0755b5e0d2ce06b35841c5bc2c5bce5d465279ad45c3f2c2743dd5cf135806
Instruction ID: 95e783d6c3f36d30caf91676f0e01aedfb19d3f0fde50c8bc30c1bac555d3e16
Opcode Fuzzy Hash: 5b0755b5e0d2ce06b35841c5bc2c5bce5d465279ad45c3f2c2743dd5cf135806
Instruction Fuzzy Hash: 79317271B08A8286EB509F35E46026933B0FF54B99F904132FA9EE36A4DF7EE445C750

Function 00007FF6CE5295F0 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF6CE529656
WSASetLastError.WS2_32 ref: 00007FF6CE529816
Sleep.KERNEL32 ref: 00007FF6CE529826
__WSAFDIsSet.WS2_32 ref: 00007FF6CE52993A
__WSAFDIsSet.WS2_32 ref: 00007FF6CE529952
Sleep.KERNEL32 ref: 00007FF6CE52997D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 584ff7c4a0ade376e1590f5c5be4166b00c7f66651601a01946c64729a27996f
Instruction ID: c97b96c864f7a6c05113aeba78f726727f4331cfcf81092297f29ce62985dfe7
Opcode Fuzzy Hash: 584ff7c4a0ade376e1590f5c5be4166b00c7f66651601a01946c64729a27996f
Instruction Fuzzy Hash: 6DA13AB1A1968286EB694F14D4243B962B5FF75BA1F946234F99EE67C4DF3FD8008300

Function 00007FF6CE52C860 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52CA8A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52CACF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52CAF7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52CB39

Strings

schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 00007FF6CE52CA53
schannel: ApplyControlToken failure: %s, xrefs: 00007FF6CE52C968
schannel: shutting down SSL/TLS connection with %s port %hu, xrefs: 00007FF6CE52C8DE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
API String ID: 1294909896-116363806
Opcode ID: 2fa0a04dca0a2d736e9febbc5c35a769116f2a2a83354f8b04f79121c240596a
Instruction ID: 1bfd9e18883c82b76640740e10740db2e2dfacbfcd5a954398eccc7491c2fb28
Opcode Fuzzy Hash: 2fa0a04dca0a2d736e9febbc5c35a769116f2a2a83354f8b04f79121c240596a
Instruction Fuzzy Hash: FF914A32A08B8186EB10CF25D8646AD37B4FB54B9AF940135EE8DA77A4DF3AD455CB00

Function 00007FF6CE52F640 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52F6DE
memcpy.VCRUNTIME140 ref: 00007FF6CE52F776
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52F8AC

Strings

select/poll on SSL socket, errno: %d, xrefs: 00007FF6CE52F854
schannel: timed out sending data (bytes sent: %zd), xrefs: 00007FF6CE52F874

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemcpy
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 3056473165-3891197721
Opcode ID: 115eca9854ca0fd17bac56368392ffc65c445426865f8d94ac47b19f7d186ac1
Instruction ID: edd8a60de2c7fa2265d34745b762d07d3291ddf3958340afdbdee3da0b012ce6
Opcode Fuzzy Hash: 115eca9854ca0fd17bac56368392ffc65c445426865f8d94ac47b19f7d186ac1
Instruction Fuzzy Hash: 2671B372B08B018AEB10CF65E4646AD73B5FB68BA9F400235EE6DA77D4DE3AD405C350

Function 00007FF6CE4F6080 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F6113
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F6167
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F618E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F61B6
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F61FC
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F6203
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,?,?,00007FF6CE4F3D7B,?,?,?,00007FF6CE4F3D34), ref: 00007FF6CE4F6210

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: 208fa52b44a035180f7d91b060c35db5a5747a70b1b81ebf8405fb8aa7e967d3
Instruction ID: 2cd5470ccc938e62525b2e8daea673e17cd12c3fcaeab06ec2f34fcb6a0ba2f4
Opcode Fuzzy Hash: 208fa52b44a035180f7d91b060c35db5a5747a70b1b81ebf8405fb8aa7e967d3
Instruction Fuzzy Hash: 2D517432609A4281EB208F19E590238A7B0FB95F96F15C671DE9E937E1CF3EE446C340

Function 00007FF6CE50A6B0 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50A6FE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50A715
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50A842
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50A86E

Strings

%s, xrefs: 00007FF6CE50A977
Connection #%ld to host %s left intact, xrefs: 00007FF6CE50A92B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %s$Connection #%ld to host %s left intact
API String ID: 1294909896-118628944
Opcode ID: e77895a9751036b21535ac73da886d50c503ef3642a7971e689c0f5a40f0e31f
Instruction ID: 967358d9758d4d102f05689f724c2b9b53009cdfe8498c0c6d9a5319eeb031ea
Opcode Fuzzy Hash: e77895a9751036b21535ac73da886d50c503ef3642a7971e689c0f5a40f0e31f
Instruction Fuzzy Hash: AD919735B086C182E759DF2595603B963B0FB64B8AF844432FE9EA7356CF3EE4618740

Function 00007FF6CE515AD0 Relevance: 9.2, APIs: 6, Instructions: 161COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF6CE51634B), ref: 00007FF6CE515AE7
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF6CE51634B), ref: 00007FF6CE515B18

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 0254dc93bb3bd32d0669771128c780dc98bea4f5bf358c96edf4e62052080987
Instruction ID: 6933df668b35309e3218f2eaaf579e02c1b47496190b372741117e8fa3e92a1a
Opcode Fuzzy Hash: 0254dc93bb3bd32d0669771128c780dc98bea4f5bf358c96edf4e62052080987
Instruction Fuzzy Hash: 47919D22609BC189D7558F3494503AD37A0F765B29F480236DBAC8B3DACF3AA1A4C721

Function 00007FF6CE514B40 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE514B6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE514B81

Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE51499D
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE5149BA
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE5149CE
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE5149EA
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A07
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A2A
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A3E
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A52
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A78
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A8C
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514AA0
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514AEF
Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514AFC

Part of subcall function 00007FF6CE514920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514B25

memset.VCRUNTIME140 ref: 00007FF6CE514BB5

Strings

User-Agent: %s, xrefs: 00007FF6CE514C4F
Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF6CE514D91

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$memset
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 2717317152-3248832348
Opcode ID: 7afb2b27abbf41bfa3c672d527035cb6dc133b315ca04ec1a04d1086fe65b9a4
Instruction ID: 99f2dcb1fa8443ab79e3a471b7c90a292a097693686f0b4540edbc7a9b841f00
Opcode Fuzzy Hash: 7afb2b27abbf41bfa3c672d527035cb6dc133b315ca04ec1a04d1086fe65b9a4
Instruction Fuzzy Hash: E671826290CBC281EB51DF65D4203BD2770EBA1B99F885135EB9EA7285DF3EE4418310

Function 00007FF6CE5250C0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE525158
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE525161
memcpy.VCRUNTIME140 ref: 00007FF6CE52517C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5252DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5252E5

Strings

1.1, xrefs: 00007FF6CE5250CF

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$memcpy
String ID: 1.1
API String ID: 4107583993-2150719395
Opcode ID: 5300e14513d8f7ebe35a0b8dd6fefa137ce1587b572c5d9cb8c8937d774a9538
Instruction ID: 1c40784d6d4415d4066edea72c1142f2d6efe017cf7618e7fd24792d5a7074e7
Opcode Fuzzy Hash: 5300e14513d8f7ebe35a0b8dd6fefa137ce1587b572c5d9cb8c8937d774a9538
Instruction Fuzzy Hash: 76517E72608B8586DA64CF62E4543AA73B4FB64B85F844031EEDE97759CF3DE054C301

Function 00007FF6CE519880 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE519946
recv.WS2_32 ref: 00007FF6CE519970
send.WS2_32 ref: 00007FF6CE519993
WSAGetLastError.WS2_32 ref: 00007FF6CE5199A5

Strings

Send failure: %s, xrefs: 00007FF6CE5199D5

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastmallocrecvsend
String ID: Send failure: %s
API String ID: 25851408-857917747
Opcode ID: 863de7c726ec3fc0b01bb3668a44103df19d21e46b8851c7976f4897b69886ac
Instruction ID: 95755a345269d7a985e2eb646bc4a83a486ce497232ce4fd3023979338eac6f2
Opcode Fuzzy Hash: 863de7c726ec3fc0b01bb3668a44103df19d21e46b8851c7976f4897b69886ac
Instruction Fuzzy Hash: 4B41E4B270578545EB608F65E8607B962B0BB58BA9F845235EEED933C4DF3ED050C300

Function 00007FF6CE50B7A8 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50B8F8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50B93F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50B96A

Part of subcall function 00007FF6CE50A6B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50A6FE
Part of subcall function 00007FF6CE50A6B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50A715

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50B99F

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF6CE50ACE6

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Resolving timed out after %I64d milliseconds
API String ID: 1294909896-3343404259
Opcode ID: e645904f14e393138d41cc4d956c1f5d7b4f2d7e58b8321eccfaa764749d0a0a
Instruction ID: 9bc194e2ab65bb4743072980d7a24d2f9105efb305d5427a8b2d41319a78f141
Opcode Fuzzy Hash: e645904f14e393138d41cc4d956c1f5d7b4f2d7e58b8321eccfaa764749d0a0a
Instruction Fuzzy Hash: 9FD1A471E0868285FB658F6590653B923B1FF60B8EF845431FE8DA729ADF3AE4418340

Function 00007FF6CE4F4BC0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 157windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F34D7
Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3547
Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F35A7
Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F35F7
Part of subcall function 00007FF6CE4F3470: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F3647

MessageBoxA.USER32 ref: 00007FF6CE4F4D97

Part of subcall function 00007FF6CE4F5980: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F4DFA

Strings

null, xrefs: 00007FF6CE4F4C22
keyauth.win, xrefs: 00007FF6CE4F4D23

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: system$Message_invalid_parameter_noinfo_noreturnmemcpy
String ID: keyauth.win$null
API String ID: 3545939226-2841560827
Opcode ID: ed64171637d9b5b9956b76b2d1e9ffefe921fba106e267350f9c5ed2697d310b
Instruction ID: 75e500db9b1620aa1a855db2c911efe732f69a54ab04e32199dfc793446c0ef5
Opcode Fuzzy Hash: ed64171637d9b5b9956b76b2d1e9ffefe921fba106e267350f9c5ed2697d310b
Instruction Fuzzy Hash: 6751D232B1879285FB04DF75E4643AC2371AB55B89F808134EE8D67B9ADF7D91828344

Function 00007FF6CE545E30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE51C010: GetModuleHandleA.KERNEL32(?,?,?,00007FF6CE545E6A,?,?,?,?,00007FF6CE51C39B), ref: 00007FF6CE51C024

GetProcAddressForCaller.KERNELBASE(?,?,?,?,00007FF6CE51C39B), ref: 00007FF6CE545E80

Strings

security.dll, xrefs: 00007FF6CE545E5A
InitSecurityInterfaceA, xrefs: 00007FF6CE545E76
secur32.dll, xrefs: 00007FF6CE545E53

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressCallerHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2084706301-3788156360
Opcode ID: 82a0fb6484f3e8b6611add1df3e0e797bdb1d519db4f7b5807b093002f62a582
Instruction ID: 077bcb7f4ebe4e16ae184b382c117af33868356b92e400aa20bd97724336d532
Opcode Fuzzy Hash: 82a0fb6484f3e8b6611add1df3e0e797bdb1d519db4f7b5807b093002f62a582
Instruction Fuzzy Hash: FDF03CA1E1AB0340FF589F11A9B177013B4AF74746FC80475E48CE6391EE6FE5A58310

Function 00007FF6CE50B2DB Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Resolving timed out after %I64d milliseconds, xrefs: 00007FF6CE50ACE6

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Resolving timed out after %I64d milliseconds
API String ID: 0-3343404259
Opcode ID: 6d10da8ec952336e027cf8c184e3c1e9517f343eba6b145a19ff8fa48737c229
Instruction ID: 4c2e4f9c82f537d55346193f52dcbf19736b03bc147da26c644d6b8c0267caf0
Opcode Fuzzy Hash: 6d10da8ec952336e027cf8c184e3c1e9517f343eba6b145a19ff8fa48737c229
Instruction Fuzzy Hash: 22B18931E0868286FBA48F2594B427D23B1FF61B4EF945535FA9EA7295DE3EE440C340

Function 00007FF6CE524C80 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE524D80

Part of subcall function 00007FF6CE525310: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE52536A

Part of subcall function 00007FF6CE5250C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE525158
Part of subcall function 00007FF6CE5250C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE525161

Strings

TCP6, xrefs: 00007FF6CE524D07
PROXY %s %s %s %li %li, xrefs: 00007FF6CE524D54
TCP4, xrefs: 00007FF6CE524D1A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$calloc
String ID: PROXY %s %s %s %li %li$TCP4$TCP6
API String ID: 3095843317-1242256665
Opcode ID: 04a00c3a825b976bc83a577d51352bb5e16238101738be73d0353c13f482c4b5
Instruction ID: 8e85e9e02987beeda4478cb731118c72f4eae2010dc83a24db90be4e82d95504
Opcode Fuzzy Hash: 04a00c3a825b976bc83a577d51352bb5e16238101738be73d0353c13f482c4b5
Instruction Fuzzy Hash: 1A41C371A0C6C246F760CF24A4253BA37B1ABA5785F885032EACDE7286DE3ED404CB00

Function 00007FF6CE509570 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00007FF6CE5055A6,?,?,?,?,00000000,?,00007FF6CE4F4D7E), ref: 00007FF6CE50958D
closesocket.WS2_32 ref: 00007FF6CE509699
closesocket.WS2_32 ref: 00007FF6CE5096A6

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: closesocket$calloc
String ID:
API String ID: 2958813939-0
Opcode ID: 2e311719630227007828969db5fa304b32be0e1b8abce2cd6af2a0a5e0c61705
Instruction ID: ba2f8f5f21bb0df0985fd5e9534111a29743dc24b6e0a5f1eadf49b93ca816b8
Opcode Fuzzy Hash: 2e311719630227007828969db5fa304b32be0e1b8abce2cd6af2a0a5e0c61705
Instruction Fuzzy Hash: 5F414236A08A8181E740DF31D4642E92371EFB8769FC84235FE9DD62DAEF3AD5458350

Function 00007FF6CE503A50 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF6CE502AEC), ref: 00007FF6CE503AA0
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF6CE502AEC), ref: 00007FF6CE503B3A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE503B58

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memset$Concurrency::cancel_current_task
String ID:
API String ID: 3006004123-0
Opcode ID: 5976bfd24160100ad2df36c3457a3cdc8c7beb3fbc45187ce150c2c9b6e4d792
Instruction ID: 41cd63ccb21660728906c7a0801b6ad7e9f411fb8570337900644c762ca77a73
Opcode Fuzzy Hash: 5976bfd24160100ad2df36c3457a3cdc8c7beb3fbc45187ce150c2c9b6e4d792
Instruction Fuzzy Hash: 50212B22B067C641FA169F11A55037822B09F24BFAF944730FEAC67BD2DE3D64939300

Function 00007FF6CE52D430 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

select/poll on SSL/TLS socket, errno: %d, xrefs: 00007FF6CE52D573
SSL/TLS connection timeout, xrefs: 00007FF6CE52D58C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: 1062d8c4fcfa794554350b31ae4101be37d5c586297e745c5e4bc9d7aa0bb695
Instruction ID: 05b446ea11c79c8a842ef8a8679c9f2dd739938660951aa2caf14c427fcd0a32
Opcode Fuzzy Hash: 1062d8c4fcfa794554350b31ae4101be37d5c586297e745c5e4bc9d7aa0bb695
Instruction Fuzzy Hash: F351E522B0968289EB10DF219568279B3B1EB757A9F948231EA9DD73D4DE7EE041C300

Function 00007FF6CE515840 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5158A5

Strings

User-Agent: %s, xrefs: 00007FF6CE5158B6
Connected to %s (%s) port %ld (#%ld), xrefs: 00007FF6CE5159E4

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
API String ID: 1294909896-3248832348
Opcode ID: 1772b3dbdd24c40b34deb516f0790b8f8902f8ea61525a4a851735ece554d061
Instruction ID: b174da94a2d0c356a56d4f48e806b3b1e200e33b4d4a1c58f4d3d2c603465bae
Opcode Fuzzy Hash: 1772b3dbdd24c40b34deb516f0790b8f8902f8ea61525a4a851735ece554d061
Instruction Fuzzy Hash: B9518162A08AC181E7418F65D4643BD6770EB94BA9F485131EFCCAB39ADFBED490C311

Function 00007FF6CE552CC8 Relevance: 4.5, APIs: 3, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF6CE4F5A5E,7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE552CE2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE552CF8

Part of subcall function 00007FF6CE553734: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CE55373D
Part of subcall function 00007FF6CE553734: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF6CE552CFD,?,?,-3333333333333333,00007FF6CE4F5A5E,7FFFFFFFFFFFFFFF,black,-3333333333333333), ref: 00007FF6CE55374E

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE552CFE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task$ExceptionThrowmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 594857686-0
Opcode ID: d45501a47fe0c93f163af86d8cedd9b663048174fb29c1dc453c45f1ca705199
Instruction ID: 82175ee25c516af9136a59d450565de7e91054acd522a0e99c0fe1beff760d15
Opcode Fuzzy Hash: d45501a47fe0c93f163af86d8cedd9b663048174fb29c1dc453c45f1ca705199
Instruction Fuzzy Hash: 7BE0EC44E5F14B15F9582E6218261B521B01F75772EA81730FEFEE92C7ED1EB4918A10

Function 00007FF6CE5048F0 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE5049C0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6CE504A55
Part of subcall function 00007FF6CE5049C0: memcpy.VCRUNTIME140 ref: 00007FF6CE504AFC

SetConsoleTitleA.KERNELBASE ref: 00007FF6CE50491C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE50495D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleTitle_invalid_parameter_noinfo_noreturnmemcpyrand
String ID:
API String ID: 2197930578-0
Opcode ID: d94dddc29e53a8d47172155ad00cd63a78f076d89053cbda679b758f1adc2db4
Instruction ID: ecc1cdd83f76b3b52ef73e72c6669dc7adaec375a595ef7b109111518426f263
Opcode Fuzzy Hash: d94dddc29e53a8d47172155ad00cd63a78f076d89053cbda679b758f1adc2db4
Instruction Fuzzy Hash: 26F0C271A08AC681ED209F10E06433C2270FF95BAAFD04631F6EE927E4CE3EE4409200

Function 00007FF6CE5196A0 Relevance: 3.0, APIs: 2, Instructions: 23networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF6CE5196AC
WSAGetLastError.WS2_32 ref: 00007FF6CE5196BB

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 4c901c4136b4487d5cfc523d5afe1cbdefb8dc3579f7cbc50ae47f02235c701e
Instruction ID: ef500019b9221fc615c444f48be6b566382bdeb94b41b0a81f5efb9a4dc171eb
Opcode Fuzzy Hash: 4c901c4136b4487d5cfc523d5afe1cbdefb8dc3579f7cbc50ae47f02235c701e
Instruction Fuzzy Hash: F5E0DFA1F0450582FF284FB1A86433821A09B64732F845734EA7A863C0DE6C44D24700

Function 00007FF6CE505420 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE505444
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE505465

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 64a6dfbbf8d296f68d70b9412b4b18a72c97af2256e479083ee554ed7de60f30
Instruction ID: c40d7643bb129db2e7c43b2d10afae0adf182ab4b102bcb04b94fa4c8bc90932
Opcode Fuzzy Hash: 64a6dfbbf8d296f68d70b9412b4b18a72c97af2256e479083ee554ed7de60f30
Instruction Fuzzy Hash: 56E03072608B8192D6009F50F81455AB3B4FBA87C5F804039EBCC57A64CF7CC165C740

Function 00007FF6CE519F80 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF6CE519FC3

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 999616c77db2e3887c3f9f8fe01128bb6490dea282ff98eb386819be609384fd
Instruction ID: f06562b49a082ae73da08cb40f81d37e5cc95e9085ecbaede40d73857e461a25
Opcode Fuzzy Hash: 999616c77db2e3887c3f9f8fe01128bb6490dea282ff98eb386819be609384fd
Instruction Fuzzy Hash: D50196A1B055C181EB45DF6AD1A836D63B0FFD8B89F485031FB4D87299CE2ED4958340

Function 00007FF6CE521AA0 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF6CE521AC9

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: cf5e51d1a4bf7630574794120a43a3685bcdb6461cb0384ef6396c409ada1fc3
Instruction ID: db9253a9f7067935227707c50341f06540b159a663f55008498f3ea206f524c6
Opcode Fuzzy Hash: cf5e51d1a4bf7630574794120a43a3685bcdb6461cb0384ef6396c409ada1fc3
Instruction Fuzzy Hash: 2AE0223AE0268182CE08AF2284A12B92371AB60735FC44375E63D563C0CE2EE2569B00

Function 00007FF6CE52C700 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE52C71B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _beginthreadex
String ID:
API String ID: 3014514943-0
Opcode ID: 8bb45da2976d398286988acd8fadef8bf7f34971bb97ccd64d6bbb3ca771250e
Instruction ID: 447e25a75a31be97b9df9914d1bc15e8ab15aa7aa49449963a06565f1226d9fc
Opcode Fuzzy Hash: 8bb45da2976d398286988acd8fadef8bf7f34971bb97ccd64d6bbb3ca771250e
Instruction Fuzzy Hash: 6FD0C263718A00429F108F61A850029E252F798774B884738EE7D827E0DB38D1458600

Function 00007FF6CE528640 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF6CE528659

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 0ab89bf5b60c86f36ef367bbb247df94a50ec002144ef512cae682d7c32797fb
Instruction ID: 9528fe81c06979cab6281da8760961e80847f9a02ad47d114de27cc4495ec887
Opcode Fuzzy Hash: 0ab89bf5b60c86f36ef367bbb247df94a50ec002144ef512cae682d7c32797fb
Instruction Fuzzy Hash: 32C08066F155C2C2C3445F615485197B771BBC4205FD55435E147C112CED3CC2A58B40

Non-executed Functions

Function 00007FF6CE540BD0 Relevance: 102.1, APIs: 45, Strings: 13, Instructions: 581COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE5194A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE5195C5
Part of subcall function 00007FF6CE5194A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE5195E0

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE540C5E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE540C92
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE540C9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE540CB9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE540CCC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE540CD5
#22.WLDAP32 ref: 00007FF6CE540CE6
#211.WLDAP32 ref: 00007FF6CE540D80
#217.WLDAP32 ref: 00007FF6CE540D9C
#211.WLDAP32 ref: 00007FF6CE540DB5
#211.WLDAP32 ref: 00007FF6CE540DC7
#60.WLDAP32 ref: 00007FF6CE540DF7
#211.WLDAP32 ref: 00007FF6CE540F12
#60.WLDAP32 ref: 00007FF6CE540F37
#22.WLDAP32 ref: 00007FF6CE540FDA
#41.WLDAP32 ref: 00007FF6CE5413F6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54141E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE541428
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE541448
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54145B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE541464
#46.WLDAP32 ref: 00007FF6CE541476

Strings

LDAP local: bind via ldap_win_bind %s, xrefs: 00007FF6CE540FE4
LDAP local: %s, xrefs: 00007FF6CE540CEC
DN: , xrefs: 00007FF6CE5410D2
LDAP remote: %s, xrefs: 00007FF6CE541057
LDAP local: Cannot connect to %s:%ld, xrefs: 00007FF6CE540E1B
cleartext, xrefs: 00007FF6CE540D0F
There are more than %d entries, xrefs: 00007FF6CE541406
;binary, xrefs: 00007FF6CE541260
Microsoft Corporation., xrefs: 00007FF6CE540BF0
encrypted, xrefs: 00007FF6CE540D2E
LDAP local: trying to establish %s connection, xrefs: 00007FF6CE540D19
LDAP local: LDAP Vendor = %s ; LDAP Version = %d, xrefs: 00007FF6CE540C04
LDAP local: %s, xrefs: 00007FF6CE540C47

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$#211$fwrite$#217calloc
String ID: ;binary$DN: $LDAP local: %s$LDAP local: %s$LDAP local: Cannot connect to %s:%ld$LDAP local: LDAP Vendor = %s ; LDAP Version = %d$LDAP local: bind via ldap_win_bind %s$LDAP local: trying to establish %s connection$LDAP remote: %s$Microsoft Corporation.$There are more than %d entries$cleartext$encrypted
API String ID: 2742731861-78870445
Opcode ID: 0fc67a95772723a82de9b6a323919df84d450f64d6f651ef3d23f7d3c2a81af6
Instruction ID: 6bd7df16f9154d5a776301e5ff33af41c1e3605c37111ec27b5ea635423d55aa
Opcode Fuzzy Hash: 0fc67a95772723a82de9b6a323919df84d450f64d6f651ef3d23f7d3c2a81af6
Instruction Fuzzy Hash: A1428472B09B4286E710DF6295642B933B1FB64B89F804432EE8EA7794DE3EE455D340

Function 00007FF6CE4FAD2D Relevance: 78.0, APIs: 39, Strings: 5, Instructions: 975COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF6CE4FB72D
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF6CE4FB734
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FB814
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FB842
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FB850
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FB88B

Strings

array, xrefs: 00007FF6CE4FB94A
object key, xrefs: 00007FF6CE4FB5BF, 00007FF6CE4FBDF9
object separator, xrefs: 00007FF6CE4FB433, 00007FF6CE4FBC6A
object, xrefs: 00007FF6CE4FBAD9
number overflow parsing ', xrefs: 00007FF6CE4FB750

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@__std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: array$number overflow parsing '$object$object key$object separator
API String ID: 1664669839-85532522
Opcode ID: 897081a7bd7634a7eeeefdb572b3a23f29dc86dd5a4ccd0dde15270ec1d942b8
Instruction ID: afa396d9fbb84dd40d5a0df21687343b20090ae9eac5a66c2893d44d4840438f
Opcode Fuzzy Hash: 897081a7bd7634a7eeeefdb572b3a23f29dc86dd5a4ccd0dde15270ec1d942b8
Instruction Fuzzy Hash: C0A2C662A18B8686EF10CF68D4443AD2371FB55BA5F509235EADDA7AD9DF7CE081C300

Function 00007FF6CE53CED0 Relevance: 77.4, APIs: 26, Strings: 18, Instructions: 435networkfilepipeCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53CF1F
WSAStartup.WS2_32 ref: 00007FF6CE53CFC0
FreeLibrary.KERNEL32 ref: 00007FF6CE53D1AD
GetStdHandle.KERNEL32 ref: 00007FF6CE53D1BC
GetFileType.KERNEL32 ref: 00007FF6CE53D1DD
WaitForMultipleObjects.KERNEL32 ref: 00007FF6CE53D227
PeekNamedPipe.KERNEL32 ref: 00007FF6CE53D2AC
ReadFile.KERNEL32 ref: 00007FF6CE53D2D3
ReadFile.KERNEL32 ref: 00007FF6CE53D38D
WSAGetLastError.WS2_32 ref: 00007FF6CE53D3EE
WSAGetLastError.WS2_32 ref: 00007FF6CE53D5EA
FreeLibrary.KERNEL32 ref: 00007FF6CE53D60A
GetLastError.KERNEL32 ref: 00007FF6CE53D614

Part of subcall function 00007FF6CE53DE40: send.WS2_32 ref: 00007FF6CE53DE7D
Part of subcall function 00007FF6CE53DE40: WSAGetLastError.WS2_32 ref: 00007FF6CE53DE87

Strings

, xrefs: 00007FF6CE53D5B2
failed to find WSAEnumNetworkEvents function (%u), xrefs: 00007FF6CE53D110
WSAEnumNetworkEvents, xrefs: 00007FF6CE53D0F0
Time-out, xrefs: 00007FF6CE53D5C7
WSACreateEvent failed (%d), xrefs: 00007FF6CE53D12E
WSAEventSelect, xrefs: 00007FF6CE53D0C1
WSAStartup failed (%d), xrefs: 00007FF6CE53CFCD
WSACloseEvent failed (%d), xrefs: 00007FF6CE53D5F0
FreeLibrary(wsock2) failed (%u), xrefs: 00007FF6CE53D61A
WSACloseEvent, xrefs: 00007FF6CE53D07C
WSAEnumNetworkEvents failed (%d), xrefs: 00007FF6CE53D402
failed to find WSAEventSelect function (%u), xrefs: 00007FF6CE53D0E7
WS2_32.DLL, xrefs: 00007FF6CE53D00E
failed to load WS2_32.DLL (%u), xrefs: 00007FF6CE53D03B
WSACreateEvent, xrefs: 00007FF6CE53D055
failed to find WSACloseEvent function (%u), xrefs: 00007FF6CE53D09C
insufficient winsock version to support telnet, xrefs: 00007FF6CE53D64F
failed to find WSACreateEvent function (%u), xrefs: 00007FF6CE53D073

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$File$FreeLibraryRead$HandleMultipleNamedObjectsPeekPipeStartupTypeWaitcallocsend
String ID: $FreeLibrary(wsock2) failed (%u)$Time-out$WS2_32.DLL$WSACloseEvent$WSACloseEvent failed (%d)$WSACreateEvent$WSACreateEvent failed (%d)$WSAEnumNetworkEvents$WSAEnumNetworkEvents failed (%d)$WSAEventSelect$WSAStartup failed (%d)$failed to find WSACloseEvent function (%u)$failed to find WSACreateEvent function (%u)$failed to find WSAEnumNetworkEvents function (%u)$failed to find WSAEventSelect function (%u)$failed to load WS2_32.DLL (%u)$insufficient winsock version to support telnet
API String ID: 1025660337-777782649
Opcode ID: c9dcd3d3987a12d53f45995fa24dec8f457d42c5b6b5cc3b40d9e4318cb59d90
Instruction ID: 0a06d5291fc26873c85299636ee3f99b095443fbe6da9ebdbd8109eb0f2bad0b
Opcode Fuzzy Hash: c9dcd3d3987a12d53f45995fa24dec8f457d42c5b6b5cc3b40d9e4318cb59d90
Instruction Fuzzy Hash: E1129F75A08A8282EB648F15A4643B973B0FB65B86F844135EECEE7794DF7EE444C700

Function 00007FF6CE512A90 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 254stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE512AF6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE512B1D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE512B78

Strings

;sha256//, xrefs: 00007FF6CE512BF0
sha256//, xrefs: 00007FF6CE512AEC, 00007FF6CE512C3E
public key hash: sha256//%s, xrefs: 00007FF6CE512B8E
-----BEGIN PUBLIC KEY-----, xrefs: 00007FF6CE512D4A
-----END PUBLIC KEY-----, xrefs: 00007FF6CE512D7E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemallocstrncmp
String ID: public key hash: sha256//%s$-----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$;sha256//$sha256//
API String ID: 1436789207-471711153
Opcode ID: f5aa2a3b72427ac3efbd59ab5ff24d4843ba125c3f1a9a7ec2f0d467d4f9c03f
Instruction ID: fd1e2ca43ee9cf23644c04b7bf284a70fbfbca5bedd74272e465b63428a7d926
Opcode Fuzzy Hash: f5aa2a3b72427ac3efbd59ab5ff24d4843ba125c3f1a9a7ec2f0d467d4f9c03f
Instruction Fuzzy Hash: 96A1B125B0D64281FE509F62A4302B963B0AF65BD2FC44535FE8EA7794DF3EE4459300

Function 00007FF6CE549DA0 Relevance: 52.8, APIs: 17, Strings: 13, Instructions: 253fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6CE549DE6

Part of subcall function 00007FF6CE505FF0: GetLastError.KERNEL32 ref: 00007FF6CE50600C
Part of subcall function 00007FF6CE505FF0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE506014

CreateFileA.KERNEL32 ref: 00007FF6CE549E40
GetLastError.KERNEL32 ref: 00007FF6CE549E51
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A18D

Strings

schannel: failed to extract certificate from CA file '%s': %s, xrefs: 00007FF6CE54A115
schannel: CA file '%s' is not correctly formatted, xrefs: 00007FF6CE54A131
schannel: failed to read from CA file '%s': %s, xrefs: 00007FF6CE54A090
-----BEGIN CERTIFICATE-----, xrefs: 00007FF6CE549F8E
schannel: failed to open CA file '%s': %s, xrefs: 00007FF6CE549E6B
schannel: added %d certificate(s) from CA file '%s', xrefs: 00007FF6CE54A163
-----END CERTIFICATE-----, xrefs: 00007FF6CE549FB9
schannel: did not add any certificates from CA file '%s', xrefs: 00007FF6CE54A152
schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 00007FF6CE54A0C6
schannel: invalid path name for CA file '%s': %s, xrefs: 00007FF6CE549E00
schannel: CA file exceeds max size of %u bytes, xrefs: 00007FF6CE549EE9
schannel: failed to determine size of CA file '%s': %s, xrefs: 00007FF6CE549EB2
schannel: unexpected content type '%d' when extracting certificate from CA file '%s', xrefs: 00007FF6CE54A0E5

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateFile_errnofree
String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: CA file exceeds max size of %u bytes$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to determine size of CA file '%s': %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
API String ID: 1377488173-902404565
Opcode ID: 4ef997890e21ee2b6ede1455b427ae8585ab3804f843de745b925b65734bc92f
Instruction ID: be81350c780baf23cf9c34cd32940c8dc609d9b6fd73ad96436283aaa9008e5f
Opcode Fuzzy Hash: 4ef997890e21ee2b6ede1455b427ae8585ab3804f843de745b925b65734bc92f
Instruction Fuzzy Hash: 52B1A1A5B0874282EA208F65E4206AA63B5BF64785FC01436FDCEE7B95DF7EE505C700

Function 00007FF6CE516CE0 Relevance: 51.2, APIs: 21, Strings: 8, Instructions: 401stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6CE516D3A
memset.VCRUNTIME140 ref: 00007FF6CE516D4F
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE516D6B
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE516D92
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE516E09
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE516E3C
strchr.VCRUNTIME140 ref: 00007FF6CE516F26
strchr.VCRUNTIME140 ref: 00007FF6CE516F6B
strchr.VCRUNTIME140 ref: 00007FF6CE516F9B
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE517043

Part of subcall function 00007FF6CE52F8F0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F918
Part of subcall function 00007FF6CE52F8F0: GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F93E
Part of subcall function 00007FF6CE52F8F0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F95F
Part of subcall function 00007FF6CE52F8F0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F970

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE517116
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE517145
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51716B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE517197
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5171A5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5171B7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51735A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE517363

Strings

all_proxy, xrefs: 00007FF6CE5170C9
ALL_PROXY, xrefs: 00007FF6CE5170E0
memory shortage, xrefs: 00007FF6CE516E17
no_proxy, xrefs: 00007FF6CE516E61
Uses proxy env variable %s == '%s', xrefs: 00007FF6CE516E9C, 00007FF6CE5170FA
NO_PROXY, xrefs: 00007FF6CE516E7D
http_proxy, xrefs: 00007FF6CE51708D
_proxy, xrefs: 00007FF6CE517059

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$strchr$_strdupmemsetreallocstrncpy$EnvironmentVariabletolower
String ID: ALL_PROXY$NO_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy$memory shortage$no_proxy
API String ID: 1339443121-1021110354
Opcode ID: 417984568cb3bb09a9ec995b3f70e0b3dbd78b579f572f14e818ca5481ebab13
Instruction ID: 74084dc01409feeb28b141d9cdafe2c77569916f00d0d40f3ab4749db4f941a3
Opcode Fuzzy Hash: 417984568cb3bb09a9ec995b3f70e0b3dbd78b579f572f14e818ca5481ebab13
Instruction Fuzzy Hash: 4202B222A0D7C289EA51CF55A4643BA67B4EF66B86F881035EECD97785DF7EE404C300

Function 00007FF6CE544F60 Relevance: 42.4, APIs: 21, Strings: 3, Instructions: 425COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545016
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5450D1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5450DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5450F1

Strings

realm, xrefs: 00007FF6CE545277
digest_sspi: MakeSignature failed, error 0x%08lx, xrefs: 00007FF6CE54530B
WDigest, xrefs: 00007FF6CE544FA1, 00007FF6CE5453D5

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: WDigest$digest_sspi: MakeSignature failed, error 0x%08lx$realm
API String ID: 2190258309-2223379150
Opcode ID: 0c826b8d39769713cb702df9992078b6bb46f2c3275ed240e172b7baba578129
Instruction ID: b8e4a99c340aea7302e63930064ff9c7687eb390cfb5412e3763023b196077b6
Opcode Fuzzy Hash: 0c826b8d39769713cb702df9992078b6bb46f2c3275ed240e172b7baba578129
Instruction Fuzzy Hash: 23127F72A08B458AEB11CF61E4642AD37B4FB54B86F840036EECE97B98DF3AD514C740

Function 00007FF6CE51AFE0 Relevance: 38.8, APIs: 14, Strings: 8, Instructions: 317stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6CE51B0B2
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51B0CD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51B10C

Strings

Local Interface %s is ip %s using address family %i, xrefs: 00007FF6CE51B1C7
Name '%s' family %i resolved to '%s' family %i, xrefs: 00007FF6CE51B2D8
bind failed with errno %d: %s, xrefs: 00007FF6CE51B498
Couldn't bind to interface '%s', xrefs: 00007FF6CE51B250
Bind to local port %hu failed, trying next, xrefs: 00007FF6CE51B3C0
Local port: %hu, xrefs: 00007FF6CE51B4B5
getsockname() failed with errno %d: %s, xrefs: 00007FF6CE51B45C
Couldn't bind to '%s', xrefs: 00007FF6CE51B1A2

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strncmp$memset
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
API String ID: 3268688168-2769131373
Opcode ID: 3a2d566405f58e07a26b211ce09203f59ecb060a0523437c51504bf8719f1765
Instruction ID: 79b8b867202463994cbfb323e751b17708b89b1d73ed6a3c8fbb101d53f268be
Opcode Fuzzy Hash: 3a2d566405f58e07a26b211ce09203f59ecb060a0523437c51504bf8719f1765
Instruction Fuzzy Hash: 3FE1C266E18682C5EB50CF61D4602BD6370FBA9789F805236FE8EA3765DF6ED444C700

Function 00007FF6CE52D9AC Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203stringfileCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6CE52DA48
strchr.VCRUNTIME140 ref: 00007FF6CE52DA74
strchr.VCRUNTIME140 ref: 00007FF6CE52DAAE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52DAD2
strchr.VCRUNTIME140 ref: 00007FF6CE52DBE2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52DBFA
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE52DD25
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE52DD51

Strings

, xrefs: 00007FF6CE52D9AC
CurrentUser, xrefs: 00007FF6CE52DAC2
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF6CE52DE89

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdupfopenfseekstrncmpstrtol
String ID: $CurrentUser$schannel: Failed to import cert file %s, password is bad
API String ID: 4221717217-4282655970
Opcode ID: 4f112af17fb67a23f2d20053220846bfce6bc761a204968eec3052061f775bdd
Instruction ID: ed576c08cdc3bde8cae7f89ee4d9556a9032921aedbc7ba59ef3f086c200aa39
Opcode Fuzzy Hash: 4f112af17fb67a23f2d20053220846bfce6bc761a204968eec3052061f775bdd
Instruction Fuzzy Hash: 8B818E61B0964286FB598F2198743B927B0BF75B96FC44535EA9EE63D0EF3EE4448300

Function 00007FF6CE4FAF0B Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 509COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF6CE4FB734
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FB814
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FB842
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FB850
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FB88B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FB8CA

Strings

array, xrefs: 00007FF6CE4FB94A
object, xrefs: 00007FF6CE4FBAD9
number overflow parsing ', xrefs: 00007FF6CE4FB750

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$Xbad_function_call@std@@
String ID: array$number overflow parsing '$object
API String ID: 958247072-579821726
Opcode ID: 1f85228a8e1dcd96c5749357920a7be9297188ea7e4e065a2d09485e3d617784
Instruction ID: eb63ef22055370efcbda833e8cdb6161eda2054fa69ca3b34e1068294015bdf5
Opcode Fuzzy Hash: 1f85228a8e1dcd96c5749357920a7be9297188ea7e4e065a2d09485e3d617784
Instruction Fuzzy Hash: 2C329262A18A8685EF10CF68D4443ED2371FB65BA5F409235EADDA7AD9DF7CE181C300

Function 00007FF6CE52D9B5 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202stringfileCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6CE52DA48
strchr.VCRUNTIME140 ref: 00007FF6CE52DA74
strchr.VCRUNTIME140 ref: 00007FF6CE52DAAE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52DAD2
strchr.VCRUNTIME140 ref: 00007FF6CE52DBE2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52DBFA
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE52DD25
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE52DD51

Strings

CurrentUser, xrefs: 00007FF6CE52DAC2
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF6CE52DE89

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdupfopenfseekstrncmpstrtol
String ID: CurrentUser$schannel: Failed to import cert file %s, password is bad
API String ID: 4221717217-1887299029
Opcode ID: d81118415de279e1bd8c7ef0bff756aefff24ffe37d1422fcd19cfe41d797d7c
Instruction ID: 683173973eb85ebc062ac0d5b64d279af6c2ff620f6f0745ee15baa4873b5119
Opcode Fuzzy Hash: d81118415de279e1bd8c7ef0bff756aefff24ffe37d1422fcd19cfe41d797d7c
Instruction Fuzzy Hash: 44819F61B0964286FB598F2198643B927B0BF75B96F844535EA9EE63D0EF3EE4448300

Function 00007FF6CE543F30 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 252fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000468,00000470,00000000,?), ref: 00007FF6CE543FC3
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE543FED
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5440B2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5440BE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE544122
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54412E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE544231
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54423F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE54424A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54429F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5442BE

Strings

password, xrefs: 00007FF6CE544169
machine, xrefs: 00007FF6CE544181, 00007FF6CE5441C2
, xrefs: 00007FF6CE544001, 00007FF6CE544202
login, xrefs: 00007FF6CE54414E
default, xrefs: 00007FF6CE5441DD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup$fclosefgetsfopen
String ID: $default$login$machine$password
API String ID: 431015889-155862542
Opcode ID: 120d301832f87ea5628d90ead2db6dd58f88ec22e2c86d66c45c4a88094fe9e5
Instruction ID: 2fc1aa270247e987b30001d9d681c2f88c8e40f311951b47bfbd90a61d91ba9c
Opcode Fuzzy Hash: 120d301832f87ea5628d90ead2db6dd58f88ec22e2c86d66c45c4a88094fe9e5
Instruction Fuzzy Hash: 7EA1B962A4D6C245FA619F11A43037A66B0BFB4786F885032FECDE6794DE3EE4648700

Function 00007FF6CE4F1000 Relevance: 25.4, Strings: 20, Instructions: 421COMMON

Download Yara Rule

Strings

aqua, xrefs: 00007FF6CE4F113E
valorantplus, xrefs: 00007FF6CE4F18B1
white, xrefs: 00007FF6CE4F12EB
light green, xrefs: 00007FF6CE4F1438
green, xrefs: 00007FF6CE4F10EA
light yellow, xrefs: 00007FF6CE4F15F4
bright white, xrefs: 00007FF6CE4F1663
valorantplus, xrefs: 00007FF6CE4F188E
black, xrefs: 00007FF6CE4F1041
light blue, xrefs: 00007FF6CE4F13C9
light aqua, xrefs: 00007FF6CE4F14A7
light purple, xrefs: 00007FF6CE4F1585
yellow, xrefs: 00007FF6CE4F127C
1.0, xrefs: 00007FF6CE4F1838
purple, xrefs: 00007FF6CE4F120D
red, xrefs: 00007FF6CE4F119E
uaHQW8FPzW, xrefs: 00007FF6CE4F187A
light red, xrefs: 00007FF6CE4F1516
blue, xrefs: 00007FF6CE4F1096
grey, xrefs: 00007FF6CE4F135A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task$memcpy$_invalid_parameter_noinfo_noreturnmalloc
String ID: 1.0$aqua$black$blue$bright white$green$grey$light aqua$light blue$light green$light purple$light red$light yellow$purple$red$uaHQW8FPzW$valorantplus$valorantplus$white$yellow
API String ID: 2521954609-3145754764
Opcode ID: 69b15d03ec6337db883e88422c229bc7fd9d859ecb5634d82d7c52e76ca82bd6
Instruction ID: ab14d888f9d6f1b1683d5dd44f4475ee38fd4f0398efa58ac4a7babda6dfe870
Opcode Fuzzy Hash: 69b15d03ec6337db883e88422c229bc7fd9d859ecb5634d82d7c52e76ca82bd6
Instruction Fuzzy Hash: B532C232914BC699E760CF30D8902EA3374FBA434DF909326F68C66956DF79A789C740

Function 00007FF6CE52CCB0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6CE52CCF0
CryptAcquireContextA.ADVAPI32(?,?,?,?,?,?,?,?,00007FF6CE52CC79), ref: 00007FF6CE52CD0F
CryptCreateHash.ADVAPI32(?,?,?,?,?,?,?,?,00007FF6CE52CC79), ref: 00007FF6CE52CD39
CryptHashData.ADVAPI32(?,?,?,?,?,?,?,?,00007FF6CE52CC79), ref: 00007FF6CE52CD51
CryptGetHashParam.ADVAPI32(?,?,?,?,?,?,?,?,00007FF6CE52CC79), ref: 00007FF6CE52CD76
CryptGetHashParam.ADVAPI32(?,?,?,?,?,?,?,?,00007FF6CE52CC79), ref: 00007FF6CE52CDA2
CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,?,00007FF6CE52CC79), ref: 00007FF6CE52CDB2
CryptReleaseContext.ADVAPI32(?,?,?,?,?,?,?,?,00007FF6CE52CC79), ref: 00007FF6CE52CDC4

Strings

@, xrefs: 00007FF6CE52CD05

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyReleasememset
String ID: @
API String ID: 2041421932-2766056989
Opcode ID: 1eb8a48e2300e5bf157cfc237dde58775f69cb9af600b55eba24a45786b79056
Instruction ID: aaf25e906c8105955cd21832b45142eb43c6951448cb42a1f69e7292aaca5e1d
Opcode Fuzzy Hash: 1eb8a48e2300e5bf157cfc237dde58775f69cb9af600b55eba24a45786b79056
Instruction Fuzzy Hash: 2F311D366196C186EB60CF11E854A6A7B74FFE5B81F844135EE8EA3B64CF3DD4458B00

Function 00007FF6CE505FF0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6CE50600C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE506014
FormatMessageA.KERNEL32 ref: 00007FF6CE50604E
strchr.VCRUNTIME140 ref: 00007FF6CE506063
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5060AC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5060B6
GetLastError.KERNEL32 ref: 00007FF6CE5060BE
SetLastError.KERNEL32 ref: 00007FF6CE5060CA

Strings

Unknown error %u (0x%08X), xrefs: 00007FF6CE50609A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchr
String ID: Unknown error %u (0x%08X)
API String ID: 1897771742-1058733786
Opcode ID: d84f3f5b4417d24dde26fdb44b697695d289cb837b7e06a603b2ceecd887a71f
Instruction ID: 7454a48dd6a359c1db7eb75d3f7e3a7503c4041536e7d04859b8a96d74cf88e8
Opcode Fuzzy Hash: d84f3f5b4417d24dde26fdb44b697695d289cb837b7e06a603b2ceecd887a71f
Instruction Fuzzy Hash: 9E21C831A497C1C6E7515F21A42422A76B0AF64BD6F844134FECEA3B95CFBEE5408701

Function 00007FF6CE513FB0 Relevance: 14.3, Strings: 11, Instructions: 540COMMON

Download Yara Rule

Strings

Could multiplex, but not asked to!, xrefs: 00007FF6CE51414C
Server doesn't support multiplex yet, wait, xrefs: 00007FF6CE5140FB
Server doesn't support multiplex (yet), xrefs: 00007FF6CE51411F
Multiplexed connection found!, xrefs: 00007FF6CE514821
can multiplex, xrefs: 00007FF6CE5140B2
Can not multiplex, even if we wanted to!, xrefs: 00007FF6CE51416A
serially, xrefs: 00007FF6CE5140BE
Connection #%ld is still name resolving, can't reuse, xrefs: 00007FF6CE5141F1
Found bundle for host %s: %p [%s], xrefs: 00007FF6CE5140C9
Connection #%ld isn't open enough, can't reuse, xrefs: 00007FF6CE514216
Found pending candidate for reuse and CURLOPT_PIPEWAIT is set, xrefs: 00007FF6CE51487A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Can not multiplex, even if we wanted to!$Connection #%ld is still name resolving, can't reuse$Connection #%ld isn't open enough, can't reuse$Could multiplex, but not asked to!$Found bundle for host %s: %p [%s]$Found pending candidate for reuse and CURLOPT_PIPEWAIT is set$Multiplexed connection found!$Server doesn't support multiplex (yet)$Server doesn't support multiplex yet, wait$can multiplex$serially
API String ID: 0-2774518510
Opcode ID: 9c467e42603e081e45cec4e688cc9939d413c5be2b5618097dbca3e2b5c45818
Instruction ID: 1d81d2dea87cb5d4943045241e79a6e81b7034fd7c693655b2cc8692fba23dfa
Opcode Fuzzy Hash: 9c467e42603e081e45cec4e688cc9939d413c5be2b5618097dbca3e2b5c45818
Instruction Fuzzy Hash: BC42DA61A0C7C245EB558EA581203B937F1FB62B4AF886035EFDEA7285DF2EE451C310

Function 00007FF6CE5528E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF6CE552926
CryptCreateHash.ADVAPI32 ref: 00007FF6CE55294A
CryptHashData.ADVAPI32 ref: 00007FF6CE552966
CryptGetHashParam.ADVAPI32 ref: 00007FF6CE552985
CryptGetHashParam.ADVAPI32 ref: 00007FF6CE5529A8
CryptDestroyHash.ADVAPI32 ref: 00007FF6CE5529B8
CryptReleaseContext.ADVAPI32 ref: 00007FF6CE5529CA

Strings

@, xrefs: 00007FF6CE5528FD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID: @
API String ID: 3606780921-2766056989
Opcode ID: 082323a5f092b46e25be36ed7ee31bbafcb87e115c1c4ceae835060f559dbb31
Instruction ID: 246af4e78544ce6006fdb9de616efdb66b3ad14d1948a71261e1b62effc7f54d
Opcode Fuzzy Hash: 082323a5f092b46e25be36ed7ee31bbafcb87e115c1c4ceae835060f559dbb31
Instruction Fuzzy Hash: F4219132619785C6EB608F11E46066AB370FBD9B86F805135FACE93A58CF3ED4458B00

Function 00007FF6CE55391C Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6CE553938
memset.VCRUNTIME140 ref: 00007FF6CE55395C
RtlCaptureContext.KERNEL32 ref: 00007FF6CE553965
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6CE55397F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6CE5539C0
memset.VCRUNTIME140 ref: 00007FF6CE5539F3
IsDebuggerPresent.KERNEL32 ref: 00007FF6CE553A14
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6CE553A31
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6CE553A3C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 8bab5ded550b86401e2723e37e838836c295cd33c65aafcb946cd39ac4b2147a
Instruction ID: 640064b0cc55592fda4bddbc098fdd018d2e2e634b66993c852c9942d51e9b62
Opcode Fuzzy Hash: 8bab5ded550b86401e2723e37e838836c295cd33c65aafcb946cd39ac4b2147a
Instruction Fuzzy Hash: B9315E7260AB8586EB608F60E8503FD7370FB94745F84403AEA8E97B99DF79D648C710

Function 00007FF6CE5507F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF6CE550837
CryptImportKey.ADVAPI32 ref: 00007FF6CE550909
CryptReleaseContext.ADVAPI32 ref: 00007FF6CE550921
CryptEncrypt.ADVAPI32 ref: 00007FF6CE550952
CryptDestroyKey.ADVAPI32 ref: 00007FF6CE55095C
CryptReleaseContext.ADVAPI32 ref: 00007FF6CE550968

Strings

@, xrefs: 00007FF6CE55081D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID: @
API String ID: 3016261861-2766056989
Opcode ID: 1788b0ae83449a45a2ade76b7383e2518fda4de1d4ee8bc5fad836e17e610514
Instruction ID: cfd84e6bec4a87ec4925999046e8448a8af35a3a9aa12f08a50938857748e79e
Opcode Fuzzy Hash: 1788b0ae83449a45a2ade76b7383e2518fda4de1d4ee8bc5fad836e17e610514
Instruction Fuzzy Hash: 9941AD22A056A08EF7108FB5E4603EE3BB0E75A349F444025EE8963A9ACF3DD11AD750

Function 00007FF6CE52FF80 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000021C,-00000008,00000000,?,?,00007FF6CE52FF78,?,?,?,?,?,?,00007FF6CE5471BE), ref: 00007FF6CE52FFF6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000021C,-00000008,00000000,?,?,00007FF6CE52FF78,?,?,?,?,?,?,00007FF6CE5471BE), ref: 00007FF6CE53015D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5302BC

Strings

%c%c==, xrefs: 00007FF6CE530123
%c%c%c%c, xrefs: 00007FF6CE5300B3
%c%c%c=, xrefs: 00007FF6CE5300F1

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: %c%c%c%c$%c%c%c=$%c%c==
API String ID: 3985033223-3943651191
Opcode ID: cacad52c925f5218b3d33db38ab2126b830451db61f18385c2c7449608d761c1
Instruction ID: 000419d640ebd44d363f97f2c663f74ad8e1e88c2a690e96b95c559ede07ab56
Opcode Fuzzy Hash: cacad52c925f5218b3d33db38ab2126b830451db61f18385c2c7449608d761c1
Instruction Fuzzy Hash: 4891D732908AD185E7658F25A4243BA7BB0EBA5795F884231FADD977D6CF3ED401C700

Function 00007FF6CE53F100 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53F14F
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53F1AC
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53F1D0
bind.WS2_32 ref: 00007FF6CE53F24B
WSAGetLastError.WS2_32 ref: 00007FF6CE53F255

Strings

bind() failed; %s, xrefs: 00007FF6CE53F270

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: calloc$ErrorLastbind
String ID: bind() failed; %s
API String ID: 2604820300-1141498939
Opcode ID: d5849b88b19d97702c076809e3d371474d12a2961274c776bb8a89410a3bac8a
Instruction ID: 7a99c25fb22e4be9c7b223e5c80b95f334702f4b4cda5e6b708e3f8d7050b753
Opcode Fuzzy Hash: d5849b88b19d97702c076809e3d371474d12a2961274c776bb8a89410a3bac8a
Instruction Fuzzy Hash: 2E519135A0878281EB258F25D8613F962B0FB58B85F844035EA9D97785DF3FE4518720

Function 00007FF6CE53EEC9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53EF1E
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53EF7B
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53EFA3
bind.WS2_32 ref: 00007FF6CE53F022
WSAGetLastError.WS2_32 ref: 00007FF6CE53F02C

Strings

bind() failed; %s, xrefs: 00007FF6CE53F047

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: calloc$ErrorLastbind
String ID: bind() failed; %s
API String ID: 2604820300-1141498939
Opcode ID: ce2d296cf8783bc94a88b2c1d0c80a5ce672f6c6ce68c514c241579a7bac9d96
Instruction ID: 7af5ba862e6ce414c21f37543b3f81e4e5194e4cb4cee27d22bc35e64e3ae909
Opcode Fuzzy Hash: ce2d296cf8783bc94a88b2c1d0c80a5ce672f6c6ce68c514c241579a7bac9d96
Instruction Fuzzy Hash: 1041BE32A08B8286EB148F25D4643B933B0FB58B95F844136EA8DCB781DF7EE465C710

Function 00007FF6CE528D90 Relevance: 10.1, Strings: 8, Instructions: 72COMMON

Download Yara Rule

Strings

%5I64d, xrefs: 00007FF6CE528DA5
%4I64dk, xrefs: 00007FF6CE528DBE
%4I64dP, xrefs: 00007FF6CE528EAD
%2I64d.%0I64dG, xrefs: 00007FF6CE528E4A
%4I64dM, xrefs: 00007FF6CE528E2C
%4I64dT, xrefs: 00007FF6CE528EA0
%2I64d.%0I64dM, xrefs: 00007FF6CE528DD9
%4I64dG, xrefs: 00007FF6CE528E84

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 0-2102732564
Opcode ID: 2a48ad6cef984a9ea5c1fae6b38a6bb216c9540a4b5d462fd645c5f3228d850f
Instruction ID: 0680070420da1da90c63b114bf2fa4a51095c1ba9ef0d3d840d62ebe7cdb8374
Opcode Fuzzy Hash: 2a48ad6cef984a9ea5c1fae6b38a6bb216c9540a4b5d462fd645c5f3228d850f
Instruction Fuzzy Hash: 1721BA91E0AA4A43FE08CFD5A4347F452305FB4782EC44432F88EA63A1DF7EA986C240

Function 00007FF6CE553CB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF6CE4F203C), ref: 00007FF6CE553CCE
GetLastError.KERNEL32 ref: 00007FF6CE553D19
IsDebuggerPresent.KERNEL32 ref: 00007FF6CE553D31
OutputDebugStringW.KERNEL32 ref: 00007FF6CE553D42

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF6CE553D3B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: e6cef69aee3141f14ee97e917ddaed074d2a29b6d4041a8ca2c1c7a45bda0501
Instruction ID: 0dda9a24ad135030dd02a85c2d9ea7ef9815201c9794942a4fac87e8423b83cc
Opcode Fuzzy Hash: e6cef69aee3141f14ee97e917ddaed074d2a29b6d4041a8ca2c1c7a45bda0501
Instruction Fuzzy Hash: 2D11823261478292E7448F21DA6137932B4FF24746F804134E68DD6A94DF7EE474C710

Function 00007FF6CE52CBE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF6CE52CC11
CryptGenRandom.ADVAPI32 ref: 00007FF6CE52CC25
CryptReleaseContext.ADVAPI32 ref: 00007FF6CE52CC36
CryptReleaseContext.ADVAPI32 ref: 00007FF6CE52CC4C

Strings

@, xrefs: 00007FF6CE52CBF9

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireRandom
String ID: @
API String ID: 2916321625-2766056989
Opcode ID: e05c50b21d959d8e395491d60bbc47aa5adc7d80906625a7559923a369537477
Instruction ID: ec5a8938f1c0579ada2a9f40cbef2dffa1dcc6391386b40b8cefd177c65cd775
Opcode Fuzzy Hash: e05c50b21d959d8e395491d60bbc47aa5adc7d80906625a7559923a369537477
Instruction Fuzzy Hash: AAF03165B08B81C2E7108F65F85432BB770EFA8BD5F944430EF8DA66A9DE7DC4858B00

Function 00007FF6CE553B30 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6CE553B5C
GetCurrentThreadId.KERNEL32 ref: 00007FF6CE553B6A
GetCurrentProcessId.KERNEL32 ref: 00007FF6CE553B76
QueryPerformanceCounter.KERNEL32 ref: 00007FF6CE553B86

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 99ceee5d647225e7261e63e45ab74b95ec5175b664bee8bc72b1c3e7bc0a526f
Instruction ID: 2e749669f092082ec2e9840db8e120a76b3c91d94a309dcfdf680ba017b731ca
Opcode Fuzzy Hash: 99ceee5d647225e7261e63e45ab74b95ec5175b664bee8bc72b1c3e7bc0a526f
Instruction Fuzzy Hash: 90114C22B15B0589EF408F60E8652A833B4FB28769F841E31EAADD67A4DF79D1548340

Function 00007FF6CE52FBD0 Relevance: 6.0, APIs: 4, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 00007FF6CE52FC00
CryptGetHashParam.ADVAPI32 ref: 00007FF6CE52FC26
CryptDestroyHash.ADVAPI32 ref: 00007FF6CE52FC35
CryptReleaseContext.ADVAPI32 ref: 00007FF6CE52FC45

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 34c936b0a9c703c2195cdcb355cbdb83e9601ea6e0023119d1c346eafcc79f3c
Instruction ID: 876adb89cfd330abcd4c058886fdbc379c4fbd8431ab9aba140e3537bb2ca59b
Opcode Fuzzy Hash: 34c936b0a9c703c2195cdcb355cbdb83e9601ea6e0023119d1c346eafcc79f3c
Instruction Fuzzy Hash: 4E017136609681C2EB50CF21E46532AB330EB95B8AF544531EB8D56A68CF7EC488CB00

Function 00007FF6CE52FB70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF6CE52FB8C
CryptCreateHash.ADVAPI32 ref: 00007FF6CE52FBAD

Strings

@, xrefs: 00007FF6CE52FB7C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID: @
API String ID: 1914063823-2766056989
Opcode ID: b862b517ba0bd64001c480fe4c624aace2dc47611f69372d84f0203f44008b0f
Instruction ID: 9efda6fd323eb0dec0e84284a588e0aeb4be5352119eb519ae811d50d8e5b6a8
Opcode Fuzzy Hash: b862b517ba0bd64001c480fe4c624aace2dc47611f69372d84f0203f44008b0f
Instruction Fuzzy Hash: 77E04862B1469283F7608F65E415B167360EBA4749F884030DFCC56B54DF7EC1558F14

Function 00007FF6CE4FF5B0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 00007FF6CE4FF6B4

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: 782d4cc1314472888749f682ab7d939439a3d052ee13c76280ac9d32abdb7d4d
Instruction ID: 819d934f60c3f561fd32921ee176da8d4097988a2bdf9f1e6b5ed2d4c69291be
Opcode Fuzzy Hash: 782d4cc1314472888749f682ab7d939439a3d052ee13c76280ac9d32abdb7d4d
Instruction Fuzzy Hash: 70817C62B19B9A89EB00CF69D4943AC37B0E765B89F548026EF8DA7795DF3DD041C340

Function 00007FF6CE4FEA20 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ca6de128e55fb6ce216344201d591ed70013569d8b0f4d9d2315b49ebf49f1
Instruction ID: efadba9f716916065e3f5b8b142f8902e3ee68189823e0593877ac56b0e85c85
Opcode Fuzzy Hash: 25ca6de128e55fb6ce216344201d591ed70013569d8b0f4d9d2315b49ebf49f1
Instruction Fuzzy Hash: F761D562A19B8682DA10CF19E4446796371FB69BE6F11D235EF9E97B84EF3CE1418300

Function 00007FF6CE552870 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction ID: adac722210679cd33418add525afdfe46a8004d4ccb00f8c173f55bf6f0db514
Opcode Fuzzy Hash: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
Instruction Fuzzy Hash: C9F05829325767AAFE008A3B4624FAD2E509B90741FA36864CCC0420CBCA9E5493D714

Function 00007FF6CE52FBC0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12047c80ebe4bcc38adf0cdfcd9573bb89e240435a430d77410cd1ca2cdc25a8
Instruction ID: 55c55531b2fb732ff6694e868d44e29157398c75e64366510423720cf3b8587b
Opcode Fuzzy Hash: 12047c80ebe4bcc38adf0cdfcd9573bb89e240435a430d77410cd1ca2cdc25a8
Instruction Fuzzy Hash: 7BA00162A4AA8AC0A6108B16E6A0E266660FBA8B5A7959021D94E96860CE6A95428200

Function 00007FF6CE553AC4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2deab06299b5b0072e02a87b154cca8802c303cad1b5a34a14635d41f16380f5
Instruction ID: 03237a2caaaf7617b7775c3175710ab0b86878b4e36ee4f62fb42f260c88843b
Opcode Fuzzy Hash: 2deab06299b5b0072e02a87b154cca8802c303cad1b5a34a14635d41f16380f5
Instruction Fuzzy Hash: 66A00121A0A84690E6048F20E9600307330EB60302B810435E18DA54A9DE7EA5108300

Function 00007FF6CE52CDE0 Relevance: 145.9, APIs: 50, Strings: 47, Instructions: 399stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF6CE52CE13
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52CE63
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52CE84
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52CE9A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52CEB8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52CED6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52CEF4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52CF0C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52CF24

Strings

CALG_DSS_SIGN, xrefs: 00007FF6CE52CF59
CALG_SSL2_MASTER, xrefs: 00007FF6CE52D20B
CALG_DH_SF, xrefs: 00007FF6CE52D085
CALG_RC5, xrefs: 00007FF6CE52D247
CALG_ECDSA, xrefs: 00007FF6CE52D3C4
CALG_ECDH_EPHEM, xrefs: 00007FF6CE52D3DF
CALG_RC2, xrefs: 00007FF6CE52D02B
CALG_TEK, xrefs: 00007FF6CE52D11B
CALG_MD4, xrefs: 00007FF6CE52CEB1
CALG_HUGHES_MD5, xrefs: 00007FF6CE52D0DF
CALG_AES_256, xrefs: 00007FF6CE52D2FB
CALG_DESX, xrefs: 00007FF6CE52D00D
CALG_RSA_SIGN, xrefs: 00007FF6CE52CF3B
CALG_AES_128, xrefs: 00007FF6CE52D2BF
CALG_DH_EPHEM, xrefs: 00007FF6CE52D0A3
CALG_SHA_512, xrefs: 00007FF6CE52D373
CALG_ECDH, xrefs: 00007FF6CE52D38E
CALG_DES, xrefs: 00007FF6CE52CFB3
CALG_SHA_256, xrefs: 00007FF6CE52D337
CALG_SHA_384, xrefs: 00007FF6CE52D355
CALG_SKIPJACK, xrefs: 00007FF6CE52D0FD
CALG_AGREEDKEY_ANY, xrefs: 00007FF6CE52D0C1
CALG_TLS1_MASTER, xrefs: 00007FF6CE52D229
CALG_RC4, xrefs: 00007FF6CE52D049
CALG_SCHANNEL_ENC_KEY, xrefs: 00007FF6CE52D1CF
CALG_PCT1_MASTER, xrefs: 00007FF6CE52D1ED
CALG_MD2, xrefs: 00007FF6CE52CE93
CALG_ECMQV, xrefs: 00007FF6CE52D3A9
CALG_SHA, xrefs: 00007FF6CE52CEED
CALG_SSL3_SHAMD5, xrefs: 00007FF6CE52D157
CALG_RSA_KEYX, xrefs: 00007FF6CE52CF95
CALG_SSL3_MASTER, xrefs: 00007FF6CE52D175
CALG_AES, xrefs: 00007FF6CE52D319
CALG_SCHANNEL_MASTER_HASH, xrefs: 00007FF6CE52D193
CALG_MAC, xrefs: 00007FF6CE52CF1D
CALG_CYLINK_MEK, xrefs: 00007FF6CE52D139
CALG_3DES_112, xrefs: 00007FF6CE52CFD1
CALG_NO_SIGN, xrefs: 00007FF6CE52CF77
CALG_AES_192, xrefs: 00007FF6CE52D2DD
CALG_MD5, xrefs: 00007FF6CE52CECF
CALG_TLS1PRF, xrefs: 00007FF6CE52D283
CALG_SCHANNEL_MAC_KEY, xrefs: 00007FF6CE52D1B1
CALG_SEAL, xrefs: 00007FF6CE52D067
CALG_3DES, xrefs: 00007FF6CE52CFEF
CALG_HASH_REPLACE_OWF, xrefs: 00007FF6CE52D2A1
CALG_SHA1, xrefs: 00007FF6CE52CF05
CALG_HMAC, xrefs: 00007FF6CE52D265

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strcmp$strncpy$strchr
String ID: CALG_3DES$CALG_3DES_112$CALG_AES$CALG_AES_128$CALG_AES_192$CALG_AES_256$CALG_AGREEDKEY_ANY$CALG_CYLINK_MEK$CALG_DES$CALG_DESX$CALG_DH_EPHEM$CALG_DH_SF$CALG_DSS_SIGN$CALG_ECDH$CALG_ECDH_EPHEM$CALG_ECDSA$CALG_ECMQV$CALG_HASH_REPLACE_OWF$CALG_HMAC$CALG_HUGHES_MD5$CALG_MAC$CALG_MD2$CALG_MD4$CALG_MD5$CALG_NO_SIGN$CALG_PCT1_MASTER$CALG_RC2$CALG_RC4$CALG_RC5$CALG_RSA_KEYX$CALG_RSA_SIGN$CALG_SCHANNEL_ENC_KEY$CALG_SCHANNEL_MAC_KEY$CALG_SCHANNEL_MASTER_HASH$CALG_SEAL$CALG_SHA$CALG_SHA1$CALG_SHA_256$CALG_SHA_384$CALG_SHA_512$CALG_SKIPJACK$CALG_SSL2_MASTER$CALG_SSL3_MASTER$CALG_SSL3_SHAMD5$CALG_TEK$CALG_TLS1PRF$CALG_TLS1_MASTER
API String ID: 1395212091-3550120021
Opcode ID: f4201c3ebc7a936199a8356e3c549b6c306c6fe13998301a96da1393634263f1
Instruction ID: d4b5c7ad2be4b4f05bb6cafbeb36d4c0c7bc5dfbf7b1f6bd5dc1414aaf809514
Opcode Fuzzy Hash: f4201c3ebc7a936199a8356e3c549b6c306c6fe13998301a96da1393634263f1
Instruction Fuzzy Hash: 6E021612F19517A1FB509F24D9641B923B5AF3034BFE04032F98EEA099EE5EF546C381

Function 00007FF6CE53A840 Relevance: 49.9, APIs: 6, Strings: 27, Instructions: 385COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53A93D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53AA3E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53AAB1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53AB2B

Strings

CSeq cannot be set as a custom header., xrefs: 00007FF6CE53AB70
Referer: %s, xrefs: 00007FF6CE53AAE2
Referer, xrefs: 00007FF6CE53AAC7
Content-Type, xrefs: 00007FF6CE53ADC3, 00007FF6CE53ADF9
Content-Length, xrefs: 00007FF6CE53AD7C
CSeq, xrefs: 00007FF6CE53AB5C
Content-Type: application/sdp, xrefs: 00007FF6CE53AE0D
Range: %s, xrefs: 00007FF6CE53AB33
Accept-Encoding, xrefs: 00007FF6CE53A9B4
Accept: application/sdp, xrefs: 00007FF6CE53A9AA
Transport: %s, xrefs: 00007FF6CE53A94A
Session: %s, xrefs: 00007FF6CE53AC0D
Content-Type: text/parameters, xrefs: 00007FF6CE53ADD7
Session, xrefs: 00007FF6CE53AB89
Range, xrefs: 00007FF6CE53AB07
Failed sending RTSP request, xrefs: 00007FF6CE53AEA1
OPTIONS, xrefs: 00007FF6CE53A840
Content-Length: %I64d, xrefs: 00007FF6CE53AD97
%s %s RTSP/1.0CSeq: %ld, xrefs: 00007FF6CE53ABD7
Refusing to issue an RTSP SETUP without a Transport: header., xrefs: 00007FF6CE53A975
Refusing to issue an RTSP request [%s] without a session ID., xrefs: 00007FF6CE53A8C3
Session ID cannot be set as a custom header., xrefs: 00007FF6CE53AB9D
Transport, xrefs: 00007FF6CE53A8EE
Accept, xrefs: 00007FF6CE53A998
%s%s%s%s%s%s%s%s, xrefs: 00007FF6CE53AC96
Accept-Encoding: %s, xrefs: 00007FF6CE53A9E9
User-Agent, xrefs: 00007FF6CE53AA1E, 00007FF6CE53AA4D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %s %s RTSP/1.0CSeq: %ld$%s%s%s%s%s%s%s%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: application/sdp$CSeq$CSeq cannot be set as a custom header.$Content-Length$Content-Length: %I64d$Content-Type$Content-Type: application/sdp$Content-Type: text/parameters$Failed sending RTSP request$OPTIONS$Range$Range: %s$Referer$Referer: %s$Refusing to issue an RTSP SETUP without a Transport: header.$Refusing to issue an RTSP request [%s] without a session ID.$Session$Session ID cannot be set as a custom header.$Session: %s$Transport$Transport: %s$User-Agent
API String ID: 1294909896-2200874227
Opcode ID: 23678354ea3f23a5995a636bf68add3aadb59c8ca7b5c683519bd05585954df7
Instruction ID: 46cb13ac35baff30e72c44fe86da15e5f26bbca43a7706338d9a83fdf82b51a1
Opcode Fuzzy Hash: 23678354ea3f23a5995a636bf68add3aadb59c8ca7b5c683519bd05585954df7
Instruction Fuzzy Hash: 6D02A325A0978281EA64DF21E4603B963B1EF60786FC40036EEDDE7796EF3EE4458310

Function 00007FF6CE5517C0 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5518A6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE55194B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5519A2
htonl.WS2_32 ref: 00007FF6CE5519CF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5519E1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551A10
htonl.WS2_32 ref: 00007FF6CE551A25
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551A52
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551AD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551AE2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551AEB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551B11
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551B22
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551B2B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551B34
memcpy.VCRUNTIME140 ref: 00007FF6CE551B4F
memcpy.VCRUNTIME140 ref: 00007FF6CE551B63
memcpy.VCRUNTIME140 ref: 00007FF6CE551B79
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551BA0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551BA9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551BB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551BBB

Strings

GSSAPI handshake failure (invalid security layer), xrefs: 00007FF6CE5519B6
GSSAPI handshake failure (invalid security data), xrefs: 00007FF6CE551937
GSSAPI handshake failure (empty security message), xrefs: 00007FF6CE551927, 00007FF6CE551BC8

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$memcpy$htonl
String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
API String ID: 82385936-242323837
Opcode ID: a8397c215724f632e5744daf35831221ed87b7b74fff3a08a4de72df6ab63d0a
Instruction ID: 0a07a9b65deeb477a38d9b1a164a31af0c6816b27271e9936302d0f9ef507ed7
Opcode Fuzzy Hash: a8397c215724f632e5744daf35831221ed87b7b74fff3a08a4de72df6ab63d0a
Instruction Fuzzy Hash: C0C16072A19B4286EB10CF65E4602AD77B4FB54B95F804035EE8EA7B98DF3EE405C710

Function 00007FF6CE515F60 Relevance: 42.6, APIs: 34, Instructions: 121COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515F7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515F93
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515FA7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515FBB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515FCF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515FE3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515FF7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51600B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51601F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516033
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516047
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51605B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51606F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516083
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516097
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5160AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5160BF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5160D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5160E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5160FB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51610F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516123
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516137
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51614B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51615F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516173
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516187
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51619B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5161AF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5161C3

Part of subcall function 00007FF6CE516250: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5161D8), ref: 00007FF6CE51626B
Part of subcall function 00007FF6CE516250: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5161D8), ref: 00007FF6CE516299

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5161ED

Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A11
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A21
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A2F
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A3D
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A4B
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A59
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A67
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A75

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE516219
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51622D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51623D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: aa421b02ee1a9bb1142f222c8ef83d204ac9fdbd3b2a9a50c4576232eef0ff70
Instruction ID: bf2405c721dd99a00cc643c3732183361a878cec3f019d3bdc07b2a767fc1643
Opcode Fuzzy Hash: aa421b02ee1a9bb1142f222c8ef83d204ac9fdbd3b2a9a50c4576232eef0ff70
Instruction Fuzzy Hash: A071FB76918B8181DB40DF61E4A53BC33B8FB94F9AF481431DE9E9A318CF3A91658331

Function 00007FF6CE4FC5DF Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 459COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6CE4FC5E7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FD0A3
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FD0D1
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FD0DF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FD11A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FD159

Strings

array, xrefs: 00007FF6CE4FD1D9
object, xrefs: 00007FF6CE4FD368
number overflow parsing ', xrefs: 00007FF6CE4FCFDF

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$_dclass
String ID: array$number overflow parsing '$object
API String ID: 1391767211-579821726
Opcode ID: ea2d0396c8f191f992d0f2f5919d327607649db06ba931623e2468fee896ad31
Instruction ID: 68557bcd56532d12273bfa084044a8f879d078c76eb3ce7a0a4a9833c84fa9dc
Opcode Fuzzy Hash: ea2d0396c8f191f992d0f2f5919d327607649db06ba931623e2468fee896ad31
Instruction Fuzzy Hash: 4E22C662A18B8686EB10CF78E4443AD3371FB55BA5F505235EA9DA7AD9DF7CE081C300

Function 00007FF6CE546560 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 312networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6CE546649
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE546690
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5468E6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5468FD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE546918
htons.WS2_32 ref: 00007FF6CE546977

Strings

%s%02x%02x, xrefs: 00007FF6CE5467DE
DOH A: %u.%u.%u.%u, xrefs: 00007FF6CE54675E
DOH AAAA: , xrefs: 00007FF6CE546792
%s, xrefs: 00007FF6CE546833
TTL: %u seconds, xrefs: 00007FF6CE546725
DOH Host name: %s, xrefs: 00007FF6CE546711
DOH: %s type %s for %s, xrefs: 00007FF6CE5466C4
AAAA, xrefs: 00007FF6CE5466B6
Could not DOH-resolve: %s, xrefs: 00007FF6CE5465B6
bad error code, xrefs: 00007FF6CE5466A8
CNAME: %s, xrefs: 00007FF6CE546873

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: calloc$_strdupfreehtonsmemset
String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
API String ID: 130798683-4053692942
Opcode ID: 3ab14d4c703a9b1e3d824fdd9e47185ccd7e52835745cbace91c64c7b1cb41c7
Instruction ID: bd21778c0762c6124937e4bd55ae191d96ca7145b1c8d93038e0843397c3ceae
Opcode Fuzzy Hash: 3ab14d4c703a9b1e3d824fdd9e47185ccd7e52835745cbace91c64c7b1cb41c7
Instruction Fuzzy Hash: 33E1B372A08A8286EB60CF11D4603BD77B4FB64B95F844036EA8EA7785DF7EE554C700

Function 00007FF6CE4FB0B8 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 423COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FB814
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FB842
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FB850
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FB88B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FB8CA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC2BE

Strings

array, xrefs: 00007FF6CE4FB94A
object, xrefs: 00007FF6CE4FBAD9
number overflow parsing ', xrefs: 00007FF6CE4FB750

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: array$number overflow parsing '$object
API String ID: 1346393832-579821726
Opcode ID: 83047499cedd7b0348272822f581b2d2d9134c76b4fb3a593c779d18fe0018a6
Instruction ID: 80dedd7b0480fed73e5a67b4ec7bedfec67f02986f6c568255b7bce4dd64e207
Opcode Fuzzy Hash: 83047499cedd7b0348272822f581b2d2d9134c76b4fb3a593c779d18fe0018a6
Instruction Fuzzy Hash: 05129662E18A8685FF00CF68E4443AD2371EB657A5F509235EADDA7AD9DF7DE081C300

Function 00007FF6CE50F7B0 Relevance: 34.9, APIs: 6, Strings: 17, Instructions: 352COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE5090E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5136E0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE505511), ref: 00007FF6CE509107
Part of subcall function 00007FF6CE5090E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5136E0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE505511), ref: 00007FF6CE509113

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50FA44
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50FA4C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50FA73
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50FA7C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50FB00
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50FB09

Strings

Content-Transfer-Encoding, xrefs: 00007FF6CE50FB71
attachment, xrefs: 00007FF6CE50F9FB, 00007FF6CE50FA02
; name=", xrefs: 00007FF6CE50FA9F
multipart/mixed, xrefs: 00007FF6CE50F8A5
Content-Disposition: %s%s%s%s%s%s%s, xrefs: 00007FF6CE50FAC9
Content-Type, xrefs: 00007FF6CE50F838
text/plain, xrefs: 00007FF6CE50F91C
form-data, xrefs: 00007FF6CE50FCB6
; boundary=, xrefs: 00007FF6CE50FB23
; filename=", xrefs: 00007FF6CE50FA91
application/octet-stream, xrefs: 00007FF6CE50F8D6
8bit, xrefs: 00007FF6CE50FC8A
Content-Transfer-Encoding: %s, xrefs: 00007FF6CE50FC91
Content-Type: %s%s%s, xrefs: 00007FF6CE50FB2D
multipart/form-data, xrefs: 00007FF6CE50FC07
Content-Disposition, xrefs: 00007FF6CE50F971
multipart/, xrefs: 00007FF6CE50F9E7

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
API String ID: 1294909896-1595554923
Opcode ID: 3b251fc1422559d088b0442fe48444d67342af4a5fc5820eebc5f1f98a3d2395
Instruction ID: 828e7ffc9211a67d714cde1e2897e86711f3f253e94b1ce30e696a5fda4ed33e
Opcode Fuzzy Hash: 3b251fc1422559d088b0442fe48444d67342af4a5fc5820eebc5f1f98a3d2395
Instruction Fuzzy Hash: 3CE1B321A0968291EA658F1196212B977B4FF20B8AFC84435FECDE7681DF3FE455C310

Function 00007FF6CE527E30 Relevance: 33.2, APIs: 6, Strings: 16, Instructions: 206COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE527FA7

Strings

Basic, xrefs: 00007FF6CE528107
Negotiate, xrefs: 00007FF6CE527E6A
Server, xrefs: 00007FF6CE52813C
Authorization, xrefs: 00007FF6CE527FEA
Authorization: Bearer %s, xrefs: 00007FF6CE527FB0
Proxy, xrefs: 00007FF6CE528154
Proxy-authorization, xrefs: 00007FF6CE527F13
NTLM, xrefs: 00007FF6CE527E8C
Bearer, xrefs: 00007FF6CE527FA0
CONNECT, xrefs: 00007FF6CE527E3E
%s auth using %s with user '%s', xrefs: 00007FF6CE528146
Proxy-, xrefs: 00007FF6CE5280B6
Authorization:, xrefs: 00007FF6CE527F81
Digest, xrefs: 00007FF6CE527EAE
%sAuthorization: Basic %s, xrefs: 00007FF6CE5280C0
%s:%s, xrefs: 00007FF6CE528039

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$Authorization$Authorization:$Authorization: Bearer %s$Basic$Bearer$CONNECT$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
API String ID: 1294909896-115817326
Opcode ID: 418d22dab3358cf896b8c0334a352bf217a22b17e1ce7865d06ee0be5e9d0993
Instruction ID: 4013e48a6468204de7e3d31c5bc486854157108fe92826f2bc60a05e1f0074eb
Opcode Fuzzy Hash: 418d22dab3358cf896b8c0334a352bf217a22b17e1ce7865d06ee0be5e9d0993
Instruction Fuzzy Hash: 9E918D21E0DB9285FA648F51D4683B927B4EB31B96F844036FA9CA76D5DF3EE811C310

Function 00007FF6CE4F7AE0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE4F5980: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1

memcpy.VCRUNTIME140 ref: 00007FF6CE4F7C56
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6CE4F7CE8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6CE4F7D29
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F7E73
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F7EB2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F7F00
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F7F41
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F7F9E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F8058

Part of subcall function 00007FF6CE552CC8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF6CE4F5A5E,7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE552CE2

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F8099
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F8166
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F81A7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE4F81CA

Strings

; expected , xrefs: 00007FF6CE4F80F0
rsing , xrefs: 00007FF6CE4F7C38
; last read: ', xrefs: 00007FF6CE4F7DAC
unexpected , xrefs: 00007FF6CE4F7FE3
syntax error , xrefs: 00007FF6CE4F7B2D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$Concurrency::cancel_current_taskmalloc
String ID: ; expected $; last read: '$rsing $syntax error $unexpected
API String ID: 264867259-3075834232
Opcode ID: 4484d8fd78b33f8dd988f0e6b9b6adc27fd666d131503a6e7e1b1b9daa30a254
Instruction ID: 83bd0ac1196ff2e8a712e499691c8be5e716c4d3a8dbca8222d16470c5e09d64
Opcode Fuzzy Hash: 4484d8fd78b33f8dd988f0e6b9b6adc27fd666d131503a6e7e1b1b9daa30a254
Instruction Fuzzy Hash: 3312C162A18B8245FB14CF64E40436D2771EB65BA9F809731EAADA77D9DF7CE484C300

Function 00007FF6CE541BF0 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 214stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE541C00
strstr.VCRUNTIME140 ref: 00007FF6CE541C2F
strchr.VCRUNTIME140 ref: 00007FF6CE541C5B
strrchr.VCRUNTIME140 ref: 00007FF6CE541C75
strchr.VCRUNTIME140 ref: 00007FF6CE541C8A
strrchr.VCRUNTIME140 ref: 00007FF6CE541CEA

Strings

., xrefs: 00007FF6CE541CCA
/, xrefs: 00007FF6CE541D03
?, xrefs: 00007FF6CE541C68
/, xrefs: 00007FF6CE541CBE
/, xrefs: 00007FF6CE541C45

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchrstrrchr$_strdupstrstr
String ID: .$/$/$/$?
API String ID: 2325335452-1821401756
Opcode ID: a17a54aa7133aafaaa9c2ac08328899516170b185ddf7fb9db02016165d41d25
Instruction ID: 0ccb60508dd38ebbe7907bc27fa1337c4f27ccee4934adf80edd7b163e560b4d
Opcode Fuzzy Hash: a17a54aa7133aafaaa9c2ac08328899516170b185ddf7fb9db02016165d41d25
Instruction Fuzzy Hash: 1F81D457A0C28645FB655F1196203796BF1AF65786FC84032EECDA73CADE3EE461A300

Function 00007FF6CE53CAF0 Relevance: 31.7, APIs: 9, Strings: 12, Instructions: 208stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF6CE53CBC3
strchr.VCRUNTIME140 ref: 00007FF6CE53CC1A
strchr.VCRUNTIME140 ref: 00007FF6CE53CC32
strchr.VCRUNTIME140 ref: 00007FF6CE53CC4D
strchr.VCRUNTIME140 ref: 00007FF6CE53CCC9
strchr.VCRUNTIME140 ref: 00007FF6CE53CCE1
strchr.VCRUNTIME140 ref: 00007FF6CE53CCFC
strchr.VCRUNTIME140 ref: 00007FF6CE53CD17
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53CDA4

Strings

/DEFINE:, xrefs: 00007FF6CE53CB7B
/FIND:, xrefs: 00007FF6CE53CB60
CLIENT libcurl 7.70.0DEFINE %s %sQUIT, xrefs: 00007FF6CE53CCAA
lookup word is missing, xrefs: 00007FF6CE53CC64, 00007FF6CE53CD2E
/M:, xrefs: 00007FF6CE53CB45
/MATCH:, xrefs: 00007FF6CE53CB2A
Failed sending DICT request, xrefs: 00007FF6CE53CDB1
CLIENT libcurl 7.70.0%sQUIT, xrefs: 00007FF6CE53CBFA
default, xrefs: 00007FF6CE53CC73, 00007FF6CE53CD3D
/D:, xrefs: 00007FF6CE53CB96
CLIENT libcurl 7.70.0MATCH %s %s %sQUIT, xrefs: 00007FF6CE53CD85
/LOOKUP:, xrefs: 00007FF6CE53CBAD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchr$free
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.70.0%sQUIT$CLIENT libcurl 7.70.0DEFINE %s %sQUIT$CLIENT libcurl 7.70.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
API String ID: 3578582447-31095704
Opcode ID: 57f8084c941ee84307938c7e196d8c571a2c12fcedb7f3f1afc5e4682f856cc2
Instruction ID: 53f6d087f572af944ed9d8adb8527fe0c8db68a260088008ba1eb9925512b4a0
Opcode Fuzzy Hash: 57f8084c941ee84307938c7e196d8c571a2c12fcedb7f3f1afc5e4682f856cc2
Instruction Fuzzy Hash: B081D361B4D28640FB619F1299302B566F1AF65BC2FC84431FECDE7785DE6EE401C260

Function 00007FF6CE518B20 Relevance: 30.1, APIs: 24, Instructions: 137COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518B3C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518B52
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518B66
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518B73

Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A11
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A21
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A2F
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A3D
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A4B
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A59
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A67
Part of subcall function 00007FF6CE512A00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A75

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518BAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518BC3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518C16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518C2A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518C3E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518C52
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518CBA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518CCE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518CE2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518CF6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518D5A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518D9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518DAE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518DC2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518DD6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518DEA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518DFE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518E12
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518E26
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518E48

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d658d599a0d1eb89a00984e771f87287ed748dc7128620961ebbc626422fa7af
Instruction ID: 732fb59f16abf4019b219debdce964b5732f066c7c1887e73ddaadfc044835cf
Opcode Fuzzy Hash: d658d599a0d1eb89a00984e771f87287ed748dc7128620961ebbc626422fa7af
Instruction Fuzzy Hash: 6B91D376A18B8193E749CF21E9A02A87378F759F49F041135EFAE87354CF36A2718320

Function 00007FF6CE521F80 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 312stringCOMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE522075
strchr.VCRUNTIME140 ref: 00007FF6CE522115
memcpy.VCRUNTIME140 ref: 00007FF6CE522145
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6CE522171
strchr.VCRUNTIME140 ref: 00007FF6CE5221BC
memcpy.VCRUNTIME140 ref: 00007FF6CE52221B

Part of subcall function 00007FF6CE50E4D0: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE50E514

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE522334

Strings

:%u, xrefs: 00007FF6CE522089, 00007FF6CE522348
RESOLVE %s:%d is - old addresses discarded!, xrefs: 00007FF6CE5223BB
Resolve address '%s' found illegal!, xrefs: 00007FF6CE52229B
], xrefs: 00007FF6CE5221F5
@, xrefs: 00007FF6CE522206
Couldn't parse CURLOPT_RESOLVE removal entry '%s'!, xrefs: 00007FF6CE522017
Added %s:%d:%s to DNS cache, xrefs: 00007FF6CE52242D
%255[^:]:%d, xrefs: 00007FF6CE522001
Couldn't parse CURLOPT_RESOLVE entry '%s'!, xrefs: 00007FF6CE5222AA
RESOLVE %s:%d is wildcard, enabling wildcard checks, xrefs: 00007FF6CE52245E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpystrchrtolower$__stdio_common_vsscanfstrtoul
String ID: %255[^:]:%d$:%u$@$Added %s:%d:%s to DNS cache$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!$RESOLVE %s:%d is - old addresses discarded!$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal!$]
API String ID: 1094891576-1753329177
Opcode ID: 55ad13cea51b9193daabda6f8ec91d68e53a31f2c389824ba380a7271e4da1ee
Instruction ID: 9d8f89942ff3d6e17b0d6087d02853aa124499302e9706d15832ca114c5ef6ab
Opcode Fuzzy Hash: 55ad13cea51b9193daabda6f8ec91d68e53a31f2c389824ba380a7271e4da1ee
Instruction Fuzzy Hash: 77D1B22AA1968685EB218F21D4283F93770FB75799FC45231EA9DA7AD5DF3EE401C300

Function 00007FF6CE517BF0 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 219COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE517F12

Strings

Unsupported proxy scheme for '%s', xrefs: 00007FF6CE517D21
socks4a, xrefs: 00007FF6CE517CCB
socks4, xrefs: 00007FF6CE517CE6
http, xrefs: 00007FF6CE517D0E
https, xrefs: 00007FF6CE517C74
socks, xrefs: 00007FF6CE517CFA
socks5, xrefs: 00007FF6CE517CB0
socks5h, xrefs: 00007FF6CE517C92
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 00007FF6CE517D54
Unsupported proxy syntax in '%s', xrefs: 00007FF6CE517EFA

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
API String ID: 1294909896-874090715
Opcode ID: 8623f1b333574cf8bcf57701875c6224aec00bc4894f46d89a6a5a544acd2936
Instruction ID: 4e8ae3a46c0ba800b1aa6580bbc2d6348a01186fdcffee660142d0112704feb0
Opcode Fuzzy Hash: 8623f1b333574cf8bcf57701875c6224aec00bc4894f46d89a6a5a544acd2936
Instruction Fuzzy Hash: FDA1CC62E0874289FB10DFA5D4606BD27B5AB6578AF844531EE8DE3785DF3EE904C310

Function 00007FF6CE536810 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 208stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE52FA30: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF6CE516DBF), ref: 00007FF6CE52FA5E

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5368E6
strchr.VCRUNTIME140 ref: 00007FF6CE536904
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE536934
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE53694F
strchr.VCRUNTIME140 ref: 00007FF6CE536979
strrchr.VCRUNTIME140 ref: 00007FF6CE536995
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5369BF
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5369DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5369FE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE536A16
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE536A55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE536A90
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE536B2C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE536B51

Strings

Uploading to a URL without a file name!, xrefs: 00007FF6CE536A7C
Request has same path as previous transfer, xrefs: 00007FF6CE536B36

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: calloc$free$strchrstrncpy$_strdupmallocstrncmpstrrchr
String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
API String ID: 2243338858-131330169
Opcode ID: 7403cf26366828f405d8287ee280245dd47af2536252dbba77c54129c1d1079c
Instruction ID: 6824033bf4222534197b5a35898850bdc95ad235dd949356939804a0b24fbad0
Opcode Fuzzy Hash: 7403cf26366828f405d8287ee280245dd47af2536252dbba77c54129c1d1079c
Instruction Fuzzy Hash: 4B91E122B0C78282EA55CF25A42027963F0FB55B92F944039EBCEA37D5DF7EE4548701

Function 00007FF6CE50DD50 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DDB3
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DE2D
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DE51
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DEA0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DEDA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DEEC
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DEFF
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DF1A
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DF30
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50DF39

Strings

%s.%s.tmp, xrefs: 00007FF6CE50DDEA
# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00007FF6CE50DE26
%s, xrefs: 00007FF6CE50DECB
## Fatal libcurl error, xrefs: 00007FF6CE50DF67

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$fclose$__acrt_iob_func_unlinkcallocfputsqsort
String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
API String ID: 1368378007-4087121635
Opcode ID: 1d56b44139449c6db4f3cf61deeccf1020aca52a27cded63d20186eb9e816fa6
Instruction ID: 6a1b9e9fa8713e8240887c6b1354c2f7cb65f72e260e50a4bdd2610138870271
Opcode Fuzzy Hash: 1d56b44139449c6db4f3cf61deeccf1020aca52a27cded63d20186eb9e816fa6
Instruction Fuzzy Hash: 08514061A1D68246FE659F21A93427A33B0AF75B9AFC45435FDCEE6390DE3EE4058300

Function 00007FF6CE529DF0 Relevance: 27.3, APIs: 1, Strings: 17, Instructions: 341COMMON

Download Yara Rule

Strings

SOCKS4 reply has wrong version, version should be 0., xrefs: 00007FF6CE52A291
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 00007FF6CE52A323
SOCKS4 non-blocking resolve of %s, xrefs: 00007FF6CE529F5B
SOCKS4%s: connecting to HTTP proxy %s port %d, xrefs: 00007FF6CE529EB6
SOCKS4: Failed receiving connect request ack: %s, xrefs: 00007FF6CE52A24A
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 00007FF6CE52A394
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 00007FF6CE52A35D
SOCKS4%s request granted., xrefs: 00007FF6CE52A3B6
Failed to send SOCKS4 connect request., xrefs: 00007FF6CE52A19D
SOCKS4 communication to %s:%d, xrefs: 00007FF6CE529ECF
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 00007FF6CE52A2F6
[, xrefs: 00007FF6CE52A384
Too long SOCKS proxy name, can't use!, xrefs: 00007FF6CE529FB7
SOCKS4 connection to %s not supported, xrefs: 00007FF6CE52A0BC
Failed to resolve "%s" for SOCKS4 connect., xrefs: 00007FF6CE52A0DB
SOCKS4 connect to IPv4 %s (locally resolved), xrefs: 00007FF6CE52A05A
SOCKS4: too long host name, xrefs: 00007FF6CE52A1B6

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$SOCKS4 communication to %s:%d$SOCKS4 connect to IPv4 %s (locally resolved)$SOCKS4 connection to %s not supported$SOCKS4 non-blocking resolve of %s$SOCKS4 reply has wrong version, version should be 0.$SOCKS4%s request granted.$SOCKS4%s: connecting to HTTP proxy %s port %d$SOCKS4: Failed receiving connect request ack: %s$SOCKS4: too long host name$Too long SOCKS proxy name, can't use!$[
API String ID: 0-3760664348
Opcode ID: 498de5cd744b0741ed3635551fa6fa6e30802d32ec2df0f5d96b0ad602538052
Instruction ID: 0294ad06764698777dc2bb1157e3f596e6e854697567f76804269a9783f54b00
Opcode Fuzzy Hash: 498de5cd744b0741ed3635551fa6fa6e30802d32ec2df0f5d96b0ad602538052
Instruction Fuzzy Hash: 61E1C1A6A0C6C189EB548F15D06437977B0FB65B86F849036FA8EA7786DF7EE044C700

Function 00007FF6CE4F6B20 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 364COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F6C7E
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4F6CAC
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4F6CBA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F6CF4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F6D45
memset.VCRUNTIME140 ref: 00007FF6CE4F6B73

Part of subcall function 00007FF6CE4F5980: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1

Part of subcall function 00007FF6CE4F7AE0: memcpy.VCRUNTIME140 ref: 00007FF6CE4F7C56

Part of subcall function 00007FF6CE4F2780: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F28F1

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F6EB2
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4F6EDE
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4F6EEC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F6F27
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F6F7A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F7061
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF6CE4F7079
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6CE4F7086

Strings

value, xrefs: 00007FF6CE4F6BE6, 00007FF6CE4F6E1E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy$?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@memset
String ID: value
API String ID: 2102519606-494360628
Opcode ID: 550cbea3a911ff12450a5818f22cd1eb358e4c722d8d09ac2395583a520f1132
Instruction ID: 107f41bf320411c37a1311cf613f9c6cd14bc3bb68b001d4875c9be15df429e0
Opcode Fuzzy Hash: 550cbea3a911ff12450a5818f22cd1eb358e4c722d8d09ac2395583a520f1132
Instruction Fuzzy Hash: A4F1B322A18A8285EB10CF74E4443AD7770EB95BA9F509331FAED52AE9DF7CD185C700

Function 00007FF6CE52EB90 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 241encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6CE52EE77
CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6CE52EEE7
CertFreeCertificateContext.CRYPT32 ref: 00007FF6CE52EF25
CertFreeCertificateContext.CRYPT32 ref: 00007FF6CE52EF38

Strings

schannel: failed to setup sequence detection, xrefs: 00007FF6CE52EBEA
schannel: failed to retrieve remote cert context, xrefs: 00007FF6CE52EF57
schannel: failed to setup memory allocation, xrefs: 00007FF6CE52EC41
schannel: failed to store credential handle, xrefs: 00007FF6CE52EDDC
schannel: failed to retrieve ALPN result, xrefs: 00007FF6CE52ECAB
schannel: failed to setup stream orientation, xrefs: 00007FF6CE52EC60
ALPN, server did not agree to a protocol, xrefs: 00007FF6CE52ED05
schannel: ALPN, server accepted to use %.*s, xrefs: 00007FF6CE52ECD8
schannel: failed to setup replay detection, xrefs: 00007FF6CE52EC06
schannel: failed to setup confidentiality, xrefs: 00007FF6CE52EC22
http/1.1, xrefs: 00007FF6CE52ECEB

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Cert$CertificateCertificatesContextEnumFreeStore
String ID: ALPN, server did not agree to a protocol$http/1.1$schannel: ALPN, server accepted to use %.*s$schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle
API String ID: 2572311694-3353508759
Opcode ID: 220337b4bee03760ea6e3943104791c253caa592fa02a501f9afb6be55ceed4e
Instruction ID: fa618c625c3d130fa5aa963497bc5edf0eb9ca72f57ec5e80824693e99f6187d
Opcode Fuzzy Hash: 220337b4bee03760ea6e3943104791c253caa592fa02a501f9afb6be55ceed4e
Instruction Fuzzy Hash: 07B18562B08A8282EB619F15D8643B963B1EFA4B86F845035F98DE77D4DF3EE445C700

Function 00007FF6CE5509B0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF6CE5436DF), ref: 00007FF6CE5509DD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0000000100000000,?,00007FF6CE5436DF), ref: 00007FF6CE5509FF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF6CE5436DF), ref: 00007FF6CE550A10
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF6CE5436DF), ref: 00007FF6CE550A3E

Strings

../, xrefs: 00007FF6CE550AA9
/../, xrefs: 00007FF6CE550B0B
/.., xrefs: 00007FF6CE550B42
/./, xrefs: 00007FF6CE550ACC

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: ../$/..$/../$/./
API String ID: 111713529-456519384
Opcode ID: a75eb33e81dc8e798062f8c5b7953372be5622ec13724452a985b9af31ee4b50
Instruction ID: 4d222aacb32eff103188faddca1e1532e2790380d3587a01251531aa59c35c9c
Opcode Fuzzy Hash: a75eb33e81dc8e798062f8c5b7953372be5622ec13724452a985b9af31ee4b50
Instruction Fuzzy Hash: 5571D721E0E68282FB229F11957027D7B70AB72BB6F844171EADE927D4DE3EE451C311

Function 00007FF6CE512E80 Relevance: 25.7, APIs: 17, Instructions: 236COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE512EE4
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE512F18
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE512F29
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE512FFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51300C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513047
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513051
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5130CF
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5130F0
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE513111
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE513132
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5131C9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5131D2

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID:
API String ID: 2653869212-0
Opcode ID: ecaf645ea1409842e54c2ca9caa86425db3d8e01e42d124ac3ae0b50072ede22
Instruction ID: de1d775156055c70027e4294934ee1b7ee654885ea96ccdc9386b75dbb1ab5cb
Opcode Fuzzy Hash: ecaf645ea1409842e54c2ca9caa86425db3d8e01e42d124ac3ae0b50072ede22
Instruction Fuzzy Hash: E7B17B36A0AB81D6EA25CF95E56037933B4FB64B56F840135EBCE93780DF3AE0649310

Function 00007FF6CE54B5B1 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54B5E2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAA9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAFC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BC5A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BC98

Strings

Signature: %s, xrefs: 00007FF6CE54BA97
-----BEGIN CERTIFICATE-----, xrefs: 00007FF6CE54BB3C
TRUE, xrefs: 00007FF6CE54B5D4
%s, xrefs: 00007FF6CE54BC86
-----END CERTIFICATE-----, xrefs: 00007FF6CE54BBE7
Signature, xrefs: 00007FF6CE54BA7F
FALSE, xrefs: 00007FF6CE54B5CD
Cert, xrefs: 00007FF6CE54BC6E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Signature: %s$%s$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$Cert$FALSE$Signature$TRUE
API String ID: 111713529-3006446216
Opcode ID: 56071c6eda54952a3fbe1923a43b8368e6934f71e01164f5a98e457e80ea09f4
Instruction ID: 348898fd361af9c442faac0bc76affae9039cbbbefeffcae3469bab1956e4349
Opcode Fuzzy Hash: 56071c6eda54952a3fbe1923a43b8368e6934f71e01164f5a98e457e80ea09f4
Instruction Fuzzy Hash: 6871C4A2E0D7C246EB518F2590642B97BB0EB6574AF984033FACEA3365DE2ED115C701

Function 00007FF6CE545620 Relevance: 24.2, APIs: 14, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5456E2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54571A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54572D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545761
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54576C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545822
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54582B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545836
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545921
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54592A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545935
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5459AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5459B4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5459BF

Part of subcall function 00007FF6CE545DB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE547C9A,?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE545DC0
Part of subcall function 00007FF6CE545DB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE547C9A,?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE545DD1
Part of subcall function 00007FF6CE545DB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE547C9A,?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE545DE3

Strings

DIGEST-MD5 handshake failure (empty challenge message), xrefs: 00007FF6CE5459CC
WDigest, xrefs: 00007FF6CE5456CC, 00007FF6CE5457E4

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: DIGEST-MD5 handshake failure (empty challenge message)$WDigest
API String ID: 2190258309-1086287758
Opcode ID: 60d6fd4d9496bc5a75371e53f8fa4c1ccef21f004a31d901caf2278722719f1d
Instruction ID: 6bf8ef79b2d6870a31b756fb199126b370c8812ce36b546a22c32d4781799214
Opcode Fuzzy Hash: 60d6fd4d9496bc5a75371e53f8fa4c1ccef21f004a31d901caf2278722719f1d
Instruction Fuzzy Hash: 10B14F72A08B468AEB108F65E4602AD37B4FB58B95F800036EE8DE7B58DF3ED555C740

Function 00007FF6CE54274C Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5429B8
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE542A10
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE542A1D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542B11
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542B1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542B6E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542B86

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloctolower
String ID: %%%02x
API String ID: 1244608590-4020994737
Opcode ID: 485ca5efc7fac49324a9721e3d63d5cec0a9c744f99b361fb578be1ce2059ea8
Instruction ID: 176ac0f9ce8945671402bef6a99e80bd71a530c3ae55f27b08cb3fbd8e9c1b38
Opcode Fuzzy Hash: 485ca5efc7fac49324a9721e3d63d5cec0a9c744f99b361fb578be1ce2059ea8
Instruction Fuzzy Hash: 55A1E41590D6A245FF628F2194303796BF09F65B86F884432EECEE63D1DE2EE465C320

Function 00007FF6CE530A30 Relevance: 22.8, APIs: 1, Strings: 14, Instructions: 321COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6CE530A88

Strings

Unexpected continuation response, xrefs: 00007FF6CE530ECE
NOOP, xrefs: 00007FF6CE530DCF
EXPUNGE, xrefs: 00007FF6CE530D87
LIST, xrefs: 00007FF6CE530C6C
, xrefs: 00007FF6CE530A91
PREA, xrefs: 00007FF6CE530AC4
FETCH, xrefs: 00007FF6CE530BFC, 00007FF6CE530D12
UID, xrefs: 00007FF6CE530DB7
EXAMINE, xrefs: 00007FF6CE530D57
LSUB, xrefs: 00007FF6CE530D9F
SELECT, xrefs: 00007FF6CE530D3F
SEARCH, xrefs: 00007FF6CE530B9C, 00007FF6CE530D6F
CAPABILITY, xrefs: 00007FF6CE530E50
STORE, xrefs: 00007FF6CE530CBA

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcmp
String ID: $CAPABILITY$EXAMINE$EXPUNGE$FETCH$LIST$LSUB$NOOP$PREA$SEARCH$SELECT$STORE$UID$Unexpected continuation response
API String ID: 1475443563-555813803
Opcode ID: 3f7a138a4cf8b5a7f6787de4ec62280f8b8da26ad5964f60277828d290879385
Instruction ID: fe4eec282d437cb13b8e3b4aa8baf1ff07c0d03ad45a9188d0a6d26eca45ed5b
Opcode Fuzzy Hash: 3f7a138a4cf8b5a7f6787de4ec62280f8b8da26ad5964f60277828d290879385
Instruction Fuzzy Hash: 3DD18F22B0CB5245FB215F21D5342B967B0AF30B9AFC45432FA9DE7595EEAEE841C301

Function 00007FF6CE4FBF72 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE4F5980: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1

Part of subcall function 00007FF6CE4F7AE0: memcpy.VCRUNTIME140 ref: 00007FF6CE4F7C56

Part of subcall function 00007FF6CE4F2780: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F28F1

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC021
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FC04F
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FC05D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC097
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC0F4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC1AD
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FC1DB
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FC1E9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC223
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC274
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC2BE

Strings

value, xrefs: 00007FF6CE4FBF90, 00007FF6CE4FC119

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy
String ID: value
API String ID: 3212548336-494360628
Opcode ID: c76a873ace44862f6349023eed5fc4100f4b45aeeb9fe66a199c4c2371892b46
Instruction ID: 763a9904074e340015737c58698c7eec5ea8c79a87a3099ee5dfe544fda7aec4
Opcode Fuzzy Hash: c76a873ace44862f6349023eed5fc4100f4b45aeeb9fe66a199c4c2371892b46
Instruction Fuzzy Hash: 26A19562A18A8686EB00CF68E4543AD3371EF917A5F505335F6ED62AE9DF7CE081C704

Function 00007FF6CE4FD801 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE4F5980: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1

Part of subcall function 00007FF6CE4F7AE0: memcpy.VCRUNTIME140 ref: 00007FF6CE4F7C56

Part of subcall function 00007FF6CE4F2780: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F28F1

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FD8B0
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FD8DE
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FD8EC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FD926
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FD983
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FDA3C
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FDA6A
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FDA78
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FDAB2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FDB03
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FDB4D

Strings

value, xrefs: 00007FF6CE4FD81F, 00007FF6CE4FD9A8

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy
String ID: value
API String ID: 3212548336-494360628
Opcode ID: dd6525d2d8b59f3baa0861859b7e2aff5fafa17bb200aa34994a6428ec064bb0
Instruction ID: f7b56bb67af536cae10306ad48cfc845b65aa9a5c4d846115e4300362d2791da
Opcode Fuzzy Hash: dd6525d2d8b59f3baa0861859b7e2aff5fafa17bb200aa34994a6428ec064bb0
Instruction Fuzzy Hash: EDA19462A18A8286EB00CF68E4543AD3371EF517A5F505331FAAD62AE9DF7CE081C300

Function 00007FF6CE50D9C0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 161fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50DA2D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50DA4D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE50DA81
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE50DAA2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50DAC5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50DAD6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE50DAF8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50DBAF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE50DBC4

Strings

Set-Cookie:, xrefs: 00007FF6CE50DB36
ignoring failed cookie_init for %s, xrefs: 00007FF6CE50DB02
none, xrefs: 00007FF6CE50DA42

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: Set-Cookie:$ignoring failed cookie_init for %s$none
API String ID: 4109794434-4095489131
Opcode ID: e5d281810f71373cc68a83eff9d9673e87c10818fe74c7b7b7a3c36cff4c26e8
Instruction ID: 0bf0bbf132fe3d9fa55744cf5205150e2f5fa0975b229a9fb3dedf6a2f6eb685
Opcode Fuzzy Hash: e5d281810f71373cc68a83eff9d9673e87c10818fe74c7b7b7a3c36cff4c26e8
Instruction Fuzzy Hash: 42619021A0D7C282EA559F2594242BA27E4AF65B8AF884434FECDA7791DF3EE401C700

Function 00007FF6CE505EB0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6CE505ED2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505EDA
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505EF9
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505F05
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505F14
strrchr.VCRUNTIME140 ref: 00007FF6CE505F65
strrchr.VCRUNTIME140 ref: 00007FF6CE505F86
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505F9F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505FAA
GetLastError.KERNEL32 ref: 00007FF6CE505FB3
SetLastError.KERNEL32 ref: 00007FF6CE505FBF

Strings

Unknown error %d (%#x), xrefs: 00007FF6CE505F47

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_nerrstrerrorstrncpy
String ID: Unknown error %d (%#x)
API String ID: 4262108436-2414550090
Opcode ID: 100a5d9055fd42e0d71a6ea79cb9f566b8e95a090aae1ec8d8803ea44f548d65
Instruction ID: 9ae39b7505511da7d45c72fdef70eff230776207a460cb1acaa6271c70f8e896
Opcode Fuzzy Hash: 100a5d9055fd42e0d71a6ea79cb9f566b8e95a090aae1ec8d8803ea44f548d65
Instruction Fuzzy Hash: 48319461A1978282FA255F21A4302397671AFA4B86FC84435FECEA77D9DF7EE4018300

Function 00007FF6CE502A60 Relevance: 19.7, APIs: 13, Instructions: 159COMMON

Download Yara Rule

APIs

?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6CE502AA2
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF6CE502ABC
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF6CE502ADD
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6CE502B2F
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6CE502B44
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF6CE502B63
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6CE502B82
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6CE502B8B
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6CE502C08
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6CE502C11
?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF6CE502C3C
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6CE502C59
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF6CE502C6B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?rdbuf@?$basic_ios@?width@ios_base@std@@D@std@@@2@V?$basic_streambuf@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
String ID:
API String ID: 3119022203-0
Opcode ID: fcbd4062a5c34ff19849290e96dca4d659f73e43909e53f5dd13756736b95600
Instruction ID: 6cd665a76035fbcc3bb5e1952fbab3ad6e735bc3e1aa2809d464932a4c0f99d4
Opcode Fuzzy Hash: fcbd4062a5c34ff19849290e96dca4d659f73e43909e53f5dd13756736b95600
Instruction Fuzzy Hash: 7C618B26B09A8181DB54CF16E5A023977B0FF95F9AB858531FE9E937A1CF3ED0548340

Function 00007FF6CE53FF53 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 290COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE540053

Strings

TFTP buffer too small for options, xrefs: 00007FF6CE54014F, 00007FF6CE540298
%I64d, xrefs: 00007FF6CE5400E6
blksize, xrefs: 00007FF6CE540228
TFTP file name too long, xrefs: 00007FF6CE54003F
%s%c%s%c, xrefs: 00007FF6CE54006A
timeout, xrefs: 00007FF6CE540315
tsize, xrefs: 00007FF6CE540162

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %I64d$%s%c%s%c$TFTP buffer too small for options$TFTP file name too long$blksize$timeout$tsize
API String ID: 1294909896-3837278924
Opcode ID: 7ec6c5d6a3ff59786ba722c0e9dd02ab78e7bc519b15799cd4420d422ff9ec3c
Instruction ID: 9092c16facec3f084f151673f87a56bd915b8ddc2cc46f49c2d4574adb2a0a6f
Opcode Fuzzy Hash: 7ec6c5d6a3ff59786ba722c0e9dd02ab78e7bc519b15799cd4420d422ff9ec3c
Instruction Fuzzy Hash: 47D1A0B2A08A8281EB11CF24D0603B977B1FB65B89FD49132EA8DA7785DF7ED515C310

Function 00007FF6CE5407D0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 222networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF6CE540943
sendto.WS2_32 ref: 00007FF6CE5409FC
WSAGetLastError.WS2_32 ref: 00007FF6CE540A0A

Strings

tftp_tx: giving up waiting for block %d ack, xrefs: 00007FF6CE5409B4
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF6CE54083D
tftp_tx: internal error, event: %i, xrefs: 00007FF6CE540828
Received ACK for block %d, expecting %d, xrefs: 00007FF6CE540995

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: sendto$ErrorLast
String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
API String ID: 4042023021-4197595102
Opcode ID: 65eefe5e27c87df2d3a75b0703fe83b340d7fecbdf59bec97b9263cd900bd5df
Instruction ID: bae227be4308c6f6f8061a4f176620eb5ba65f100c6056769be677bdafa3791a
Opcode Fuzzy Hash: 65eefe5e27c87df2d3a75b0703fe83b340d7fecbdf59bec97b9263cd900bd5df
Instruction Fuzzy Hash: 1FB1A172608682C6E721CF29D4603AD37B0FB98B8AF944132EE8D9B758DF3AD441C751

Function 00007FF6CE53FBB0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF6CE53FD28
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF6CE53FD43
sendto.WS2_32 ref: 00007FF6CE53FDAA
sendto.WS2_32 ref: 00007FF6CE53FE61
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF6CE53FE99

Strings

Received last DATA packet block %d again., xrefs: 00007FF6CE53FDF5
Received unexpected DATA packet block %d, expecting block %d, xrefs: 00007FF6CE53FEA1
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF6CE53FC22
tftp_rx: internal error, xrefs: 00007FF6CE53FBFE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: sendto$_time64
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 2327272419-1785996722
Opcode ID: 89229f8d29204033db2aadbae2a754e7839df9844307faa5689997886ab2f216
Instruction ID: 653bee21470a22c9a73cd19d8f92f32ff8ac1c5f07c2d971937384fde23450f3
Opcode Fuzzy Hash: 89229f8d29204033db2aadbae2a754e7839df9844307faa5689997886ab2f216
Instruction Fuzzy Hash: 5C916E72618781C5D761CF29D4613A977B0FBA8B89F848132EE8D9B758DF3AD406C720

Function 00007FF6CE5177A0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5177DD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51785F
strchr.VCRUNTIME140 ref: 00007FF6CE5178DE
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6CE51790C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51792D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51793F

Strings

%25, xrefs: 00007FF6CE517855
Please URL encode %% as %%25, see RFC 6874., xrefs: 00007FF6CE517869
Invalid IPv6 address format, xrefs: 00007FF6CE5178C7
No valid port number in connect to host string (%s), xrefs: 00007FF6CE51796B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$freestrchrstrncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 2070079882-2404041592
Opcode ID: f161a98824ad047bc61e83a6a9d709f49cd731e5f255768661b04e2e13741171
Instruction ID: dab69e129bb6f02bba1bd774eb102c7582c99601de38353e5c9c5ef712447061
Opcode Fuzzy Hash: f161a98824ad047bc61e83a6a9d709f49cd731e5f255768661b04e2e13741171
Instruction Fuzzy Hash: 68510561E0C7964AFB119F69943037967F1AF22796F884031FECD962C1EE2EE545C300

Function 00007FF6CE50D7B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 143fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50D7EE
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50D80E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE50D840
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE50D85D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50D87B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50D88C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE50D8AC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CE507A00), ref: 00007FF6CE50D95F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CE507A00), ref: 00007FF6CE50D975

Strings

Set-Cookie:, xrefs: 00007FF6CE50D8E6
none, xrefs: 00007FF6CE50D803

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
String ID: Set-Cookie:$none
API String ID: 4109794434-3629594122
Opcode ID: 64170cdf92fb56e899e1510f54d3ee927d434ba8789ac50f8d66b4514f019bdc
Instruction ID: 4259529d32ffee4b1683d24d401409a852afabc0cfe5391d42c2a37a1db50818
Opcode Fuzzy Hash: 64170cdf92fb56e899e1510f54d3ee927d434ba8789ac50f8d66b4514f019bdc
Instruction Fuzzy Hash: D1519621A0D7C242FB559F21653027966F0AF65B9AF884834FECEA6781DF3EE4458740

Function 00007FF6CE517F40 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 280stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE518F20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F34
Part of subcall function 00007FF6CE518F20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F4A
Part of subcall function 00007FF6CE518F20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F5E
Part of subcall function 00007FF6CE518F20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F72
Part of subcall function 00007FF6CE518F20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F86
Part of subcall function 00007FF6CE518F20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F9A
Part of subcall function 00007FF6CE518F20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518FAE
Part of subcall function 00007FF6CE518F20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518FC2

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE517FC2

Part of subcall function 00007FF6CE541EF0: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F05
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F1F
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F3A
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F56
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F72
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F8A
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541FA2
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541FBA
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541FD2
Part of subcall function 00007FF6CE541EF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541FEA
Part of subcall function 00007FF6CE541EF0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE542004

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5181C6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE518209
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6CE51834E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5183CB

Strings

file, xrefs: 00007FF6CE5182B3, 00007FF6CE51832C
Protocol "%s" not supported or disabled in libcurl, xrefs: 00007FF6CE51810F
%s://%s, xrefs: 00007FF6CE517FCF

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$free$callocstrtoul
String ID: %s://%s$Protocol "%s" not supported or disabled in libcurl$file
API String ID: 954404409-4150109901
Opcode ID: 4d71343cc8e9c771a04bdd6a4e35518a46228df87ed26e91117d0ae160dc71d8
Instruction ID: 20ae8ef090960e8e25a042bb9eaa21d2da72252e8d98f1d0ea89c1eae78548e3
Opcode Fuzzy Hash: 4d71343cc8e9c771a04bdd6a4e35518a46228df87ed26e91117d0ae160dc71d8
Instruction Fuzzy Hash: 8EC17232B08A8286EB798F65D9603F923B1FB65746F940035EA9DE7685DF3EE514C300

Function 00007FF6CE4F2780 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE4F2B40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2C39
Part of subcall function 00007FF6CE4F2B40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2C78

Part of subcall function 00007FF6CE4F5980: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1

Part of subcall function 00007FF6CE4F5220: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF6CE4F255B), ref: 00007FF6CE4F5266

Part of subcall function 00007FF6CE4F7480: memcpy.VCRUNTIME140(?,?,?,00007FF6CE4F258A), ref: 00007FF6CE4F7511

Part of subcall function 00007FF6CE4F52A0: memcpy.VCRUNTIME140 ref: 00007FF6CE4F52F3

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F28F1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2941
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2992
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F29D2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2A24
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2A63
__std_exception_copy.VCRUNTIME140 ref: 00007FF6CE4F2AB6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2B07

Strings

parse error, xrefs: 00007FF6CE4F280B
parse_error, xrefs: 00007FF6CE4F27E1

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$__std_exception_copy
String ID: parse error$parse_error
API String ID: 2484256320-1820534363
Opcode ID: 872615393e60536cf0fdb048e6fefe99b16f7abf7942900c64bb644bcd49a26a
Instruction ID: 596d66059b45994fb235cb4371d3e0622721cb75b50f24062a79e81633e34876
Opcode Fuzzy Hash: 872615393e60536cf0fdb048e6fefe99b16f7abf7942900c64bb644bcd49a26a
Instruction Fuzzy Hash: 7AB1A062E14B8685FB00CF64E4443AD3771EB64BA5F509621EAAD62AE9DF7CE0C1C304

Function 00007FF6CE521B10 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE521BA1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE521BE8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE521C84
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE521C9A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE521CBB
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE521D0A
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF6CE521D5A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE521D8F

Strings

:%u, xrefs: 00007FF6CE521D1E
Shuffling %i addresses, xrefs: 00007FF6CE521B8A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$_time64calloctolower
String ID: :%u$Shuffling %i addresses
API String ID: 133842801-338667637
Opcode ID: b254895a411a1bb72c9a68ccd39e5ac0568eb9fe9291788dac0897c1c0e83ef1
Instruction ID: 98e670e99f3028109ef6d3db3843ced038dd333dc305c2d8615f62fff048e51c
Opcode Fuzzy Hash: b254895a411a1bb72c9a68ccd39e5ac0568eb9fe9291788dac0897c1c0e83ef1
Instruction Fuzzy Hash: 3771C736A19A9281EB148F11E6647BA33B4FB68B95F804531EF8EA7394DF3ED445C300

Function 00007FF6CE51F780 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 162COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51F7FA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51F815
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51F892
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51F91C

Strings

Switch to %s, xrefs: 00007FF6CE51F9A7
GET, xrefs: 00007FF6CE51F98E
HEAD, xrefs: 00007FF6CE51F987
Maximum (%ld) redirects followed, xrefs: 00007FF6CE51F8E7
Switch from POST to GET, xrefs: 00007FF6CE51F9E6
Issue another request to this URL: '%s', xrefs: 00007FF6CE51F927

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s
API String ID: 1865132094-1312055526
Opcode ID: 9ce5097fec653cc47e3efa6e9b03e8c9e5773c358994eb20c923880c0cc65715
Instruction ID: 503d64463ca3d1e1e9e4b5841d60c98710dfb89f313398bd84ee8aaa5d003734
Opcode Fuzzy Hash: 9ce5097fec653cc47e3efa6e9b03e8c9e5773c358994eb20c923880c0cc65715
Instruction Fuzzy Hash: 49719262A0C78290E7609F64D4612BD27B1EFA5B95F980035EACDE76A5CF3FD4818320

Function 00007FF6CE514920 Relevance: 17.6, APIs: 14, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE51499D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE5149BA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE5149CE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE5149EA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A07
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A2A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A3E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A52
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A78
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514A8C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514AA0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514AEF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514AFC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE514B25

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 340a58b6c03933ee5c38f7373fab72ede4f501a6453ad0e5311dc76b628382d7
Instruction ID: 1b567973cd7c73cc54c3b93ab4a462c629545a79c1fad9ed01da2517c3fc1ec9
Opcode Fuzzy Hash: 340a58b6c03933ee5c38f7373fab72ede4f501a6453ad0e5311dc76b628382d7
Instruction Fuzzy Hash: 12510F71918A8281EB14DF61E4A12FD2374FF94F86F885431EE8F9B755CE3AD0518320

Function 00007FF6CE54F030 Relevance: 16.8, APIs: 2, Strings: 9, Instructions: 279COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54F4FB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54F553

Strings

LOGIN, xrefs: 00007FF6CE54F473
OAUTHBEARER, xrefs: 00007FF6CE54F342
DIGEST-MD5, xrefs: 00007FF6CE54F263
XOAUTH2, xrefs: 00007FF6CE54F3B5
GSSAPI, xrefs: 00007FF6CE54F1C6
PLAIN, xrefs: 00007FF6CE54F40A
NTLM, xrefs: 00007FF6CE54F2B9
EXTERNAL, xrefs: 00007FF6CE54F14B
CRAM-MD5, xrefs: 00007FF6CE54F282

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: CRAM-MD5$DIGEST-MD5$EXTERNAL$GSSAPI$LOGIN$NTLM$OAUTHBEARER$PLAIN$XOAUTH2
API String ID: 1294909896-1896214517
Opcode ID: cd88872d4a6fe51d0876285e9ef49b9cd2078b152f76005ffac7db73de5e62a3
Instruction ID: fafd9880358bc6501668ff423aa99ac3c9583a182b91434ffc65b00e5e0f27cc
Opcode Fuzzy Hash: cd88872d4a6fe51d0876285e9ef49b9cd2078b152f76005ffac7db73de5e62a3
Instruction Fuzzy Hash: 61D1BC72A08B8285EB61CF14E8513A977B0FB94799F841136EE8CA7798CF3ED454C720

Function 00007FF6CE531060 Relevance: 16.7, APIs: 5, Strings: 6, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE52FA30: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF6CE516DBF), ref: 00007FF6CE52FA5E

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5312FE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE531308
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE531363
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53136D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53137A

Strings

PARTIAL, xrefs: 00007FF6CE5312B6
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_, xrefs: 00007FF6CE531068
SECTION, xrefs: 00007FF6CE531278
MAILINDEX, xrefs: 00007FF6CE531237
UIDVALIDITY, xrefs: 00007FF6CE5311B5
UID, xrefs: 00007FF6CE5311F6

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_$MAILINDEX$PARTIAL$SECTION$UID$UIDVALIDITY
API String ID: 2190258309-1670639106
Opcode ID: 67cc25c653c019c68edb10205389acf8d6a06812a7f26fc1d5dd01ed8d485a3b
Instruction ID: f1eafff92890a1efe76e7464798462b422f579cbc2de7eabff2811cd2637dafb
Opcode Fuzzy Hash: 67cc25c653c019c68edb10205389acf8d6a06812a7f26fc1d5dd01ed8d485a3b
Instruction Fuzzy Hash: AFA17563909A8285EB658F31D5643B867B0FB6478AF841131FACEE7A85DF3AD491C310

Function 00007FF6CE542BA1 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542B11
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542B1F
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542C1D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542C86
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542C9E

Part of subcall function 00007FF6CE541BF0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE541C00

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542CC6
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542CDD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542D02
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542D4F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542D64

Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EAC
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EB6
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EC0
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542ECA
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542ED4
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EDE
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EE8
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EF2
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EFC
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542F06
Part of subcall function 00007FF6CE542EA0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542F10

Strings

:, xrefs: 00007FF6CE542BC7
,, xrefs: 00007FF6CE542BE4

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$calloc$_strdup
String ID: ,$:
API String ID: 2460172880-4193410690
Opcode ID: 9fc9f10a5d97b44390ba30cad8ebf6bc625cf12063cbf7b46e71b17a76415179
Instruction ID: 68343e50dd67d34d882feb7a5f62d9f79507c212fb779f015cb00fcc3400dd6a
Opcode Fuzzy Hash: 9fc9f10a5d97b44390ba30cad8ebf6bc625cf12063cbf7b46e71b17a76415179
Instruction Fuzzy Hash: 1A51C516E1CA8642F7219F3595213B963B0BF65785F449231EECEA2656EF2EF1E48300

Function 00007FF6CE541EF0 Relevance: 16.6, APIs: 11, Instructions: 89COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F05
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F1F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F3A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F56
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F72
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541F8A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541FA2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541FBA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541FD2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE541FEA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE517F65,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE542004

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$callocfree
String ID:
API String ID: 1183638330-0
Opcode ID: 36a892255754302b1de67aeceaef65683c6eea63486ce9a4ba4bed585b87ef12
Instruction ID: e0c65e4dbacef1c9e7e41a1f7c37c4046216563d66965295657bc37a216ec8fb
Opcode Fuzzy Hash: 36a892255754302b1de67aeceaef65683c6eea63486ce9a4ba4bed585b87ef12
Instruction Fuzzy Hash: DE313736E1AB4291EE69CF55E17023822F4FF58B06B481436EA8ED2744DF3EF4709220

Function 00007FF6CE515610 Relevance: 16.4, APIs: 13, Instructions: 164stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF6CE515648
strchr.VCRUNTIME140 ref: 00007FF6CE51566F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515724
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51574A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51576B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51577C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515785
memcpy.VCRUNTIME140 ref: 00007FF6CE5157A3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5157B7
memcpy.VCRUNTIME140 ref: 00007FF6CE5157D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5157E9
memcpy.VCRUNTIME140 ref: 00007FF6CE515801
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE515816

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy$strchr
String ID:
API String ID: 1615377186-0
Opcode ID: aa0ecedb91e18d2e0f992861b877a5e479a5e731e3f0740ec1a9ef4aef4d96ca
Instruction ID: f3e1ee6b8361cd5e4a6d3f38cdca1469b448a400699c7b0babd6e7d46e7ef352
Opcode Fuzzy Hash: aa0ecedb91e18d2e0f992861b877a5e479a5e731e3f0740ec1a9ef4aef4d96ca
Instruction Fuzzy Hash: 6651B025B0EB8585EE25CF55A52527963B1BF64BC2F885430EECEA7748EF3EE4058310

Function 00007FF6CE537F40 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

Strings

LIST, xrefs: 00007FF6CE538042
NLST, xrefs: 00007FF6CE53803B
%s%s%s, xrefs: 00007FF6CE538065
Couldn't set desired mode, xrefs: 00007FF6CE537F5E
Got a %03d response code instead of the assumed 200, xrefs: 00007FF6CE537F80

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST
API String ID: 0-1262176364
Opcode ID: fdcf8f4fb6526b880c534ee3e1f288543f22453b2957d1f778731b14c9a4f5f2
Instruction ID: be38ce935d15075ce397c0ebbb148cd9e1f69b423fe5fb2e69bce0db1c6050e5
Opcode Fuzzy Hash: fdcf8f4fb6526b880c534ee3e1f288543f22453b2957d1f778731b14c9a4f5f2
Instruction Fuzzy Hash: C341B236B0C64286EB289F55E4601BAB371BB60B92FC44035FACDA7691DF7FE8448700

Function 00007FF6CE51BE50 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF6CE527EBA), ref: 00007FF6CE51BECF
strchr.VCRUNTIME140(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF6CE527EBA), ref: 00007FF6CE51BF21
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF6CE527EBA), ref: 00007FF6CE51BF45
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF6CE527EBA), ref: 00007FF6CE51BF95
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,Digest,?,00007FF6CE527EBA), ref: 00007FF6CE51BFD8

Strings

%.*s, xrefs: 00007FF6CE51BF2E
%sAuthorization: Digest %s, xrefs: 00007FF6CE51BFB5
Proxy-, xrefs: 00007FF6CE51BFAB
Digest, xrefs: 00007FF6CE51BE5B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupstrchr
String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
API String ID: 153040452-3976116069
Opcode ID: ed90737fc67f69d9f7bd73876c24f222606864a60142b45a307b1d9c19a193b8
Instruction ID: 723e2e1bab17dcf665233b7ba8c3c5eb2187573ed5facb849a6aeff857290036
Opcode Fuzzy Hash: ed90737fc67f69d9f7bd73876c24f222606864a60142b45a307b1d9c19a193b8
Instruction Fuzzy Hash: BE41BB22A08B8692EA608F52E4503AA77B4FB95B85F840035FECD977A0DF3ED556C700

Function 00007FF6CE54AF7E Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54AFB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B4A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B572

Strings

TRUE, xrefs: 00007FF6CE54AFA0
Expire Date, xrefs: 00007FF6CE54B47D
Public Key Algorithm, xrefs: 00007FF6CE54B528
Expire Date: %s, xrefs: 00007FF6CE54B497
Public Key Algorithm: %s, xrefs: 00007FF6CE54B542
FALSE, xrefs: 00007FF6CE54AFA7

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$FALSE$Public Key Algorithm$TRUE
API String ID: 2653869212-571364039
Opcode ID: d42a0c74dc1f5ac63ecb98a4d68705edbe97a79fea793a6ec2c416178d0cc8f9
Instruction ID: d1ed12ce5e6f2504948efc007103833e2f82268b3e869721be8d864834860c2f
Opcode Fuzzy Hash: d42a0c74dc1f5ac63ecb98a4d68705edbe97a79fea793a6ec2c416178d0cc8f9
Instruction Fuzzy Hash: 3C4190B5E0878245EB518F61A4242F937B5BB6978AF841432FE8EA7359DF3EE154C300

Function 00007FF6CE50580A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF6CE505799
strchr.VCRUNTIME140 ref: 00007FF6CE5057C0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505C5F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C6A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C75
GetLastError.KERNEL32 ref: 00007FF6CE505C7E
SetLastError.KERNEL32 ref: 00007FF6CE505C8A

Strings

%s (0x%08X), xrefs: 00007FF6CE505745
SEC_E_BUFFER_TOO_SMALL, xrefs: 00007FF6CE50580A
%s - %s, xrefs: 00007FF6CE505C49

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BUFFER_TOO_SMALL
API String ID: 600764987-1965992168
Opcode ID: 0a9bb94958cab05c62ced13aef4a4dd1eb62255108913f9fce7ca65002aab040
Instruction ID: 98caceba0a3b7c5c5b67c2d658aca2353e557d6d38657249db931ab6a3621a5b
Opcode Fuzzy Hash: 0a9bb94958cab05c62ced13aef4a4dd1eb62255108913f9fce7ca65002aab040
Instruction Fuzzy Hash: 8C318022A0D6C186E6718F60E4643AA73B0FB94746FC40435EACDA2A99DF3ED544CB10

Function 00007FF6CE5057FE Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF6CE505799
strchr.VCRUNTIME140 ref: 00007FF6CE5057C0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505C5F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C6A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C75
GetLastError.KERNEL32 ref: 00007FF6CE505C7E
SetLastError.KERNEL32 ref: 00007FF6CE505C8A

Strings

%s (0x%08X), xrefs: 00007FF6CE505745
SEC_E_BAD_PKGID, xrefs: 00007FF6CE5057FE
%s - %s, xrefs: 00007FF6CE505C49

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_PKGID
API String ID: 600764987-1052566392
Opcode ID: 10349e349b463c91b3e45d2b73b9638b1978f801fd2bfbc886d290c8f1e25f45
Instruction ID: 9a47413f2dcc1f0b7f365054304e94a3462e6056087511cde9549289cc1fae07
Opcode Fuzzy Hash: 10349e349b463c91b3e45d2b73b9638b1978f801fd2bfbc886d290c8f1e25f45
Instruction Fuzzy Hash: BE316022A1D6C186E6718F60E4643AA73B4FB94746FC40435EACDA2A99DF3ED544CB10

Function 00007FF6CE50582E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF6CE505799
strchr.VCRUNTIME140 ref: 00007FF6CE5057C0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505C5F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C6A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C75
GetLastError.KERNEL32 ref: 00007FF6CE505C7E
SetLastError.KERNEL32 ref: 00007FF6CE505C8A

Strings

%s (0x%08X), xrefs: 00007FF6CE505745
%s - %s, xrefs: 00007FF6CE505C49
SEC_E_CERT_EXPIRED, xrefs: 00007FF6CE50582E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_EXPIRED
API String ID: 600764987-3862749013
Opcode ID: 7e573bd92b9d43ac4b00c980f2996411393b2ba7c3b462260107ad405c1a3afa
Instruction ID: 7af119262675ed4e1609a869f64814106983f5472ed7a9fa53d1d2204a4cdfb4
Opcode Fuzzy Hash: 7e573bd92b9d43ac4b00c980f2996411393b2ba7c3b462260107ad405c1a3afa
Instruction Fuzzy Hash: DF316122A1D7C186E7718F60E4643AA73B4FB94746FC40435EACDA2A99DF3ED544CB10

Function 00007FF6CE505822 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF6CE505799
strchr.VCRUNTIME140 ref: 00007FF6CE5057C0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505C5F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C6A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C75
GetLastError.KERNEL32 ref: 00007FF6CE505C7E
SetLastError.KERNEL32 ref: 00007FF6CE505C8A

Strings

%s (0x%08X), xrefs: 00007FF6CE505745
%s - %s, xrefs: 00007FF6CE505C49
SEC_E_CANNOT_PACK, xrefs: 00007FF6CE505822

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_PACK
API String ID: 600764987-1502336670
Opcode ID: 86c921f2142e600db52fea1572ca250adc076ea2aceaf02060be38b575d46afa
Instruction ID: 936540f7ef0a19de9404d35693c34f74b660debacadc2d55b9d537e30dd31922
Opcode Fuzzy Hash: 86c921f2142e600db52fea1572ca250adc076ea2aceaf02060be38b575d46afa
Instruction Fuzzy Hash: 84316022A1D6C186E6718F60E4643AA73B4FB94746FC40435EACDA2A99DF3ED544CB10

Function 00007FF6CE505816 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF6CE505799
strchr.VCRUNTIME140 ref: 00007FF6CE5057C0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505C5F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C6A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C75
GetLastError.KERNEL32 ref: 00007FF6CE505C7E
SetLastError.KERNEL32 ref: 00007FF6CE505C8A

Strings

SEC_E_CANNOT_INSTALL, xrefs: 00007FF6CE505816
%s (0x%08X), xrefs: 00007FF6CE505745
%s - %s, xrefs: 00007FF6CE505C49

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_INSTALL
API String ID: 600764987-2628789574
Opcode ID: 7275d5a1b32069eb92776363a42aaa11e3605dda69d1069f9f4704188d27d934
Instruction ID: a86dd77d0cdd0bbca7375efa8a3da49908d1120156182d12c8d52cd069981e1b
Opcode Fuzzy Hash: 7275d5a1b32069eb92776363a42aaa11e3605dda69d1069f9f4704188d27d934
Instruction Fuzzy Hash: 63316122A1D7C186E7718F60E4643AA73B4FB94746FC40435EACDA2A99DF3ED544CB10

Function 00007FF6CE5057F2 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF6CE505799
strchr.VCRUNTIME140 ref: 00007FF6CE5057C0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505C5F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C6A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C75
GetLastError.KERNEL32 ref: 00007FF6CE505C7E
SetLastError.KERNEL32 ref: 00007FF6CE505C8A

Strings

%s (0x%08X), xrefs: 00007FF6CE505745
%s - %s, xrefs: 00007FF6CE505C49
SEC_E_BAD_BINDINGS, xrefs: 00007FF6CE5057F2

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_BINDINGS
API String ID: 600764987-2710416593
Opcode ID: c9cf7ba51cfa555b86d8c3fe839f14dbdffb7e57fa049164605550cf7a62e235
Instruction ID: 52dd37a637ece7dd6455b219d7ac30ee0a00d151781ce20f0e21b10a1cb02bef
Opcode Fuzzy Hash: c9cf7ba51cfa555b86d8c3fe839f14dbdffb7e57fa049164605550cf7a62e235
Instruction Fuzzy Hash: B0316122A1D7C186E7718F60E4643AA73B4FB94746FC40435EACDA2A99DF3ED544CB10

Function 00007FF6CE50583A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF6CE505799
strchr.VCRUNTIME140 ref: 00007FF6CE5057C0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505C5F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C6A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C75
GetLastError.KERNEL32 ref: 00007FF6CE505C7E
SetLastError.KERNEL32 ref: 00007FF6CE505C8A

Strings

%s (0x%08X), xrefs: 00007FF6CE505745
SEC_E_CERT_UNKNOWN, xrefs: 00007FF6CE50583A
%s - %s, xrefs: 00007FF6CE505C49

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_UNKNOWN
API String ID: 600764987-1381340633
Opcode ID: 624e5b73e9b7fadd8b532eb4177c8ca66fcde0382b4aa183f3ea07b19814a7d7
Instruction ID: 17e8b0ec5c4ae0279f386bbde03bf5ed445a319dfb9c9ee145b784b4c945f54c
Opcode Fuzzy Hash: 624e5b73e9b7fadd8b532eb4177c8ca66fcde0382b4aa183f3ea07b19814a7d7
Instruction Fuzzy Hash: 9C316022A1D6C186E6718F60E4643AA73B4FB94746FC40435EACEA2A99DF3ED544CB10

Function 00007FF6CE50573E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF6CE505799
strchr.VCRUNTIME140 ref: 00007FF6CE5057C0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE505C5F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C6A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE505C75
GetLastError.KERNEL32 ref: 00007FF6CE505C7E
SetLastError.KERNEL32 ref: 00007FF6CE505C8A

Strings

%s (0x%08X), xrefs: 00007FF6CE505745
SEC_E_ALGORITHM_MISMATCH, xrefs: 00007FF6CE50573E
%s - %s, xrefs: 00007FF6CE505C49

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
String ID: %s (0x%08X)$%s - %s$SEC_E_ALGORITHM_MISMATCH
API String ID: 600764987-618797061
Opcode ID: e9da9d653fdb1614238eb1cb5ecd4d7072818c9c7e3e3b48656d1444eb17cff5
Instruction ID: 25f56f8ea5bfa45ca7547a4786f0c3437ca5f5387f1dfdf77af46dfe9405a6ae
Opcode Fuzzy Hash: e9da9d653fdb1614238eb1cb5ecd4d7072818c9c7e3e3b48656d1444eb17cff5
Instruction Fuzzy Hash: 84317022A0D7C186E7718F60E4643AA73B0FB94746FC40435EACDA2A99DF3ED544CB10

Function 00007FF6CE501F20 Relevance: 15.1, APIs: 10, Instructions: 128COMMON

Download Yara Rule

APIs

ConvertSidToStringSidA.ADVAPI32 ref: 00007FF6CE501F67
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,?,00007FF6CE50233F), ref: 00007FF6CE501FE9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,?,00007FF6CE50233F), ref: 00007FF6CE501FFC
memcpy.VCRUNTIME140(?,?,?,?,00000000,?,?,00007FF6CE50233F), ref: 00007FF6CE502012
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,?,00007FF6CE50233F), ref: 00007FF6CE502051
LocalFree.KERNEL32(?,?,?,?,00000000,?,?,00007FF6CE50233F), ref: 00007FF6CE502079

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _errno$ConvertFreeLocalString_invalid_parameter_noinfomemcpy
String ID:
API String ID: 3026804155-0
Opcode ID: 0f4b64368f9d2f7a7760f622469a95e7b617d3fa57f3ffe6efce889550e6e94f
Instruction ID: a8f78ebbf86e40bc85b8e225e95f89b36538fc0c9927cc7077e8f66d04401237
Opcode Fuzzy Hash: 0f4b64368f9d2f7a7760f622469a95e7b617d3fa57f3ffe6efce889550e6e94f
Instruction Fuzzy Hash: DC51EE36A09B8682FA109F11D57423973B0AF64B8AF804135FA8EA7796CF3EE541C701

Function 00007FF6CE4F8BC9 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

invalid number; expected '+', '-', or digit after exponent, xrefs: 00007FF6CE4F9117
invalid number; expected digit after '.', xrefs: 00007FF6CE4F8F67

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid number; expected '+', '-', or digit after exponent$invalid number; expected digit after '.'
API String ID: 0-808606891
Opcode ID: 9a448cd571a5d14d77db0277002d21efe71a7764dbd5e1c13aebef6ccb53991f
Instruction ID: 9d67d39b06dd23622e210aa0fa647058c8c3bd3dcce02e12eb0656e12eaddad0
Opcode Fuzzy Hash: 9a448cd571a5d14d77db0277002d21efe71a7764dbd5e1c13aebef6ccb53991f
Instruction Fuzzy Hash: 8BB17372909A8285E724CF28D04427C3771FB29F49FA49636E68E972D9CF3DE985C350

Function 00007FF6CE551BF0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551CBA
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551D08
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551D6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE551EA9

Part of subcall function 00007FF6CE545C50: strchr.VCRUNTIME140(00000000,?,?,00007FF6CE54520F), ref: 00007FF6CE545C96
Part of subcall function 00007FF6CE545C50: strchr.VCRUNTIME140(00000000,?,?,00007FF6CE54520F), ref: 00007FF6CE545CA6
Part of subcall function 00007FF6CE545C50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00007FF6CE54520F), ref: 00007FF6CE545CD0
Part of subcall function 00007FF6CE545C50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545D05
Part of subcall function 00007FF6CE545C50: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE545D2A
Part of subcall function 00007FF6CE545C50: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE545D4C

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE551F34

Strings

GSSAPI, xrefs: 00007FF6CE551BF3
GSSAPI handshake failure (empty challenge message), xrefs: 00007FF6CE551DB3
Kerberos, xrefs: 00007FF6CE551C83, 00007FF6CE551D25

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$callocmallocstrchr$freestrncpy
String ID: GSSAPI$GSSAPI handshake failure (empty challenge message)$Kerberos
API String ID: 370574955-353107822
Opcode ID: d8a302bfc17b2b022773a9bb669af3435789545df0ee809dd69a92692376ef60
Instruction ID: b7820cde2048d0107412527cd47c31f27aef86a70ec1380cbd80291ece4dbe8a
Opcode Fuzzy Hash: d8a302bfc17b2b022773a9bb669af3435789545df0ee809dd69a92692376ef60
Instruction Fuzzy Hash: 4DA16B33A09F458AEB508F65E4602AD37B5FB54B89F800036EE8DA7B58DF3AE445C750

Function 00007FF6CE50CB65 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CBAA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CBCA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CC1B

Part of subcall function 00007FF6CE50E430: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50E436

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CD21

Strings

Replaced, xrefs: 00007FF6CE50CFB1
Added, xrefs: 00007FF6CE50CFBD
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF6CE50CFC7
FALSE, xrefs: 00007FF6CE50CCFB

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 1169197092-2292467869
Opcode ID: 8515126be97b4bf8c747823858f4f67fa6dfac8e3fdadc53ef2f576fb2d629af
Instruction ID: 1266cfb263db6f27d61f7e75733f58f9f526cb8b702ae78d79e5dea2112bc3e5
Opcode Fuzzy Hash: 8515126be97b4bf8c747823858f4f67fa6dfac8e3fdadc53ef2f576fb2d629af
Instruction Fuzzy Hash: 61915F62A0D7C649FEB18F21946437977B5EF6674AF880035FACEA2691DE2EE4448310

Function 00007FF6CE525E60 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 181COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE525F2C

Strings

Basic, xrefs: 00007FF6CE526021
Negotiate, xrefs: 00007FF6CE525ED6
Ignoring duplicate digest auth header., xrefs: 00007FF6CE525FDD
Digest, xrefs: 00007FF6CE525FC4
Authentication problem. Ignoring this., xrefs: 00007FF6CE52606D
NTLM, xrefs: 00007FF6CE525F5C
Bearer, xrefs: 00007FF6CE526048

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup
String ID: Authentication problem. Ignoring this.$Basic$Bearer$Digest$Ignoring duplicate digest auth header.$NTLM$Negotiate
API String ID: 1169197092-907567932
Opcode ID: 7e383517d18e6633fecbc07f2e436271aabf50af60d7cbf5d3dec0b2297880b1
Instruction ID: 1a984399ab69448aa87e52bb874fd6ce9cbd9aa6f4982dce60a815d0628496b3
Opcode Fuzzy Hash: 7e383517d18e6633fecbc07f2e436271aabf50af60d7cbf5d3dec0b2297880b1
Instruction Fuzzy Hash: 5471F76190C29286FB188E22956827977F1AF71786FC44035FECAEA2C2DF6FE5149301

Function 00007FF6CE50CC73 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 169COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CC76
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CD21

Strings

__Secure-, xrefs: 00007FF6CE50CC90
Replaced, xrefs: 00007FF6CE50CFB1
Added, xrefs: 00007FF6CE50CFBD
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF6CE50CFC7
FALSE, xrefs: 00007FF6CE50CCFB
__Host-, xrefs: 00007FF6CE50CCAD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$__Host-$__Secure-
API String ID: 1169197092-978722393
Opcode ID: 99665cb1b30f1ca75d68309958105519bf23c389b0a2f1d2f50058e469b29811
Instruction ID: 23dbcf03ff72fb9e9a9525dd46c347743e7e7761df53041132d4b7055ed5cbbe
Opcode Fuzzy Hash: 99665cb1b30f1ca75d68309958105519bf23c389b0a2f1d2f50058e469b29811
Instruction Fuzzy Hash: 4D716F61A0D7C645FF718F21D4643BA67B1AF2675AF880436FACEA2691DF2EE4448300

Function 00007FF6CE5179A0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE517A7C
strchr.VCRUNTIME140 ref: 00007FF6CE517AB0
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6CE517AD0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE517B54

Strings

Connecting to hostname: %s, xrefs: 00007FF6CE517B2B
anonymous, xrefs: 00007FF6CE5179B0
%s%s%s, xrefs: 00007FF6CE517A3F
Connecting to port: %d, xrefs: 00007FF6CE517B70

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$strchrstrtol
String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d$anonymous
API String ID: 137861075-1224060940
Opcode ID: a34ba1fcc5c3b91e2207fde4e65e0f255651f9bb7b78014b8bc6fa6bf73578dc
Instruction ID: 140883a87fb5220d92960d44c733b3612069cadf343c81fc7200cf02546c6ee8
Opcode Fuzzy Hash: a34ba1fcc5c3b91e2207fde4e65e0f255651f9bb7b78014b8bc6fa6bf73578dc
Instruction Fuzzy Hash: DB51F522608BC248EB219F55E8103AA67B4FB62B99F844135FECD97794DF3ED645C300

Function 00007FF6CE534050 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 135stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE53410F
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE534154
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE534210

Strings

SMTPUTF8, xrefs: 00007FF6CE5340BD, 00007FF6CE5341C5
%s %s%s, xrefs: 00007FF6CE5340D9
VRFY %s%s%s%s, xrefs: 00007FF6CE5341DE
HELP, xrefs: 00007FF6CE534245
EXPN, xrefs: 00007FF6CE534097

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreestrpbrk
String ID: SMTPUTF8$%s %s%s$EXPN$HELP$VRFY %s%s%s%s
API String ID: 1812939018-2300960079
Opcode ID: a711f49ee8665fb8d392a8ec7646bbea733b882eec0773715f2169ed68c6cef6
Instruction ID: 70d318ddc84f7c9107d3b65190a6b83587b79b557291ff4b14cdea8ddf0434fb
Opcode Fuzzy Hash: a711f49ee8665fb8d392a8ec7646bbea733b882eec0773715f2169ed68c6cef6
Instruction Fuzzy Hash: 18517C22B1CBC181EA518F15E4207B967B0ABA6B85FC44132FACDA7785DF3EE944C300

Function 00007FF6CE507A17 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 109COMMON

Download Yara Rule

Strings

SESS, xrefs: 00007FF6CE507A63
FLUSH, xrefs: 00007FF6CE507AA3
Set-Cookie:, xrefs: 00007FF6CE507B38
RELOAD, xrefs: 00007FF6CE507AC5
ALL, xrefs: 00007FF6CE507A23

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: ALL$FLUSH$RELOAD$SESS$Set-Cookie:
API String ID: 1294909896-1147549499
Opcode ID: 9d1365ddcf2a3d7a4543258a8046ac45d9ecdd769ef46670542d7a2bf49c59b9
Instruction ID: c2d462b70c1213367d929c108dbfdba592f7c24d402aab968683c83a9b196642
Opcode Fuzzy Hash: 9d1365ddcf2a3d7a4543258a8046ac45d9ecdd769ef46670542d7a2bf49c59b9
Instruction Fuzzy Hash: 57418020F0C69281F968AF2595712B96271AF64BC6F984431FE8EE77C2DF3EE4018740

Function 00007FF6CE539D21 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140 ref: 00007FF6CE539D33
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE539D4E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE539D7A
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE539D9F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE539E7C

Strings

Wildcard - Parsing started, xrefs: 00007FF6CE539E17

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$callocfreestrrchr
String ID: Wildcard - Parsing started
API String ID: 2641349667-2274641867
Opcode ID: bfdcd8a58e5c8a27267d7c664a0b8ec6978e10333f28a9e707146a0d00621057
Instruction ID: 5eeb5db8dc6ecf0f7ed3544c4dce008d21c78cc430011ed3cbf93c37ac45b20c
Opcode Fuzzy Hash: bfdcd8a58e5c8a27267d7c664a0b8ec6978e10333f28a9e707146a0d00621057
Instruction Fuzzy Hash: 55517FB6A09B42C1EB15CF11E4601BC37B5FBA4B46F859435EA8E9B358EF3AE450D310

Function 00007FF6CE50D050 Relevance: 13.8, APIs: 11, Instructions: 52COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D07D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0A7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0B1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0BB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0C5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0D9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0E3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0ED
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D0F6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6CE514A69,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE50D111

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: af0160b92c750456279e93c005bd0556b293e5d323cef995ca8b7c7c9b7a9386
Instruction ID: 3fb65b0d2f5a48717278ea00ad868d8f5d8d6f1c46c3139d8e770c01e8ff3c5c
Opcode Fuzzy Hash: af0160b92c750456279e93c005bd0556b293e5d323cef995ca8b7c7c9b7a9386
Instruction Fuzzy Hash: 6F21FA76A18A4182DB20DF61F8652286374FB98F96F441431EEDFA3728CE3ED8559320

Function 00007FF6CE542EA0 Relevance: 13.8, APIs: 11, Instructions: 29COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EAC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EB6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EC0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542ECA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542ED4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EDE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EF2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542EFC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542F06
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE541ED2,?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE542F10

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c7d199e31ac56aff1b80e80862ff45fb751bba835749bc4e651b7619f6ea5b7e
Instruction ID: 43acc81b9c63a2f0634abe180fd549fd8087692eb0271fec945513a201820613
Opcode Fuzzy Hash: c7d199e31ac56aff1b80e80862ff45fb751bba835749bc4e651b7619f6ea5b7e
Instruction Fuzzy Hash: A001F966E28901C2DB24DF65F8651382334FF98F56B402431DE9FD2324CE2BD865D360

Function 00007FF6CE54DEB0 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 211COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF6CE54DF58
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54DF69
memcpy.VCRUNTIME140 ref: 00007FF6CE54E0A9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54E104
memcpy.VCRUNTIME140 ref: 00007FF6CE54E121

Strings

response reading failed, xrefs: 00007FF6CE54E141
Excessive server response line length received, %zd bytes. Stripping, xrefs: 00007FF6CE54E081
8, xrefs: 00007FF6CE54E153
cached response data too big to handle, xrefs: 00007FF6CE54E1A1

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$freemalloc
String ID: 8$Excessive server response line length received, %zd bytes. Stripping$cached response data too big to handle$response reading failed
API String ID: 3313557100-1003742340
Opcode ID: 625c893156e9c0e7f210fb3cbd4711928e2d388c058d3c6dcd2bc63dc3d61b4f
Instruction ID: c664bb2153f3f262edbe70c34b01263be701aff7e9c2ec81cfb131bea57ff1d6
Opcode Fuzzy Hash: 625c893156e9c0e7f210fb3cbd4711928e2d388c058d3c6dcd2bc63dc3d61b4f
Instruction Fuzzy Hash: 1C81B172708B8192EA548F16D4603A96370FB65B85F849436EFCEAB745DF3EE4A0C341

Function 00007FF6CE54A786 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 169COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A7BF
memcpy.VCRUNTIME140 ref: 00007FF6CE54A7EA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A92E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A9D3

Strings

Signature Algorithm: %s, xrefs: 00007FF6CE54A9C1
Serial Number, xrefs: 00007FF6CE54A902
Signature Algorithm, xrefs: 00007FF6CE54A9A7
Serial Number: %s, xrefs: 00007FF6CE54A91C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3401966785-517259162
Opcode ID: e6d43b0ca54be161a82e472a31f56152227362cbd8ef9b4dfe647629dd50b239
Instruction ID: 08fc07a84036d1aa284617bc70e920ca595a95bf833ba4c59a7164d0a4402e36
Opcode Fuzzy Hash: e6d43b0ca54be161a82e472a31f56152227362cbd8ef9b4dfe647629dd50b239
Instruction Fuzzy Hash: D6611565E0868245FF588F6184342B927B1EF25786F844437EA9FB7786EE2EE1658300

Function 00007FF6CE544830 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF6CE527E98), ref: 00007FF6CE5449C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF6CE527E98), ref: 00007FF6CE5449F7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF6CE527E98), ref: 00007FF6CE544A1E

Strings

HTTP, xrefs: 00007FF6CE544846
%sAuthorization: NTLM %s, xrefs: 00007FF6CE5449D8, 00007FF6CE544A84
Proxy-, xrefs: 00007FF6CE5449CE, 00007FF6CE544A7A
NTLM, xrefs: 00007FF6CE544836

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
API String ID: 1294909896-3948863929
Opcode ID: 3218e1cb5eaa418985d7c841f200a9c7ff7061579c46474744507d867e542b1b
Instruction ID: 2fb5b03890ce4aa0c351c973061f47fac5637efc11646831bb76b51ef0bbbd73
Opcode Fuzzy Hash: 3218e1cb5eaa418985d7c841f200a9c7ff7061579c46474744507d867e542b1b
Instruction Fuzzy Hash: 6C618D32A08B8285EB60CF05E4687AA73F9FB54B85F840136EA8D97798DF3ED451C700

Function 00007FF6CE539F29 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF6CE539FC7

Part of subcall function 00007FF6CE53A570: strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CE53A5A6
Part of subcall function 00007FF6CE53A570: _open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CE53A5FB

Strings

Accept-ranges: bytes, xrefs: 00007FF6CE53A05E
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s, xrefs: 00007FF6CE53A12B
failed to resume file:// transfer, xrefs: 00007FF6CE53A326
Can't get the size of file., xrefs: 00007FF6CE53A1A9
Content-Length: %I64d, xrefs: 00007FF6CE53A023

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _fstat64_openstrchr
String ID: Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s$failed to resume file:// transfer
API String ID: 3410096895-1509146019
Opcode ID: a381724c99ff37eb3222d012fa12497946043f89d641a5aac803b28b72d52383
Instruction ID: 4b4b987c32bdc5112c9a17589c3e41ee2ad89fffb81f22607c09a86a65fdc698
Opcode Fuzzy Hash: a381724c99ff37eb3222d012fa12497946043f89d641a5aac803b28b72d52383
Instruction Fuzzy Hash: 99C19776A0C68285EB659F6594603BA63B1FFA4785F844031FE8DE7756EE3EE4018700

Function 00007FF6CE520D20 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE520D7A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE520E7E
WSAIoctl.WS2_32 ref: 00007FF6CE520FD7
setsockopt.WS2_32 ref: 00007FF6CE520FFF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5210F6

Strings

Failed to alloc scratch buffer!, xrefs: 00007FF6CE520E90
We are completely uploaded and fine, xrefs: 00007FF6CE52106A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: malloc$Ioctlsetsockopt
String ID: Failed to alloc scratch buffer!$We are completely uploaded and fine
API String ID: 3352517165-607151321
Opcode ID: 511f203f5d5314bd71be661a8393197f6a7c012e43a87a46478043cd8a218db2
Instruction ID: 8d95048de425581e98b9a75c77d16643a4d1c6f6acf98e2ede3f7a7ce16f071f
Opcode Fuzzy Hash: 511f203f5d5314bd71be661a8393197f6a7c012e43a87a46478043cd8a218db2
Instruction Fuzzy Hash: 06B1A332A09BC585EB658F24D5283FA33A0EB64F99F480131EE8D9A785DF3E9495C310

Function 00007FF6CE5418A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5418E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54194B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE541A7F

Part of subcall function 00007FF6CE52FA30: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,?,00000000,00007FF6CE516DBF), ref: 00007FF6CE52FA5E

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54197E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE541ABD

Strings

Failed sending Gopher request, xrefs: 00007FF6CE541A85
%s?%s, xrefs: 00007FF6CE5418D9

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: %s?%s$Failed sending Gopher request
API String ID: 111713529-132698833
Opcode ID: f701b89ca598be0c79add737d892064d220f0fede9963aa146444fe3606fa74c
Instruction ID: 9526f04f84b4de6f3e80860254456b2be2d71218d59f2fc9157c4edba5c75920
Opcode Fuzzy Hash: f701b89ca598be0c79add737d892064d220f0fede9963aa146444fe3606fa74c
Instruction Fuzzy Hash: E251E622A0CA8282F6109F66A5201B963A4BF54BE5F840232FEEED37D5DF3DD5529700

Function 00007FF6CE4FACA0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC1AD
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FC1DB
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6CE4FC1E9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC223
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FC274

Strings

value, xrefs: 00007FF6CE4FC119

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: value
API String ID: 1346393832-494360628
Opcode ID: e8a9ca86550b2b2b1146deeefcf538699ff4cb9f6ecadcd57ff50e59521f5678
Instruction ID: a3c4c74c64bfc9814db3537cb0b64152d6e94e8fae88af57e24e45092eb006a7
Opcode Fuzzy Hash: e8a9ca86550b2b2b1146deeefcf538699ff4cb9f6ecadcd57ff50e59521f5678
Instruction Fuzzy Hash: F061A372E18A8685EB10CF68E4443ED3370EB957A5F504335EAAD62AE9DF7CE081C700

Function 00007FF6CE555100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 153COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE55515D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5551CD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE55523D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE5552AD

Strings

1.0, xrefs: 00007FF6CE555261
uaHQW8FPzW, xrefs: 00007FF6CE555181
valorantplus, xrefs: 00007FF6CE555111

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 1.0$uaHQW8FPzW$valorantplus
API String ID: 3668304517-3915017969
Opcode ID: 8d54d66f9210c5d3dd33c28a62f52743d1434943afd998f7c6f900b075d3744a
Instruction ID: 333ddffa950308b7079d4a35dace645c68fed18b155436b4c327ecbc47ca4cba
Opcode Fuzzy Hash: 8d54d66f9210c5d3dd33c28a62f52743d1434943afd998f7c6f900b075d3744a
Instruction Fuzzy Hash: 505170A1E1A68680FA049F55E8653383371AF75B87FD05435F9CDE6769EE6FA4808300

Function 00007FF6CE53A570 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CE53A5A6
_open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CE53A5FB
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CE53A66C
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CE53A679
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6CE53A78B

Strings

Can't open %s for writing, xrefs: 00007FF6CE53A60B
Can't get the size of %s, xrefs: 00007FF6CE53A682

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _close$_fstat64_openstrchr
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 423814720-3544860555
Opcode ID: b9fa68d0ded3ae7f2fc9d4ca694eb432e134fc7ff2c929bc374f702eaa2bdbae
Instruction ID: 8772c21fbf239343df0495c9063758ab3c0be0abf3e19484ea5564ad46086b51
Opcode Fuzzy Hash: b9fa68d0ded3ae7f2fc9d4ca694eb432e134fc7ff2c929bc374f702eaa2bdbae
Instruction Fuzzy Hash: BE51BA65B09A4281EA149F25D4603B963F5BFA4BD5FD44035FE9EE7396EE3EE4018300

Function 00007FF6CE5427E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6CE5427F0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdupstrtol
String ID: %%%02x
API String ID: 2999891020-4020994737
Opcode ID: b15b70184c1b3d9fec6bca39b3ad5e011db36c3f1746e7354bed85ed88af4da8
Instruction ID: 2ee11418a74dc8cbdabdd9b1613c7390575a72904b62ff4d543394d72e88a300
Opcode Fuzzy Hash: b15b70184c1b3d9fec6bca39b3ad5e011db36c3f1746e7354bed85ed88af4da8
Instruction Fuzzy Hash: 3251B319E0D6A245FB728F1150343782AE1AF65B92F884132EECEA77C1DE2FE555C310

Function 00007FF6CE5427B6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5427C3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$_strdup
String ID: %%%02x
API String ID: 1496848336-4020994737
Opcode ID: b862226a7b4cd3a12c0a69f1fbc6cae677337f6b2c10cbb8bbc94ca222c2b0f4
Instruction ID: c9f45866f3bc8399516450a47e9f1dd9648258dd34fb4a452d047cfa9dd76420
Opcode Fuzzy Hash: b862226a7b4cd3a12c0a69f1fbc6cae677337f6b2c10cbb8bbc94ca222c2b0f4
Instruction Fuzzy Hash: 2041C216D0D6A245EB728F1160343782BE1AF66B92F884572EEDEA73C1DE2FE454C310

Function 00007FF6CE53E050 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF6CE53E0BC
htons.WS2_32 ref: 00007FF6CE53E0D2
send.WS2_32 ref: 00007FF6CE53E178
WSAGetLastError.WS2_32 ref: 00007FF6CE53E18C
send.WS2_32 ref: 00007FF6CE53E1CE
WSAGetLastError.WS2_32 ref: 00007FF6CE53E1D8

Strings

Sending data failed (%d), xrefs: 00007FF6CE53E192, 00007FF6CE53E1DE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLasthtonssend
String ID: Sending data failed (%d)
API String ID: 2027122571-2319402659
Opcode ID: 82fad93c0eb16bf3174ce1cf06c355e3951157a6625748c65faa105dfe9072b2
Instruction ID: ad774c0b777aaf5d523af40a946c83cd207155110c69ffc47b1e35595f5881db
Opcode Fuzzy Hash: 82fad93c0eb16bf3174ce1cf06c355e3951157a6625748c65faa105dfe9072b2
Instruction Fuzzy Hash: F9419E32708AD681E7005F75D420AA87771F764F8AF844632EB8993795DFBEE05AC302

Function 00007FF6CE54B06E Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54B078
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B4A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B572

Part of subcall function 00007FF6CE513BF0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513C42

Strings

Expire Date, xrefs: 00007FF6CE54B47D
Public Key Algorithm, xrefs: 00007FF6CE54B528
Expire Date: %s, xrefs: 00007FF6CE54B497
Public Key Algorithm: %s, xrefs: 00007FF6CE54B542

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 111713529-2901970132
Opcode ID: 9e26764737d080c2be073f7b442ecbd205ca1846c73b6eaf564e30eeedecee04
Instruction ID: 5df33ac57455fbe8621f1a7f94d7fef85890e417350cb1b3f0ec6f0a405e01d3
Opcode Fuzzy Hash: 9e26764737d080c2be073f7b442ecbd205ca1846c73b6eaf564e30eeedecee04
Instruction Fuzzy Hash: 9731AEA1E0878245EB508F6194200F937B5BF6978AF841432FE8EAB359EF3EE014C310

Function 00007FF6CE54A60D Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 165COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A92E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A9D3

Strings

%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF6CE54A731
Signature Algorithm: %s, xrefs: 00007FF6CE54A9C1
Serial Number, xrefs: 00007FF6CE54A902
Signature Algorithm, xrefs: 00007FF6CE54A9A7
Serial Number: %s, xrefs: 00007FF6CE54A91C
GMT, xrefs: 00007FF6CE54A6BE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Serial Number$Signature Algorithm
API String ID: 1294909896-599393795
Opcode ID: 06ddf24efd0fa076a48eabcff3497a828a47eb1f4d2602eff598713185c4c4ed
Instruction ID: d5b6f652a632c058b38112781758e9bc1258567b5aba6834d1a7dfa885bf49fb
Opcode Fuzzy Hash: 06ddf24efd0fa076a48eabcff3497a828a47eb1f4d2602eff598713185c4c4ed
Instruction Fuzzy Hash: 396100A5E087D244EB908F2094241B877B8BB21786FC44436EACDB7796EF3EE125C300

Function 00007FF6CE54B905 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B948
memcpy.VCRUNTIME140 ref: 00007FF6CE54B96E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BA42
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAA9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAFC

Strings

Signature: %s, xrefs: 00007FF6CE54BA97
Signature, xrefs: 00007FF6CE54BA7F

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$memcpy
String ID: Signature: %s$Signature
API String ID: 901724546-1663925961
Opcode ID: f1d4bb2958285a5254e6134ec3c51c69a933ce07328d442b90527371da471c2e
Instruction ID: 5ddc3b3a71e58301d21192b5a4482c7e94a59efeb8403c643b78f0c41f4a893f
Opcode Fuzzy Hash: f1d4bb2958285a5254e6134ec3c51c69a933ce07328d442b90527371da471c2e
Instruction Fuzzy Hash: 66512621E096C242EE598F1690283B927B1FB657E5F840236FADFA7795EE2ED0558300

Function 00007FF6CE502880 Relevance: 12.1, APIs: 8, Instructions: 144COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6CE50232E), ref: 00007FF6CE5028CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6CE50232E), ref: 00007FF6CE5028D0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6CE50232E), ref: 00007FF6CE50292F
GetTokenInformation.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6CE50232E), ref: 00007FF6CE50296F
IsValidSid.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6CE50232E), ref: 00007FF6CE5029BD
GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6CE50232E), ref: 00007FF6CE5029CA
CopySid.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6CE50232E), ref: 00007FF6CE5029E2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6CE50232E), ref: 00007FF6CE502A06

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: InformationToken$CopyErrorLastLengthValidfreemalloc
String ID:
API String ID: 2357097940-0
Opcode ID: 883d09a2e1d9e6515a238c47c2a98e1b8723ffc81f77615898d8bdd3299b4e0f
Instruction ID: 281be22ed137fc1c8982f83ee7f0fbb9af867b5aca6ce81e93124e4b6e9cc162
Opcode Fuzzy Hash: 883d09a2e1d9e6515a238c47c2a98e1b8723ffc81f77615898d8bdd3299b4e0f
Instruction Fuzzy Hash: 62519426A086C296EB509F21D4602AC33B0FB24B59FC44934FA9DE7BD6DF7EE5558300

Function 00007FF6CE54B0A4 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 130COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B4A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B572

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF6CE54B159
GMT, xrefs: 00007FF6CE54B106
Expire Date, xrefs: 00007FF6CE54B47D
Public Key Algorithm, xrefs: 00007FF6CE54B528
Public Key Algorithm: %s, xrefs: 00007FF6CE54B542
Expire Date: %s, xrefs: 00007FF6CE54B497

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$Expire Date$GMT$Public Key Algorithm
API String ID: 1294909896-1642401773
Opcode ID: c572c20152171c174984951bebc71deb12c6684c520613349d18e0525208315b
Instruction ID: 3fa8d347795153fceafd16bdbf1ab767d412ac9bf2b6ea1a56e47228be5388db
Opcode Fuzzy Hash: c572c20152171c174984951bebc71deb12c6684c520613349d18e0525208315b
Instruction Fuzzy Hash: E2518F71E09B8645EB508F6094201F977B5BB6578AFC81432FA8DAB359DF3EE514C300

Function 00007FF6CE512850 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE512896
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5128C2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5128EE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup
String ID:
API String ID: 1169197092-0
Opcode ID: 30de8a466343c07363e89482a927076ed63d3cdfbea0eadda4a13491a2fc4e3b
Instruction ID: e407c504766b4ebd4ebf1d04f29aed4ab4885004a04263c3982b1b676936dda7
Opcode Fuzzy Hash: 30de8a466343c07363e89482a927076ed63d3cdfbea0eadda4a13491a2fc4e3b
Instruction Fuzzy Hash: 0E516D36A1AB8082EB55CF59F06012C37B4FB58B85B481535EF8E93B48EF39E4E19710

Function 00007FF6CE54A547 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 123COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A92E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A9D3

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF6CE54A5F9
GMT, xrefs: 00007FF6CE54A5A6
Signature Algorithm: %s, xrefs: 00007FF6CE54A9C1
Serial Number, xrefs: 00007FF6CE54A902
Signature Algorithm, xrefs: 00007FF6CE54A9A7
Serial Number: %s, xrefs: 00007FF6CE54A91C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Serial Number$Signature Algorithm
API String ID: 1294909896-3876350232
Opcode ID: 3c189779aaa59688ae4847ca8b8f2708891fa9f94296abc0994125ba12fb05d9
Instruction ID: 1a09095cd6150c104c5bfce0ca97c07ca98675719e67f2de6283f8d10c21db4e
Opcode Fuzzy Hash: 3c189779aaa59688ae4847ca8b8f2708891fa9f94296abc0994125ba12fb05d9
Instruction Fuzzy Hash: 5E51A165A0878284EB508F6094201F967B5FB65786FC80436EACEBB35AEF3EE554C300

Function 00007FF6CE547050 Relevance: 10.9, APIs: 5, Strings: 2, Instructions: 424stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF6CE546463), ref: 00007FF6CE5470F8
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF6CE546463), ref: 00007FF6CE54713A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00007FF6CE546463), ref: 00007FF6CE5471DF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00007FF6CE546463), ref: 00007FF6CE5471F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5476D7

Strings

Failed to encode DOH packet [%d], xrefs: 00007FF6CE547231
%s?dns=%s, xrefs: 00007FF6CE5471C8

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$memcpystrchr
String ID: %s?dns=%s$Failed to encode DOH packet [%d]
API String ID: 1438451818-3030351490
Opcode ID: f85ae67141ccd2159f730b8912617362899918de70a0573beded492c5e2fd068
Instruction ID: 6d69ba9afc2e782eda75f920e233483d1ac837f9c9b6a2903f61b8c326be5067
Opcode Fuzzy Hash: f85ae67141ccd2159f730b8912617362899918de70a0573beded492c5e2fd068
Instruction Fuzzy Hash: 2F02C491B08BC34AE7519E71D8647B927A6EBA579DF804032FE8CE7786DE7ED4108700

Function 00007FF6CE5478D0 Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE50F5B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50F5E6
Part of subcall function 00007FF6CE50F5B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50F5F6
Part of subcall function 00007FF6CE50F5B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50F604
Part of subcall function 00007FF6CE50F5B0: memset.VCRUNTIME140 ref: 00007FF6CE50F63F

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE547999
memcpy.VCRUNTIME140 ref: 00007FF6CE5479B4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5479CE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpymemset
String ID:
API String ID: 1579693990-0
Opcode ID: 8a0961b594d8897c1cfbaab559b24f0fd647447cd01965fe8d278f0924e5ba90
Instruction ID: 556e46783a481adb9691ecd8c874d827bbec333edf519621ab7405bfb9d7bb76
Opcode Fuzzy Hash: 8a0961b594d8897c1cfbaab559b24f0fd647447cd01965fe8d278f0924e5ba90
Instruction Fuzzy Hash: 5B918151B0D7824AFA559F52946037A23F0AF65BC6F844036FE8DE7781EF2EE4609B40

Function 00007FF6CE51C990 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 217stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6CE51C958), ref: 00007FF6CE51CAA5
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6CE51C958), ref: 00007FF6CE51CABF

Strings

Internal error removing splay node = %d, xrefs: 00007FF6CE51C9A2
I64, xrefs: 00007FF6CE51CAB5, 00007FF6CE51CB1F
I32, xrefs: 00007FF6CE51CA95, 00007FF6CE51CAF5

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strncmp
String ID: I32$I64$Internal error removing splay node = %d
API String ID: 1114863663-13178787
Opcode ID: 0bd6f3ce0eb9efa559762f6cd6d83293cff1563dfc034f1505ff0ae0cd07bc7b
Instruction ID: 64df0f963ec9dbf65791cc997962f13d6ea5c2b7a76215d7a6db2f1723122b83
Opcode Fuzzy Hash: 0bd6f3ce0eb9efa559762f6cd6d83293cff1563dfc034f1505ff0ae0cd07bc7b
Instruction Fuzzy Hash: 80A1D232A09A8286EB25CF14E46477D7BB4FB58B49F854136EACDA3654DF3ED208C700

Function 00007FF6CE54CFDA Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2E3
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54D35E

Strings

%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF6CE54D101
TRUE, xrefs: 00007FF6CE54D2BD
GMT, xrefs: 00007FF6CE54D08E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: isupper$free
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
API String ID: 573759493-910067264
Opcode ID: 54b26b050531f9d3962397418c673469a9ae189796eac94304e68ba209cc031d
Instruction ID: 9df51dabac61ebba9df1b489a0138a6a79efc0a4c14adc942dce88abd9172fd2
Opcode Fuzzy Hash: 54b26b050531f9d3962397418c673469a9ae189796eac94304e68ba209cc031d
Instruction Fuzzy Hash: FB61C162A0D6D244FB128F24952427D7BB5AB21782FC44433E6CDE3694DF3EE556C700

Function 00007FF6CE50CB2C Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CB32
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CD21

Strings

Replaced, xrefs: 00007FF6CE50CFB1
Added, xrefs: 00007FF6CE50CFBD
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF6CE50CFC7
FALSE, xrefs: 00007FF6CE50CCFB

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 1169197092-2292467869
Opcode ID: fbca9a31774d3948abfc8bde6385b24e9c13405d3297c77e617c12b389925420
Instruction ID: 55a71af124d4422ccf935d27fde58974655b621f84a65a1767601eb677fb6f64
Opcode Fuzzy Hash: fbca9a31774d3948abfc8bde6385b24e9c13405d3297c77e617c12b389925420
Instruction Fuzzy Hash: D2618261E097C245FF718F11946437A67B1EF6675AF880436FACDA2691DF2EE4448300

Function 00007FF6CE50CCC9 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CCCC

Part of subcall function 00007FF6CE52B0A0: strchr.VCRUNTIME140 ref: 00007FF6CE52B0D6

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CD21

Strings

Replaced, xrefs: 00007FF6CE50CFB1
Added, xrefs: 00007FF6CE50CFBD
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF6CE50CFC7
FALSE, xrefs: 00007FF6CE50CCFB

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdup$strchr
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 3404610657-2292467869
Opcode ID: ed15935b41d9716d9209843b1d74f40e2e5b31e4e241751d3180b25554e6e972
Instruction ID: 2500bb49e76b2c53df883ec7983394ed30148d5b874c1d71990ad3a560e54569
Opcode Fuzzy Hash: ed15935b41d9716d9209843b1d74f40e2e5b31e4e241751d3180b25554e6e972
Instruction Fuzzy Hash: 46617362E097C245FF718F25946437A77B1EF6675AF880436FACEA2691DF2EE4448300

Function 00007FF6CE536DB0 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 146stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF6CE536E73

Strings

Maxdownload = %I64d, xrefs: 00007FF6CE536F0C, 00007FF6CE536FAB
Getting file with size: %I64d, xrefs: 00007FF6CE536F25
Data conn was not available immediately, xrefs: 00007FF6CE536F67
, xrefs: 00007FF6CE536E17
bytes, xrefs: 00007FF6CE536E69
RETR response: %03d, xrefs: 00007FF6CE536E08

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strstr
String ID: $ bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$RETR response: %03d
API String ID: 1392478783-2096918210
Opcode ID: 844a1a8c31489c3efac71edcf4aae03b41e9cbc86e7a0cba2f1709ef24d1e145
Instruction ID: 62ee932b2e7fa6789bf789e367e12c7eb5f15742e3606cf1674bb76ce69ac72d
Opcode Fuzzy Hash: 844a1a8c31489c3efac71edcf4aae03b41e9cbc86e7a0cba2f1709ef24d1e145
Instruction Fuzzy Hash: B5512B62A0978581EA24CF14E4642B973B0EB65375FC4023AFADC936C5DFBEE485D300

Function 00007FF6CE533C70 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE533CBA
memcpy.VCRUNTIME140 ref: 00007FF6CE533DD1
memcpy.VCRUNTIME140 ref: 00007FF6CE533E42
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE533E6E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE533E80

Strings

Failed to alloc scratch buffer!, xrefs: 00007FF6CE533CD0

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freememcpy$malloc
String ID: Failed to alloc scratch buffer!
API String ID: 169112436-1446904845
Opcode ID: f07d16c8db75daab703eda920ca8bee5a1d60bad19846edda8dad97a1c8747b6
Instruction ID: 0454087d26017ee3d4c9b8f7de6c97b99c3d1b006e63488bf26be64d393f8219
Opcode Fuzzy Hash: f07d16c8db75daab703eda920ca8bee5a1d60bad19846edda8dad97a1c8747b6
Instruction Fuzzy Hash: 80519C72A187C18AEB258F65E4102AAB7B0FB29786F840435EF9DA7755CF3DE164C300

Function 00007FF6CE536B80 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 145networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF6CE536D26

Part of subcall function 00007FF6CE54DEB0: memcpy.VCRUNTIME140 ref: 00007FF6CE54DF58
Part of subcall function 00007FF6CE54DEB0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54DF69

Strings

*, xrefs: 00007FF6CE536CF4
FTP response aborted due to select/poll error: %d, xrefs: 00007FF6CE536D34
FTP response timeout, xrefs: 00007FF6CE536D93
QUOT string not accepted: %s, xrefs: 00007FF6CE536D4F
We got a 421 - timeout!, xrefs: 00007FF6CE536D65

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastfreememcpy
String ID: *$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$We got a 421 - timeout!
API String ID: 1248052217-2335292235
Opcode ID: b537cd0686db900729d60750a7bab37339ded9b30baf1a0b0bc80de19cd80e4e
Instruction ID: 8f09ab2e169770b4c7c6ce46ef1c66685823aeab41e009a26012932d4fe37a72
Opcode Fuzzy Hash: b537cd0686db900729d60750a7bab37339ded9b30baf1a0b0bc80de19cd80e4e
Instruction Fuzzy Hash: D351F061B0868281FB64DF2595203B923B0BF657A6F844539FECDE72C5EFAEE4458300

Function 00007FF6CE54B77B Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAA9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAFC

Strings

%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF6CE54B89F
Signature: %s, xrefs: 00007FF6CE54BA97
Signature, xrefs: 00007FF6CE54BA7F
GMT, xrefs: 00007FF6CE54B82E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Signature
API String ID: 2190258309-3231818857
Opcode ID: ffaf596b14581a51dbec7e1e939417e7a00235b6deeb473628b968afd7d20675
Instruction ID: d4a6c75d93eb1644f9bdac0b1f6b097ae7febeb66a7f9dac81e793bf42366b1c
Opcode Fuzzy Hash: ffaf596b14581a51dbec7e1e939417e7a00235b6deeb473628b968afd7d20675
Instruction Fuzzy Hash: 5551A172E0C6C245EB618F25A4642B9A7B4FB65B92F940032FACDA3B54DF3ED155C700

Function 00007FF6CE51BDD0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545AF4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545B1A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545B28

Strings

Digest, xrefs: 00007FF6CE51BDF8
true, xrefs: 00007FF6CE545A94
stale, xrefs: 00007FF6CE545A7F

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Digest$stale$true
API String ID: 1294909896-2487968700
Opcode ID: 9872ef22fbc7acb70b1996d9569a3875116c09c5c4c57022450102bbd1a66648
Instruction ID: 9cb1870cc22f03cac75c635c4fb86f561ddbef5d235e47b7a5165657cb144c80
Opcode Fuzzy Hash: 9872ef22fbc7acb70b1996d9569a3875116c09c5c4c57022450102bbd1a66648
Instruction Fuzzy Hash: CD517022A0CA4681EF208F25A4603B923B0FF64B86F945132FADED76D5DF2ED565C710

Function 00007FF6CE53F960 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

recvfrom.WS2_32 ref: 00007FF6CE53F9C0
memcpy.VCRUNTIME140 ref: 00007FF6CE53F9E6
memchr.VCRUNTIME140 ref: 00007FF6CE53FAE3

Strings

Received too short packet, xrefs: 00007FF6CE53FA12
TFTP error: %s, xrefs: 00007FF6CE53FB00
Internal error: Unexpected packet, xrefs: 00007FF6CE53FA88

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memchrmemcpyrecvfrom
String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
API String ID: 3107918033-477593554
Opcode ID: e30255a1e197dfbe4226e61a6f75f7ca35337a9a1cb9ce9eb7594185eea2c60c
Instruction ID: ed738ba42d0a99d44c5e06d5f793d3f3fa8bfcbedd53293dc46b89b7d090427d
Opcode Fuzzy Hash: e30255a1e197dfbe4226e61a6f75f7ca35337a9a1cb9ce9eb7594185eea2c60c
Instruction Fuzzy Hash: AB51D4B2A086C285EB648F2594313F973B0EB95B46F884132EA8ED7785DE3EE445C710

Function 00007FF6CE4F2B40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE4F85A0: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF6CE4F2B9B), ref: 00007FF6CE4F861E
Part of subcall function 00007FF6CE4F85A0: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF6CE4F2B9B), ref: 00007FF6CE4F862C
Part of subcall function 00007FF6CE4F85A0: memcpy.VCRUNTIME140(?,?,?,?,00000000,00007FF6CE4F2B9B), ref: 00007FF6CE4F8642

Part of subcall function 00007FF6CE4F5220: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF6CE4F255B), ref: 00007FF6CE4F5266

Part of subcall function 00007FF6CE4F7480: memcpy.VCRUNTIME140(?,?,?,00007FF6CE4F258A), ref: 00007FF6CE4F7511

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2C39
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2C78
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2CC6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2D14

Strings

, column , xrefs: 00007FF6CE4F2BC9
at line , xrefs: 00007FF6CE4F2B8C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID: at line $, column
API String ID: 2665656946-191570568
Opcode ID: 1cbd65d2ad6282b726e0432499286016b7bdefc2c4b8b55621109d597560904c
Instruction ID: 197f3b90ec10e60a95795ee192f42a3b06edb583cbdb77bbd6024e2955cf4b70
Opcode Fuzzy Hash: 1cbd65d2ad6282b726e0432499286016b7bdefc2c4b8b55621109d597560904c
Instruction Fuzzy Hash: E151A472B14A8285FB04DF64E4443AD2371EB54BA9F409235EAAD63BD9DE3CE486D304

Function 00007FF6CE542837 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: ee8256e6c641fc7acf54d835f91dd107ffffd04d9b8e21e3da9a6e28498182d3
Instruction ID: e02a34dc1bdf56a24749f1107ed2927682f933d0f55707d58b97f49c0e19235f
Opcode Fuzzy Hash: ee8256e6c641fc7acf54d835f91dd107ffffd04d9b8e21e3da9a6e28498182d3
Instruction Fuzzy Hash: 9241F515D0D6A244EB728F1160343792BE0AF65796F884572EECEA73C1DE2FE454C310

Function 00007FF6CE542827 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 1f06ac2c2db2ed292e1209add7e7fdc6f5bee92097317e6e5c9bf9d8505bdf6e
Instruction ID: 4e9b3d8e391f755db31573f3d0bac4120ffe106558895fbefe23ce2f9c6f960c
Opcode Fuzzy Hash: 1f06ac2c2db2ed292e1209add7e7fdc6f5bee92097317e6e5c9bf9d8505bdf6e
Instruction Fuzzy Hash: DF41C116D0D6A244FB728F1160343782AE1AF66B92F884572EEDEA77C1DE2FE454C310

Function 00007FF6CE54279A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: e5d2b920f6fad23b7d857adecd6d9ce75d44ef241f253d21975143f90b7f960b
Instruction ID: e398eb6426d0fb26842169d020be21e1f517e5bb2e73d47c4cc866a815e200ba
Opcode Fuzzy Hash: e5d2b920f6fad23b7d857adecd6d9ce75d44ef241f253d21975143f90b7f960b
Instruction Fuzzy Hash: F841C215D0D6A245EB728F1160343782AE19F66B92F884572EEDEA73C1DE2FE454C310

Function 00007FF6CE5427A8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: f9e765357c992b02e2218c78d6b7491856dec5e75eb9dee0735e4099ee135759
Instruction ID: ce33bbfd591746f3d15f4312cc1e8d7330d2019d6155a2be3f0d8aee5aa53df9
Opcode Fuzzy Hash: f9e765357c992b02e2218c78d6b7491856dec5e75eb9dee0735e4099ee135759
Instruction Fuzzy Hash: D141D21AD0D6A244FB728F1160343782AE19F66B92F884572EEDEA73C1DE2FE454C310

Function 00007FF6CE54278C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: f003c0c23f757f9835ce5411ef82e8ecd9bda05e3f4b176c9f732a7e5e21500d
Instruction ID: da43ffafd97f88ed6f6f191b6f04773043cfa2968fb970bcff67be2591760f03
Opcode Fuzzy Hash: f003c0c23f757f9835ce5411ef82e8ecd9bda05e3f4b176c9f732a7e5e21500d
Instruction Fuzzy Hash: B841D21AD0D6A244FB728F1160343782AE19F66B92F884572EEDEA73C1DE2FE454C310

Function 00007FF6CE5427D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: d73fb743654f17fb8901fe81bc0a87751306d9d183506669951af1b5a1e1865e
Instruction ID: e74722bda99d411f6d4c93c8d8745c5c50666a6a4f11553adfa2c9902efe52cc
Opcode Fuzzy Hash: d73fb743654f17fb8901fe81bc0a87751306d9d183506669951af1b5a1e1865e
Instruction Fuzzy Hash: F141B216D0D6A244FB728F1160343782AE19F66B92F884572EEDEA73C1DE2FE455D310

Function 00007FF6CE5037A0 Relevance: 10.6, APIs: 7, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,?,?,?,00007FF6CE502BF3), ref: 00007FF6CE50387F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(7FFFFFFFFFFFFFFF,?,?,?,00007FF6CE502BF3), ref: 00007FF6CE5038BC
memcpy.VCRUNTIME140(?,?,00007FF6CE502BF3), ref: 00007FF6CE5038C6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE5038F9
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z.MSVCP140(?,?,?,?,?,?,?,?,00007FF6CE502BF3), ref: 00007FF6CE503915
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z.MSVCP140(?,?,?,?,?,?,?,?,00007FF6CE502BF3), ref: 00007FF6CE503921
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF6CE502BF3), ref: 00007FF6CE50392A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$V12@memcpy$?flush@?$basic_ostream@?put@?$basic_ostream@?widen@?$basic_ios@Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2833359088-0
Opcode ID: 15f9be253039e2240bc063e1b11da71aa7b45287e2af7634d6298ad7d8be59dd
Instruction ID: 68c381d10149d15d82f257e44a0ebd4701db0a77eba05fd824b828ca75f1f5c1
Opcode Fuzzy Hash: 15f9be253039e2240bc063e1b11da71aa7b45287e2af7634d6298ad7d8be59dd
Instruction Fuzzy Hash: 2D411222B0A78294EE10DF16A4A02AC6371AF25BD6F884634FE9E57785CF7DE0518300

Function 00007FF6CE54285D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54289D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5428EE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5429AA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542A9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542AAB

Strings

%%%02x, xrefs: 00007FF6CE542953

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$_strdup
String ID: %%%02x
API String ID: 1941130848-4020994737
Opcode ID: 5325258f47ecb0cdc857169e9780d9b3006acdf0ad44a563aa746d9c97f95c7b
Instruction ID: 9b3988eb6e81bb38ccd0a160889c3a036d973d6fa48cba6bc6c4c3e5c440b120
Opcode Fuzzy Hash: 5325258f47ecb0cdc857169e9780d9b3006acdf0ad44a563aa746d9c97f95c7b
Instruction Fuzzy Hash: B941B016E0D6A244EB728F1160343782AE19F66B92F884572EEDEA73C1DE2FE455C310

Function 00007FF6CE527940 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF6CE527A26
strchr.VCRUNTIME140 ref: 00007FF6CE527A39
strchr.VCRUNTIME140 ref: 00007FF6CE527A4B

Strings

Expect, xrefs: 00007FF6CE5279A7
100-continue, xrefs: 00007FF6CE527A66
Expect:, xrefs: 00007FF6CE5279CE
Expect: 100-continue, xrefs: 00007FF6CE527AA8

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchr
String ID: 100-continue$Expect$Expect:$Expect: 100-continue
API String ID: 2830005266-711804848
Opcode ID: 851d42c5b0538a36ac9c8d52a6757b20b88b90d20e5ed6bbe32c34a07d881715
Instruction ID: 6bbb1c0d9c642fc91f6e349ced38407945307cb86216e24c0b0e52f4a1d09996
Opcode Fuzzy Hash: 851d42c5b0538a36ac9c8d52a6757b20b88b90d20e5ed6bbe32c34a07d881715
Instruction Fuzzy Hash: 66410321B0D78289EA54DF1AA4240B973B0AF7579AFCC5034FACE97786DF2EE5418700

Function 00007FF6CE54AFC0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 106COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B4A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B572

Strings

Expire Date, xrefs: 00007FF6CE54B47D
%s%lx, xrefs: 00007FF6CE54B01D
Public Key Algorithm, xrefs: 00007FF6CE54B528
Expire Date: %s, xrefs: 00007FF6CE54B497
Public Key Algorithm: %s, xrefs: 00007FF6CE54B542

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$%s%lx$Expire Date$Public Key Algorithm
API String ID: 1294909896-3155708153
Opcode ID: ce6692e43ce4d85e4612fff7a1fd1c9a94e34705a187f2fd19fea5fc41e17d7a
Instruction ID: e1fc76e68acd4ba2872ec8aa3629ac2f2f9eba55d62e7088aa7a7989af53813f
Opcode Fuzzy Hash: ce6692e43ce4d85e4612fff7a1fd1c9a94e34705a187f2fd19fea5fc41e17d7a
Instruction Fuzzy Hash: 4541AFA5E0878645EE518F6194201F937B5BB6578AFC41432FE8EAB356EE3EE114C300

Function 00007FF6CE51FD10 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 106COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE51FE5A

Strings

seek callback returned error %d, xrefs: 00007FF6CE51FDAE
ioctl callback returned error %d, xrefs: 00007FF6CE51FE1F
necessary data rewind wasn't possible, xrefs: 00007FF6CE51FE65
Cannot rewind mime/post data, xrefs: 00007FF6CE51FE90
the ioctl callback returned %d, xrefs: 00007FF6CE51FE05

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: fseek
String ID: Cannot rewind mime/post data$ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
API String ID: 623662203-959247533
Opcode ID: dec987291859e4624c16fd747bb98326cd414e23c76ad7932897736b281e4466
Instruction ID: 3753d599cc9f33d6c77c65058041ccb8a0bc4e7f4c571616f9540e5f309f62b5
Opcode Fuzzy Hash: dec987291859e4624c16fd747bb98326cd414e23c76ad7932897736b281e4466
Instruction Fuzzy Hash: 6841A461B1868241E7549F69D4613B823A2EF94B89F882131EE4E9B38ADE3FD481C710

Function 00007FF6CE5337C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5337FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE53386E

Strings

., xrefs: 00007FF6CE533867

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: .
API String ID: 1865132094-916926321
Opcode ID: 5c991e7a33f54c6c18581161dd0593080ff6002acef01b1ad7369ad74ff58d0c
Instruction ID: f0d03392612904270801282428211e19cf6fb364b3d9f29b893fb197a95fb40f
Opcode Fuzzy Hash: 5c991e7a33f54c6c18581161dd0593080ff6002acef01b1ad7369ad74ff58d0c
Instruction Fuzzy Hash: AF417D22E0DB8582F620DF11E42037D63B5EB68B92F894031EA9EA7A50DF7AE4518740

Function 00007FF6CE54A78E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A7BF
memcpy.VCRUNTIME140 ref: 00007FF6CE54A7EA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A92E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A9D3

Strings

Signature Algorithm: %s, xrefs: 00007FF6CE54A9C1
Serial Number, xrefs: 00007FF6CE54A902
Signature Algorithm, xrefs: 00007FF6CE54A9A7
Serial Number: %s, xrefs: 00007FF6CE54A91C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 3401966785-517259162
Opcode ID: 108d7e799b468a7d46d683869f1311f7a02171bc92069e3486388892e8923149
Instruction ID: 0a01af8d4dec477465966ab565486f37791149b439d41cf209524ce70f643f0a
Opcode Fuzzy Hash: 108d7e799b468a7d46d683869f1311f7a02171bc92069e3486388892e8923149
Instruction Fuzzy Hash: 4D41C1A5E0878245FF508F6194241F823B5BF6578AF880436ED8EBB796EF3EA114C300

Function 00007FF6CE543DE0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE52F8F0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F918
Part of subcall function 00007FF6CE52F8F0: GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F93E
Part of subcall function 00007FF6CE52F8F0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F95F
Part of subcall function 00007FF6CE52F8F0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F970

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE543E7F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE543EC8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE543ED1

Strings

%s%s.netrc, xrefs: 00007FF6CE543E3F
HOME, xrefs: 00007FF6CE543E19
%s%s_netrc, xrefs: 00007FF6CE543E94

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$realloc$EnvironmentVariable
String ID: %s%s.netrc$%s%s_netrc$HOME
API String ID: 4174189579-3384076093
Opcode ID: d2ce4dc3e812534eeb9e1d008ad1995355e9f1d6f68227a971d658bd671407bc
Instruction ID: 67727af179a1ea19a29681808f047d300c925ecff87a4e4d4a9524f49ea828d7
Opcode Fuzzy Hash: d2ce4dc3e812534eeb9e1d008ad1995355e9f1d6f68227a971d658bd671407bc
Instruction Fuzzy Hash: E4319622A09B4281EA20DF16B82016663B4BF64BD6FD40432FDCDE7765DF3DE0158700

Function 00007FF6CE54B90D Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B948
memcpy.VCRUNTIME140 ref: 00007FF6CE54B96E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAA9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAFC

Strings

Signature: %s, xrefs: 00007FF6CE54BA97
Signature, xrefs: 00007FF6CE54BA7F

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$memcpy
String ID: Signature: %s$Signature
API String ID: 3519880569-1663925961
Opcode ID: 1b1385a64952a44483e91997569071a29c027b71a1135d49ae6c5b52ea412f47
Instruction ID: 7488084e18c89bf2e4b0eece57e3540132970d8546fde113a6e8856bfe0d433a
Opcode Fuzzy Hash: 1b1385a64952a44483e91997569071a29c027b71a1135d49ae6c5b52ea412f47
Instruction Fuzzy Hash: 4C31D471F0978282EE51CF16A4242B963B4BFA5BD5F840132FE8DA7795EE3EE0158300

Function 00007FF6CE54AA18 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54AA4C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54AF39

Strings

Start Date: %s, xrefs: 00007FF6CE54AF27
TRUE, xrefs: 00007FF6CE54AA3A
Start Date, xrefs: 00007FF6CE54AF0D
FALSE, xrefs: 00007FF6CE54AA41

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: Start Date: %s$FALSE$Start Date$TRUE
API String ID: 1865132094-176635895
Opcode ID: ab1f4ae8c9a38d7471090914ba8ffa7513e267a7a4cade6c341c4b21be4af453
Instruction ID: 5f488d4894a04e61101c6dac215b890ec305fd61ac5f37e63e10904bc4354399
Opcode Fuzzy Hash: ab1f4ae8c9a38d7471090914ba8ffa7513e267a7a4cade6c341c4b21be4af453
Instruction Fuzzy Hash: F621B3A6A0C7C255EB618F11A4642B93375FB55786FC40432EA8EA7756DF2EE055C300

Function 00007FF6CE518FF0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE519025
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE519051
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE519059
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE51907B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6CE51636C), ref: 00007FF6CE519092

Strings

Invalid zoneid: %s; %s, xrefs: 00007FF6CE519064

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_errnostrerrorstrtoul
String ID: Invalid zoneid: %s; %s
API String ID: 439826447-2159854051
Opcode ID: f4ca43e43df7e3bbc22dee19bae3a3e7dabca7d7908a20f9c0ba3a808230b1dc
Instruction ID: 12cb4a97381aa05bc3e55c4a0d5473e13f1706e3102b9036d912fbc6c7b9e1d7
Opcode Fuzzy Hash: f4ca43e43df7e3bbc22dee19bae3a3e7dabca7d7908a20f9c0ba3a808230b1dc
Instruction Fuzzy Hash: 011190B2E1968282EB10DF61E4601B83370EFE5B46F941035EA8DD37A4DE2FE844C700

Function 00007FF6CE518F20 Relevance: 10.0, APIs: 8, Instructions: 36COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F34
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F4A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F5E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F72
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F86
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518F9A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518FAE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE518FC2

Part of subcall function 00007FF6CE541EC0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE518FDB,?,?,00000000,00007FF6CE514A23,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE541ED5

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9490af20bca0821dc354af4aae99f169b7203ef8c711842bd6770f711ea81fc3
Instruction ID: 973378ac2bbfde52e265499176a1db0047044035538939c118a1915e2c427d0d
Opcode Fuzzy Hash: 9490af20bca0821dc354af4aae99f169b7203ef8c711842bd6770f711ea81fc3
Instruction Fuzzy Hash: 1F11A436918E80C1DB10DF61F9A51E823B8FBD9B9AB581031EE9B8E754DF3580658220

Function 00007FF6CE512A00 Relevance: 10.0, APIs: 8, Instructions: 33COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A11
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A21
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A2F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A3D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A4B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A59
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A67
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE516206), ref: 00007FF6CE512A75

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2c59c0258da59ea11c7abbe764ae23b3f6b2cd009dab738447c14b14124d9ae8
Instruction ID: 5d560cfd08ac8a9f211557ef1b88689c9c4c3ccad18852b182724852973f3209
Opcode Fuzzy Hash: 2c59c0258da59ea11c7abbe764ae23b3f6b2cd009dab738447c14b14124d9ae8
Instruction Fuzzy Hash: 6C01B376918B01C2DB10DF61F5A523C33B8FB98F9A7502525DE9E92718CF3AC4A5C260

Function 00007FF6CE54AD8C Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54ADCF
memcpy.VCRUNTIME140 ref: 00007FF6CE54ADF5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54AEC8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54AF39

Strings

Start Date: %s, xrefs: 00007FF6CE54AF27
Start Date, xrefs: 00007FF6CE54AF0D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: Start Date: %s$Start Date
API String ID: 3401966785-2389359183
Opcode ID: 9bbd67aaccf9cadf82fb6497df90d81440caf609fd73dc8c32faf7883cc7d217
Instruction ID: 34c70c36abb72ca95cd090c88c81e61e144a711f09bb1bc6d4d3829b3f9be292
Opcode Fuzzy Hash: 9bbd67aaccf9cadf82fb6497df90d81440caf609fd73dc8c32faf7883cc7d217
Instruction Fuzzy Hash: 5D415B55A082C206FF598F1180342B92771EB257A2F844637F6AFB77D6EE2EA0758300

Function 00007FF6CE4FDDD0 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF6CE4FDEBA
memcpy.VCRUNTIME140 ref: 00007FF6CE4FDEC9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4FDEFD
memcpy.VCRUNTIME140 ref: 00007FF6CE4FDF04
memcpy.VCRUNTIME140 ref: 00007FF6CE4FDF13
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE4FDF38

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: ec9b73d24a0c34c8da037ef226d6443237174b11aece3f5d776ff66a1c9efe33
Instruction ID: 62d3128a8d70b654031d5e86e2357296deeccf1ac879e8a292224ebc8effe938
Opcode Fuzzy Hash: ec9b73d24a0c34c8da037ef226d6443237174b11aece3f5d776ff66a1c9efe33
Instruction Fuzzy Hash: 2631B162719A8695EE149F16A5142A86371AF64FE1F844B31FEAD577D9CE3CE0418300

Function 00007FF6CE4F6560 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF6CE4F5295,?,?,?,?,?,00007FF6CE4F255B), ref: 00007FF6CE4F6653
memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF6CE4F5295,?,?,?,?,?,00007FF6CE4F255B), ref: 00007FF6CE4F6661
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,0000000F,00007FF6CE4F5295,?,?,?,?,?,00007FF6CE4F255B), ref: 00007FF6CE4F669A
memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF6CE4F5295,?,?,?,?,?,00007FF6CE4F255B), ref: 00007FF6CE4F66A4
memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF6CE4F5295,?,?,?,?,?,00007FF6CE4F255B), ref: 00007FF6CE4F66B2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE4F66E1

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 3750e6bf37c024cd3fff6ea3c2c1d9ca45758413d4f3398dfde53edf71277f15
Instruction ID: 2c70af75de5226fe1a286e80c42e5c2acc1b25c20b5324c1849aa88c788d7a59
Opcode Fuzzy Hash: 3750e6bf37c024cd3fff6ea3c2c1d9ca45758413d4f3398dfde53edf71277f15
Instruction Fuzzy Hash: F941E4A170968685EE249F16A5042AD63B1EB55FE1F848630EFEDA77C9CE3CE0418344

Function 00007FF6CE503610 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF6CE503704
memcpy.VCRUNTIME140 ref: 00007FF6CE503712
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE50374B
memcpy.VCRUNTIME140 ref: 00007FF6CE503755
memcpy.VCRUNTIME140 ref: 00007FF6CE503763
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE503798

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 058efdf56ccbf18665278e5e554732f5308646915042b8d141bbe00cd9663574
Instruction ID: 4ca9a0072286f2fcb9555076b48454c3e7c9c1032d26694c5198c4bea8088f9f
Opcode Fuzzy Hash: 058efdf56ccbf18665278e5e554732f5308646915042b8d141bbe00cd9663574
Instruction Fuzzy Hash: EE41E262B09A8681EE219F12A4642AA63B1BB15BD5FD40631FFDD9B785DF3DE1418300

Function 00007FF6CE545C50 Relevance: 9.1, APIs: 6, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,?,?,00007FF6CE54520F), ref: 00007FF6CE545C96
strchr.VCRUNTIME140(00000000,?,?,00007FF6CE54520F), ref: 00007FF6CE545CA6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00007FF6CE54520F), ref: 00007FF6CE545CD0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE545D05
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE545D2A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE545D4C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupstrchr$mallocstrncpy
String ID:
API String ID: 2121287944-0
Opcode ID: 5676368ad15ab2044f9e3e0bbe9584b9475c3e99f4f592c46ad953cfdca637da
Instruction ID: 99b8d5d0d8ca710506dbaec06b2708141300b75c94c5857dd109806da7c8c896
Opcode Fuzzy Hash: 5676368ad15ab2044f9e3e0bbe9584b9475c3e99f4f592c46ad953cfdca637da
Instruction Fuzzy Hash: F831C821A09B8686EA64EF21A46037576B0FF69BD1F844635EECE937D5DF3DE0508340

Function 00007FF6CE54A74F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A92E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54A9D3

Strings

Signature Algorithm: %s, xrefs: 00007FF6CE54A9C1
Serial Number, xrefs: 00007FF6CE54A902
Signature Algorithm, xrefs: 00007FF6CE54A9A7
Serial Number: %s, xrefs: 00007FF6CE54A91C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
API String ID: 1294909896-517259162
Opcode ID: a8cf219ff02d1c673cbbf0f42a3d7358e55c00e3b89862292003d1a924f2c463
Instruction ID: 74d37351cb68d1a14f3178061e97713ca398f16be1b8641ba694993718999987
Opcode Fuzzy Hash: a8cf219ff02d1c673cbbf0f42a3d7358e55c00e3b89862292003d1a924f2c463
Instruction Fuzzy Hash: BA41C4A5B087C245EF508F6194241F93775BB6578AF880436EE8EA778AEF3EE114C300

Function 00007FF6CE54B035 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B4A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B572

Strings

Expire Date, xrefs: 00007FF6CE54B47D
Public Key Algorithm, xrefs: 00007FF6CE54B528
Expire Date: %s, xrefs: 00007FF6CE54B497
Public Key Algorithm: %s, xrefs: 00007FF6CE54B542

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 1294909896-2901970132
Opcode ID: 814d87ee8f1a2e64b5af76deddb3e54e775e410a3373916e88a6bec358235fc1
Instruction ID: ee9a066f91f61788dffcb68959bb93987558d4b0c7b46b95cca41b1897c309ff
Opcode Fuzzy Hash: 814d87ee8f1a2e64b5af76deddb3e54e775e410a3373916e88a6bec358235fc1
Instruction Fuzzy Hash: DD31A2A1E0878645EB509F6194201F93775BF6578AF841432FE8EAB356EF3EE124C310

Function 00007FF6CE54B086 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE54C1B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54C1FC

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B4A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B572

Part of subcall function 00007FF6CE513BF0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513C42

Strings

Expire Date, xrefs: 00007FF6CE54B47D
Public Key Algorithm, xrefs: 00007FF6CE54B528
Expire Date: %s, xrefs: 00007FF6CE54B497
Public Key Algorithm: %s, xrefs: 00007FF6CE54B542

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 3061335427-2901970132
Opcode ID: cdd494d5907edce78a1b3ad990dd3e5ea0588444b06d4b76ad48cd4fa67fcc66
Instruction ID: bfe7b66975e2dcaef1c901a3e1e54d762985db1fc36ba103152807473c8c278f
Opcode Fuzzy Hash: cdd494d5907edce78a1b3ad990dd3e5ea0588444b06d4b76ad48cd4fa67fcc66
Instruction Fuzzy Hash: C631AFA1E0878245EB508F6194201F937B5BF6578AF841436FE8EAB35AEF3EE114C310

Function 00007FF6CE54B053 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE54DCC0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54DCF5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B4A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54B572

Part of subcall function 00007FF6CE513BF0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513C42

Strings

Expire Date, xrefs: 00007FF6CE54B47D
Public Key Algorithm, xrefs: 00007FF6CE54B528
Expire Date: %s, xrefs: 00007FF6CE54B497
Public Key Algorithm: %s, xrefs: 00007FF6CE54B542

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
API String ID: 3061335427-2901970132
Opcode ID: 7991363a0313ed0dabebba338b8bb3fae589b424e5f1d5319233e0193346de05
Instruction ID: d43f413837f5d26c4207f861b94a744cebe2fba11283e3ddacd96b39c92ef78f
Opcode Fuzzy Hash: 7991363a0313ed0dabebba338b8bb3fae589b424e5f1d5319233e0193346de05
Instruction Fuzzy Hash: FF3190A1E0878245EB509F6194211F937B5BF6578AF841436FE8EAB35AEF3EE114C310

Function 00007FF6CE54B5F0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAA9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAFC

Strings

Signature: %s, xrefs: 00007FF6CE54BA97
%s%lx, xrefs: 00007FF6CE54B64D
Signature, xrefs: 00007FF6CE54BA7F

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$%s%lx$Signature
API String ID: 2190258309-1406629954
Opcode ID: 7c2445a437aa6e9c6eedac30248aab740272c2697002318a9ca2fa1cb01766ad
Instruction ID: a0e51bd654a0e7b23449aedf3de1613b0481d8c87f02773b5a6e6e5d7e0f2232
Opcode Fuzzy Hash: 7c2445a437aa6e9c6eedac30248aab740272c2697002318a9ca2fa1cb01766ad
Instruction Fuzzy Hash: 6431C762F0868246EE508F25E4642B963B4FB95B85F840432FECDA7755DE2FD011C700

Function 00007FF6CE503940 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF6CE502AEC), ref: 00007FF6CE50396D
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF6CE502AEC), ref: 00007FF6CE503987
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF6CE502AEC), ref: 00007FF6CE5039B9
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF6CE502AEC), ref: 00007FF6CE5039E3
std::_Facet_Register.LIBCPMT ref: 00007FF6CE5039FC
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF6CE502AEC), ref: 00007FF6CE503A1B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 295490909-0
Opcode ID: f6e581ddbb454a6584e87d1f25c38fc3f92ab443521ca881e5d300a07bf7bc99
Instruction ID: d1b97df8c1bf45c23c4fddb4f79e2ce87f96846a345aaff055c9ad80ec140a59
Opcode Fuzzy Hash: f6e581ddbb454a6584e87d1f25c38fc3f92ab443521ca881e5d300a07bf7bc99
Instruction Fuzzy Hash: 73317226A0DB8585EA149F11E4A01697370FBA8B99F880631FBDD977A9DF3DE440C700

Function 00007FF6CE50EA20 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF6CE50EA53
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF6CE50EA67
CloseHandle.KERNEL32 ref: 00007FF6CE50EA74
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF6CE50EA96
closesocket.WS2_32 ref: 00007FF6CE50EAB4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF6CE50EACD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: 602731b9b1b1dca77b9102e7dae472892587333dbf5f7b03975aa90894b5eb42
Instruction ID: 976cf4ac7431c06985658025a70771e900e48cb5faa4fba0d1779f99a3bf1410
Opcode Fuzzy Hash: 602731b9b1b1dca77b9102e7dae472892587333dbf5f7b03975aa90894b5eb42
Instruction Fuzzy Hash: A5213E76708A8186EA20DF52E5642297370FBA8B92F544035EFCE93B55DF7EE461C340

Function 00007FF6CE50CC58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE52B150: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE52B171

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CD21

Strings

Replaced, xrefs: 00007FF6CE50CFB1
Added, xrefs: 00007FF6CE50CFBD
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF6CE50CFC7
FALSE, xrefs: 00007FF6CE50CCFB

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _errno_strdup
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 2151398962-2292467869
Opcode ID: b72f509f3f245e5f82a3544111d7e60eb25a11963bfd4d9dec3e021f281af0ad
Instruction ID: 0fd45ff991e954b4f05c79002ba6ca03ab6030a0f0e6fba869396a19b5f3e24e
Opcode Fuzzy Hash: b72f509f3f245e5f82a3544111d7e60eb25a11963bfd4d9dec3e021f281af0ad
Instruction Fuzzy Hash: 31617461E097C645FF718F2594643BA67B1EF6674AF880436FACDA2691DF2EE844C300

Function 00007FF6CE50CB4D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE52B0A0: strchr.VCRUNTIME140 ref: 00007FF6CE52B0D6

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50CD21

Strings

Replaced, xrefs: 00007FF6CE50CFB1
Added, xrefs: 00007FF6CE50CFBD
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF6CE50CFC7
FALSE, xrefs: 00007FF6CE50CCFB

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupstrchr
String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
API String ID: 3727083984-2292467869
Opcode ID: aebe370b010a1a5f820bbae96d615cec1952ca862e468dcc82989100e0e24757
Instruction ID: ef7d197a66682bded1e9ec6203b26b74db18255790f4d4c87570edf6934a4e69
Opcode Fuzzy Hash: aebe370b010a1a5f820bbae96d615cec1952ca862e468dcc82989100e0e24757
Instruction Fuzzy Hash: F6618262E097C245FF718F21946437A67B1EF6674AF880436FACDA2691DF2EE844C300

Function 00007FF6CE525B50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE525D5D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE525D75

Strings

The requested URL returned error: %d, xrefs: 00007FF6CE525CFE
Forcing HTTP/1.1 for NTLM, xrefs: 00007FF6CE525C19

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: Forcing HTTP/1.1 for NTLM$The requested URL returned error: %d
API String ID: 1865132094-1204028548
Opcode ID: bcbbadb753b415eb2ceb686b909547f30a32b45e311577f7ff9c4637e5aeabd1
Instruction ID: f66bee17b4ad102bd92be7fc01c412220fc0ea5c784da201d21cd0eb7dcc2250
Opcode Fuzzy Hash: bcbbadb753b415eb2ceb686b909547f30a32b45e311577f7ff9c4637e5aeabd1
Instruction Fuzzy Hash: 7551AB31A0C68245FB658F2490683B927B1EB7574AF980035EBCDE66C9DF2FE450C722

Function 00007FF6CE4F2DE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE4F5980: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1

Part of subcall function 00007FF6CE4F52A0: memcpy.VCRUNTIME140 ref: 00007FF6CE4F52F3

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2EB2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2F00
__std_exception_copy.VCRUNTIME140 ref: 00007FF6CE4F2F50
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE4F2F9D

Strings

out_of_range, xrefs: 00007FF6CE4F2E26

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$__std_exception_copy
String ID: out_of_range
API String ID: 2484256320-3053435996
Opcode ID: a34bb542486326b7f0eb5bbab939db0ef8fe0dc2fe9a393e5024e9f116bb4741
Instruction ID: dcc137df5ecd1d8565836efac796fb9a4045a2514c414878e0907190fa9fad99
Opcode Fuzzy Hash: a34bb542486326b7f0eb5bbab939db0ef8fe0dc2fe9a393e5024e9f116bb4741
Instruction Fuzzy Hash: 0F51B132A19B4299FB00CF64D4503AC3375EB64B99F808231EA9D93AD9DF3DE195C300

Function 00007FF6CE542F30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE542FA8
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE542FDA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54304A

Part of subcall function 00007FF6CE52B2B0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6CE50E2DA,?,?,?,?,?,?,?,00007FF6CE50E0A7), ref: 00007FF6CE52B2C1

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5430C5

Strings

0123456789abcdefABCDEF:., xrefs: 00007FF6CE542F9E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _errno_strdupstrcspnstrncmpstrspn
String ID: 0123456789abcdefABCDEF:.
API String ID: 2191890455-446397347
Opcode ID: 0fe5a7b3f98b8b7ba8c4c99c01e3b2948844d30d354f25457daeafb4e39fb8cd
Instruction ID: 70f61c1a97dc451a05d1b5d119e93c8ad7a037b2ae8631c35f8143fa500d68b6
Opcode Fuzzy Hash: 0fe5a7b3f98b8b7ba8c4c99c01e3b2948844d30d354f25457daeafb4e39fb8cd
Instruction Fuzzy Hash: 9141E412A0CAC945EF228F24A42037977B4EB26B52FC40636EACD977D5DF2EE465C701

Function 00007FF6CE54CF18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2E3
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54D35E

Strings

GMT, xrefs: 00007FF6CE54CF74
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF6CE54CFC6

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: isupper$free
String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
API String ID: 573759493-632690687
Opcode ID: 578a54f3296da458d1d6ad0bdfdd8588f109dd191744e26feaecc399d90e1ac9
Instruction ID: 4116213513cb7def443dc805490d06ed5f8ef405a746ba8d3d20b26bad38ec1e
Opcode Fuzzy Hash: 578a54f3296da458d1d6ad0bdfdd8588f109dd191744e26feaecc399d90e1ac9
Instruction Fuzzy Hash: C641D522A0DAC695F711CF25916037CBBB1AB65B82FC84132E6CDA2685CF3ED565C700

Function 00007FF6CE4F5980 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F59B1
memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F5A76
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE4F5ACA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE4F5AD1

Part of subcall function 00007FF6CE552CC8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF6CE4F5A5E,7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE552CE2

Strings

black, xrefs: 00007FF6CE4F5982

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: black
API String ID: 1155477157-2307242536
Opcode ID: d7a50970d6f6d37e7726b73f9fdb74122679e35b1a9e6901d7e39946806c6e7b
Instruction ID: 99829b35b8cf18e1645e4679052b891bb66c0baf091c44466c76ffa5505f434e
Opcode Fuzzy Hash: d7a50970d6f6d37e7726b73f9fdb74122679e35b1a9e6901d7e39946806c6e7b
Instruction Fuzzy Hash: E6312532F0668748EE19DF15A55427822709F10FF6F484630EEADA7BD5DE7CE8928304

Function 00007FF6CE522900 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE52296A
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5229DB
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF6CE522A3B

Strings

:%u, xrefs: 00007FF6CE52297E, 00007FF6CE5229E4
Hostname in DNS cache was stale, zapped, xrefs: 00007FF6CE522A62

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: tolower$_time64
String ID: :%u$Hostname in DNS cache was stale, zapped
API String ID: 4068448496-2924501231
Opcode ID: c35070c0db4078c23490f5c1a96604c7c221ae84f691727a7c67632279e9d20e
Instruction ID: eeb20c2c941a45a9e823f89e1b6d92ef5321678fc9f56e896362b89051502bd6
Opcode Fuzzy Hash: c35070c0db4078c23490f5c1a96604c7c221ae84f691727a7c67632279e9d20e
Instruction Fuzzy Hash: 4D41D426A1968291EA20CF11E4647B97770FB64B95F844231FE8DA7B95DF3EE005C700

Function 00007FF6CE51DEC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51DF49
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51DFDF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51E007

Strings

Unrecognized content encoding type. libcurl understands %s content encodings., xrefs: 00007FF6CE51DFF5
identity, xrefs: 00007FF6CE51DF03, 00007FF6CE51DF73, 00007FF6CE51DFD8

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: Unrecognized content encoding type. libcurl understands %s content encodings.$identity
API String ID: 3985033223-1703240927
Opcode ID: c932179416f22d1a9e7d57fd4589fd249bf1c03caa6153466f077bf1a759ea68
Instruction ID: b15986630126174e56b2da3145d0a249f1fda1e02e443efc444e08a8ab2b9c47
Opcode Fuzzy Hash: c932179416f22d1a9e7d57fd4589fd249bf1c03caa6153466f077bf1a759ea68
Instruction Fuzzy Hash: 3641B425E09A9281EF118F55D46037867B0EF64BEAF844131EEADA77C5DF2EE502C300

Function 00007FF6CE54CE09 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54CE30
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2E3
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54D35E

Strings

FALSE, xrefs: 00007FF6CE54CE25

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: isupper$_strdupfree
String ID: FALSE
API String ID: 3359907120-3701058176
Opcode ID: 33c320c159b2dd0019efddd7297e992a1e4b8238c05c7671edbfa74a6984c7ba
Instruction ID: 4b32ebb2652046d3bdd7ffa10bec3cc8cc1493d1b4315132b33a18f3e6660390
Opcode Fuzzy Hash: 33c320c159b2dd0019efddd7297e992a1e4b8238c05c7671edbfa74a6984c7ba
Instruction Fuzzy Hash: 28310622E0D69644FB12CF28942433C6BB05B25B66FC40633EADEA56C1CE3ED495C310

Function 00007FF6CE534780 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE5347BB
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE534801
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE534866

Strings

RCPT TO:<%s@%s>, xrefs: 00007FF6CE53483D
RCPT TO:<%s>, xrefs: 00007FF6CE53484B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreestrpbrk
String ID: RCPT TO:<%s>$RCPT TO:<%s@%s>
API String ID: 1812939018-579818044
Opcode ID: fd002c5fda19e28f6138e281b37765518e42b7f311f6b13a94937346a2177fdf
Instruction ID: 771dd891ef8d2714a530294de414750152c74b27a4d3817a4143392a4dc819a1
Opcode Fuzzy Hash: fd002c5fda19e28f6138e281b37765518e42b7f311f6b13a94937346a2177fdf
Instruction Fuzzy Hash: 7431A262A18BC181EB01CF25E4602B9A7B0FBA5B95F889231FADE53795DF7DD541C300

Function 00007FF6CE503B60 Relevance: 7.7, APIs: 5, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE4F53E0: memcpy.VCRUNTIME140(?,?,038E38E38E38E38E,00007FF6CE4F1849), ref: 00007FF6CE4F5492
Part of subcall function 00007FF6CE4F53E0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE4F54B7

Part of subcall function 00007FF6CE4F53E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,038E38E38E38E38E,00007FF6CE4F1849), ref: 00007FF6CE4F5474

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,00000000,00000000,?,00000000,00007FF6CE4F18BD), ref: 00007FF6CE503DD9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,00000000,00000000,?,00000000,00007FF6CE4F18BD), ref: 00007FF6CE503DE0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,00000000,00000000,?,00000000,00007FF6CE4F18BD), ref: 00007FF6CE503DE7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,00000000,00000000,?,00000000,00007FF6CE4F18BD), ref: 00007FF6CE503DEE
__std_exception_copy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,?,00000000,00007FF6CE4F18BD), ref: 00007FF6CE503E24

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copymemcpy
String ID:
API String ID: 1942857678-0
Opcode ID: 2ab750b89eafc8c325caa7b3c2e2d632db3c7bd570751d0e81a418894a5c78a6
Instruction ID: 11580ae47c60216c447851efd36d5f0d6fcea61cc4a62a6f0b7ad53818153032
Opcode Fuzzy Hash: 2ab750b89eafc8c325caa7b3c2e2d632db3c7bd570751d0e81a418894a5c78a6
Instruction Fuzzy Hash: A071AC73A04BC586EB20DF24E8943ED37B1E725B89F808135EA8D5AA5ADF79D5D4C300

Function 00007FF6CE547CE0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE547C40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547C66
Part of subcall function 00007FF6CE547C40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547C87
Part of subcall function 00007FF6CE547C40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547CA2
Part of subcall function 00007FF6CE547C40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547CB0
Part of subcall function 00007FF6CE547C40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547CC2

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE547D66

Strings

HTTP, xrefs: 00007FF6CE547CEA
NTLM, xrefs: 00007FF6CE547D1E, 00007FF6CE547DD0

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: HTTP$NTLM
API String ID: 2190258309-4188377180
Opcode ID: 21a5017a56f3473826fe67d1390752946f547c3f1a1b08df1558efcb37d8a741
Instruction ID: 246879e1b9260f477721a03bdc75489a24ed354b1d713399309c1bf468d61e48
Opcode Fuzzy Hash: 21a5017a56f3473826fe67d1390752946f547c3f1a1b08df1558efcb37d8a741
Instruction Fuzzy Hash: DE616D32608B8286EB608F25E45066E73B4FB98B85F944136EECD93B58DF3ED454CB40

Function 00007FF6CE550F90 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF6CE550F50), ref: 00007FF6CE550FFF

Part of subcall function 00007FF6CE52B2B0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6CE50E2DA,?,?,?,?,?,?,?,00007FF6CE50E0A7), ref: 00007FF6CE52B2C1

Part of subcall function 00007FF6CE52B2B0: strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF6CE52B463
Part of subcall function 00007FF6CE52B2B0: strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF6CE52B480

strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF6CE550F50), ref: 00007FF6CE55106E
strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF6CE550F50), ref: 00007FF6CE551088
strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF6CE550F50), ref: 00007FF6CE5510BE

Strings

xn--, xrefs: 00007FF6CE5510A5

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_errno
String ID: xn--
API String ID: 2644425738-2826155999
Opcode ID: 839c8b92e3b9afacb66d4b51936a73871cdfbc3f19561b6dfda382d68fbcc2d3
Instruction ID: 7de5d4e3460640d3fb6132394129fb578c72cc33797d4d32771c73add0641fbc
Opcode Fuzzy Hash: 839c8b92e3b9afacb66d4b51936a73871cdfbc3f19561b6dfda382d68fbcc2d3
Instruction Fuzzy Hash: DD41F851B1E68245FF549E219A243B969B15F65BC2FC48130FE8EE77C5EE6EE4018300

Function 00007FF6CE51F080 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6CE51F128
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51F1A8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51F252

Strings

CONNECT phase completed!, xrefs: 00007FF6CE51F293
allocate connect buffer!, xrefs: 00007FF6CE51F1CF

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: callocfreememset
String ID: CONNECT phase completed!$allocate connect buffer!
API String ID: 3505321882-591125384
Opcode ID: d9185432e4f8109c9eb5e8da7bfb322b6a696c3593a9c1bf62ff5a5b3cd25373
Instruction ID: 9de23244e2defa7264109894511ba32e2e49762b985ee82b11e5006a020adc2d
Opcode Fuzzy Hash: d9185432e4f8109c9eb5e8da7bfb322b6a696c3593a9c1bf62ff5a5b3cd25373
Instruction Fuzzy Hash: 8051C532B0868282E7158F61D9653B933B0FF54B89F844035EBAD97291DF7BE565C310

Function 00007FF6CE54AC03 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 125COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54AF39

Strings

%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF6CE54AD31
Start Date: %s, xrefs: 00007FF6CE54AF27
Start Date, xrefs: 00007FF6CE54AF0D
GMT, xrefs: 00007FF6CE54ACBE

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Start Date: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Start Date
API String ID: 1294909896-619256714
Opcode ID: 3f860ba45f9f8bdb9570643578fc2f6e0b1b8f6c69e6285e99155f7ed90d60f2
Instruction ID: 469f86d5c0c24823b795a7304e51f2dc1b240cf39801ad80140a7159fc4609de
Opcode Fuzzy Hash: 3f860ba45f9f8bdb9570643578fc2f6e0b1b8f6c69e6285e99155f7ed90d60f2
Instruction Fuzzy Hash: FF51E165A0C6D246EBA08F1095245B877B9FB21782FC44032FACDB6796EF3EE565C300

Function 00007FF6CE54C9F9 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54CA3C
memcpy.VCRUNTIME140 ref: 00007FF6CE54CA62
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54CB39
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54CBA6

Strings

%s: %s, xrefs: 00007FF6CE54CB91

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy
String ID: %s: %s
API String ID: 3401966785-1451338302
Opcode ID: 16ad3a361ab2fa0823f2abc1b06d59ff9ca4407b19865cf765ec968bd9bfee83
Instruction ID: 734b08724a3b01b2fec9b9633c964a03b897b31c58ffe880427a3a0d291a0a58
Opcode Fuzzy Hash: 16ad3a361ab2fa0823f2abc1b06d59ff9ca4407b19865cf765ec968bd9bfee83
Instruction Fuzzy Hash: 24418B12B0D2D146FA288E1690353B967A1EBA5BE1F84423BEEEF977C5DD2ED0558300

Function 00007FF6CE531E00 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE52B150: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE52B171

memcpy.VCRUNTIME140 ref: 00007FF6CE531F71
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE531F7F

Strings

Written %zu bytes, %I64u bytes are left for transfer, xrefs: 00007FF6CE531F3D
Failed to parse FETCH response., xrefs: 00007FF6CE531E5E
Found %I64d bytes to download, xrefs: 00007FF6CE531ED2

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _errnofreememcpy
String ID: Failed to parse FETCH response.$Found %I64d bytes to download$Written %zu bytes, %I64u bytes are left for transfer
API String ID: 738009125-4268564757
Opcode ID: c8dd9929abec7564cfc5343009131fcf02fe15ac9e744444b394123a8106f478
Instruction ID: e5d611b627da3e418b5d4a40fd6a94c7b70c86f0a8ab48b493f6ab29a3463b43
Opcode Fuzzy Hash: c8dd9929abec7564cfc5343009131fcf02fe15ac9e744444b394123a8106f478
Instruction Fuzzy Hash: 3351CFA2A0C7C282EB148F75D1202B9B770FB65B95F844032EADDA3A95DF7EE0159301

Function 00007FF6CE54AB40 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54AF39

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF6CE54ABEF
GMT, xrefs: 00007FF6CE54AB9C
Start Date: %s, xrefs: 00007FF6CE54AF27
Start Date, xrefs: 00007FF6CE54AF0D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Start Date: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Start Date
API String ID: 1294909896-2752585153
Opcode ID: 852b57d354f196916215357cb39c7ca5b312e80e98ffe554f2fcfc727ca474eb
Instruction ID: 2a26d7bdba216d62e62c60164f6038e61561c8595e26305ccc26d362098debb8
Opcode Fuzzy Hash: 852b57d354f196916215357cb39c7ca5b312e80e98ffe554f2fcfc727ca474eb
Instruction Fuzzy Hash: 6C31A465A0D78295EB508F2094201B97776FB61B86FC84032F6CDB729AEF3EE555C700

Function 00007FF6CE54B8CE Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAA9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54BAFC

Strings

Signature: %s, xrefs: 00007FF6CE54BA97
Signature, xrefs: 00007FF6CE54BA7F

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc
String ID: Signature: %s$Signature
API String ID: 2190258309-1663925961
Opcode ID: faee1b79d6e3ca57526c2964aab68c2ad45f1906e0f92ce6fbdfd11d9252326f
Instruction ID: 338176673f06af9381c8511a21c7c6e17dc36cd677e14a08013b92b175fcf656
Opcode Fuzzy Hash: faee1b79d6e3ca57526c2964aab68c2ad45f1906e0f92ce6fbdfd11d9252326f
Instruction Fuzzy Hash: 7021A276B08AC286EA508F66A4542E973B4FB59BE5F880132EE9D93799DF3DD101C700

Function 00007FF6CE535940 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE535A0B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE535A24
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE535A38

Strings

QUIT, xrefs: 00007FF6CE53596F
Failure sending QUIT command: %s, xrefs: 00007FF6CE535993

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Failure sending QUIT command: %s$QUIT
API String ID: 1294909896-1162443993
Opcode ID: af9c865519c706b1315f169865b9437b682a8768c619aeab1090bd7f57be2620
Instruction ID: c6c3e722dc03e2523eaf07f0b8e428db3e264fbd768695bbba06ce6c59757093
Opcode Fuzzy Hash: af9c865519c706b1315f169865b9437b682a8768c619aeab1090bd7f57be2620
Instruction Fuzzy Hash: 89318D32B0C78281EB50CF2594612B933B1FB55B85F885036EACDA7799CF2ED051C310

Function 00007FF6CE52C540 Relevance: 7.6, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE518920), ref: 00007FF6CE52C575
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE518920), ref: 00007FF6CE52C58A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE518920), ref: 00007FF6CE52C59F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE518920), ref: 00007FF6CE52C5CC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE518920), ref: 00007FF6CE52C5D5
memcpy.VCRUNTIME140(?,?,?,00007FF6CE518920), ref: 00007FF6CE52C609

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$calloc$memcpy
String ID:
API String ID: 3478730034-0
Opcode ID: c07fd4491912f1698f5e793d067f9ae57d05e03d60bd6e7bef04766d32f6f9cc
Instruction ID: b1ac86b0e33976c322f01d465fbf4d2fab32e2a8c74282307b8c1b1bf9824f01
Opcode Fuzzy Hash: c07fd4491912f1698f5e793d067f9ae57d05e03d60bd6e7bef04766d32f6f9cc
Instruction Fuzzy Hash: C621E771E0878186EB20CF25982422976B4FB69BE1F845135EADEE7785DF3EE0508700

Function 00007FF6CE54AD94 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54ADCF
memcpy.VCRUNTIME140 ref: 00007FF6CE54ADF5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54AF39

Strings

Start Date: %s, xrefs: 00007FF6CE54AF27
Start Date, xrefs: 00007FF6CE54AF0D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemcpy
String ID: Start Date: %s$Start Date
API String ID: 3056473165-2389359183
Opcode ID: 1d0d3f75b15472ae08d81cdac9c55d6f53ac22eecaa99c6c728bfa1e1c9dd27f
Instruction ID: e0ec91b4e0baaec79713290ea06da6ef6e7a7d3170d8b62f85104c90d80eabb8
Opcode Fuzzy Hash: 1d0d3f75b15472ae08d81cdac9c55d6f53ac22eecaa99c6c728bfa1e1c9dd27f
Instruction Fuzzy Hash: 92210665A083C201EE558F1185202B42376AF65BE6FC84532F99EB77D6EF3EA064C300

Function 00007FF6CE53B7B0 Relevance: 7.6, APIs: 5, Instructions: 62stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53B7E1
strchr.VCRUNTIME140 ref: 00007FF6CE53B80D
strchr.VCRUNTIME140 ref: 00007FF6CE53B824
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE53B843

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_strdupmalloc
String ID:
API String ID: 4236146995-0
Opcode ID: 2590a711bc944bfc2dd0934ddfdb5976fa8bad20689cb497d6851a7f161e1f41
Instruction ID: 74647dd74543f5bffc8fcb35c0b70472ff3a397e42ebea6a352ad1d4b0bdafe9
Opcode Fuzzy Hash: 2590a711bc944bfc2dd0934ddfdb5976fa8bad20689cb497d6851a7f161e1f41
Instruction Fuzzy Hash: A8215162B15B8581EB85CF21946036863E1EB99B55F481134EE8D9B748EF2AD490C720

Function 00007FF6CE50E5B0 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF6CE50EA53
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF6CE50EA67
CloseHandle.KERNEL32 ref: 00007FF6CE50EA74
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF6CE50EA96
closesocket.WS2_32 ref: 00007FF6CE50EAB4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 00007FF6CE50EACD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: c8a3fdc87ca7b702a94c4ef1d8f77eda044698d4a09b94f79638f0649c793e3d
Instruction ID: 1ee24069c827bdc674ac4d923a8779e3f0f9891a5678b78242c8ad63955200c1
Opcode Fuzzy Hash: c8a3fdc87ca7b702a94c4ef1d8f77eda044698d4a09b94f79638f0649c793e3d
Instruction Fuzzy Hash: 99116076708B8186EA10DF12E5642297370FB98B91F544035EFCE93B44CF3EE4608700

Function 00007FF6CE5065F0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE50688F

Strings

Host not found, xrefs: 00007FF6CE506858
No data record of requested type, xrefs: 00007FF6CE506873
Host not found, try again, xrefs: 00007FF6CE506885
Unrecoverable error in call to nameserver, xrefs: 00007FF6CE50687C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strncpy
String ID: Host not found$Host not found, try again$No data record of requested type$Unrecoverable error in call to nameserver
API String ID: 3301158039-3625861382
Opcode ID: 8540f1e6c2d8a3e43d3dc8f9ea4c236c2c3fd651578fb46491692c97b48acb01
Instruction ID: 387ddfff4d73efd061bde8e88aa4b2d7df21ff9f31aaa1e15712483cf083fe4b
Opcode Fuzzy Hash: 8540f1e6c2d8a3e43d3dc8f9ea4c236c2c3fd651578fb46491692c97b48acb01
Instruction Fuzzy Hash: 67117B61E0D58285FA5CCF15E97417826F0DF25786FC85131F58D66ED5DDBEE5808200

Function 00007FF6CE54CE3E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2E3
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54D35E

Strings

%s%lx, xrefs: 00007FF6CE54CEA8

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: isupper$free
String ID: %s%lx
API String ID: 573759493-530121141
Opcode ID: c456549fc9a9f1cca1fd9815eb7ac769fd56de37756c8d40557723f8e93c7337
Instruction ID: efc36d0beacf5214619db1f00abe46a13eff9e8a48b56f438ab8f2c72ea11dd1
Opcode Fuzzy Hash: c456549fc9a9f1cca1fd9815eb7ac769fd56de37756c8d40557723f8e93c7337
Instruction Fuzzy Hash: 9C31F112E0E5D649FB128F24902433C2FB19B75B86FC44573E6CAE6681CE2FE421C700

Function 00007FF6CE54D11F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2E3
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54D35E

Strings

TRUE, xrefs: 00007FF6CE54D2BD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: isupper$free
String ID: TRUE
API String ID: 573759493-3412697401
Opcode ID: e03a8531f0eebcabd4f090b1063a18774fc994da83e7471a6afe75b58af0ada3
Instruction ID: b94147469aa2a84cefbd6be151a280b20caa55d245417f16b3454084ee19716d
Opcode Fuzzy Hash: e03a8531f0eebcabd4f090b1063a18774fc994da83e7471a6afe75b58af0ada3
Instruction Fuzzy Hash: 65310722E0D69245FB11CF25952437C7FB1AB25B96F884232EAD9E36C5CE3ED141C300

Function 00007FF6CE535F40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF6CE535F92
accept.WS2_32 ref: 00007FF6CE535FB1

Part of subcall function 00007FF6CE528640: ioctlsocket.WS2_32 ref: 00007FF6CE528659

Strings

Error accept()ing server connect, xrefs: 00007FF6CE535FCE
Connection accepted from server, xrefs: 00007FF6CE535FDF

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: acceptgetsocknameioctlsocket
String ID: Connection accepted from server$Error accept()ing server connect
API String ID: 36920154-2331703088
Opcode ID: 91ff10935a309e61a2b265033101f797bcf3467bd80cc9426fbbb275bd97ac8b
Instruction ID: e751f14220a9db4976e18c9867aa9a2a67eceb2a630dcb4b4bc5b9e33e65544e
Opcode Fuzzy Hash: 91ff10935a309e61a2b265033101f797bcf3467bd80cc9426fbbb275bd97ac8b
Instruction Fuzzy Hash: 1C31A261A0D68182EB54DF21A4653AA73B0FB58BA5F840235EFED977C9CF7EE0058700

Function 00007FF6CE527AE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE527519), ref: 00007FF6CE527B6D

Strings

Failed to alloc memory for big header!, xrefs: 00007FF6CE527B78
Rejected %zu bytes header (max is %d)!, xrefs: 00007FF6CE527B0B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: realloc
String ID: Failed to alloc memory for big header!$Rejected %zu bytes header (max is %d)!
API String ID: 471065373-1365219457
Opcode ID: 2db9be89a545f89ee1c2905f2a2b40a643e136ebd8c9e5b01aeb6361d34a0176
Instruction ID: b188675d626d8c58fef66e25bc31276cfbc7b90c03617059b6c91f5c7ff85b71
Opcode Fuzzy Hash: 2db9be89a545f89ee1c2905f2a2b40a643e136ebd8c9e5b01aeb6361d34a0176
Instruction Fuzzy Hash: 38214B32B08A8486DB04DF29E4902AD77B1FB59BC4F984036EB8D53B59DF39D4A2C340

Function 00007FF6CE507CC3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE507D52
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE507D6E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE507D8B

Strings

:, xrefs: 00007FF6CE507D46

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID: :
API String ID: 2653869212-336475711
Opcode ID: 4f6e2ecb12e9d558fc2d2c7ef4666f3ac030c096481866a8b57b6e31448d3835
Instruction ID: 9f87c837a765e40a3d697469968700a87f4eb1913c062536725ae49f6b00b05c
Opcode Fuzzy Hash: 4f6e2ecb12e9d558fc2d2c7ef4666f3ac030c096481866a8b57b6e31448d3835
Instruction Fuzzy Hash: 0921AC22A08B8289EF659F04A5503B977B0FB54BA5F884531EBDCD3384EF3EE4108710

Function 00007FF6CE507E48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE507D52
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE507D6E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE507D8B

Strings

:, xrefs: 00007FF6CE507D46

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$_strdup
String ID: :
API String ID: 2653869212-336475711
Opcode ID: 151baf0ff303c6cb7b0971c13338ab6f1debb972bd9090e7dc2929162079fe60
Instruction ID: 50184bfcb281779d49e509343fca1172d9aeb70574b1b1b9f6ff1efad0104fbc
Opcode Fuzzy Hash: 151baf0ff303c6cb7b0971c13338ab6f1debb972bd9090e7dc2929162079fe60
Instruction Fuzzy Hash: A8119A32A09BC189EF619F04A5103B977B0AB64BA5F984132EBDC93394EF3EE4108710

Function 00007FF6CE531890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

LIST "%s" *, xrefs: 00007FF6CE531917
%s%s, xrefs: 00007FF6CE5318C3

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %s%s$LIST "%s" *
API String ID: 0-1744359683
Opcode ID: 558dbf9052364e554f08f6932d4ceb71aef4511f66943321a45585c9e54afdb3
Instruction ID: 1a239c6e73ec28d3319044f50f923cccc98c6a1595a9833905c4eb2d6e72b14c
Opcode Fuzzy Hash: 558dbf9052364e554f08f6932d4ceb71aef4511f66943321a45585c9e54afdb3
Instruction Fuzzy Hash: 91119D62F0D68281EA14CF66E5601B86370FB68BC5F841431FE8DA7711DF2EE5418340

Function 00007FF6CE53DE40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF6CE53DE7D
WSAGetLastError.WS2_32 ref: 00007FF6CE53DE87

Strings

SENT, xrefs: 00007FF6CE53DEA2
Sending data failed (%d), xrefs: 00007FF6CE53DE8D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastsend
String ID: SENT$Sending data failed (%d)
API String ID: 1802528911-3459338696
Opcode ID: 8adbcbfae2e6e738960fed94a1e2467c945c95f03590d609fa70bb77f2276d34
Instruction ID: 5eababb2f8e3cf7d290a45cbf20e7beba48ea7921e601a74dc9e755bcf8f8d83
Opcode Fuzzy Hash: 8adbcbfae2e6e738960fed94a1e2467c945c95f03590d609fa70bb77f2276d34
Instruction Fuzzy Hash: 1901B172709A9281EB108F2AE85045D7B30FBA4FC4F895132EB9D93751DF7AE505C780

Function 00007FF6CE54AB11 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54AB14
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54AF39

Part of subcall function 00007FF6CE513BF0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513C42

Strings

Start Date: %s, xrefs: 00007FF6CE54AF27
Start Date, xrefs: 00007FF6CE54AF0D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: Start Date: %s$Start Date
API String ID: 3985033223-2389359183
Opcode ID: 7d631355a8de000f4a4a44a516cbb3cbbfe75d1b6faa668608f3d6971fc78ce4
Instruction ID: f67a2298630e27509ea2ea215d523d9dd54744e107f6e56351b844e69466fc68
Opcode Fuzzy Hash: 7d631355a8de000f4a4a44a516cbb3cbbfe75d1b6faa668608f3d6971fc78ce4
Instruction Fuzzy Hash: CE01B5A5E0C28255EE508F1054301B53776AF65787FC81432F98AF6256EF2FA154C311

Function 00007FF6CE554F38 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FF6CE554F6D
__current_exception_context.VCRUNTIME140 ref: 00007FF6CE554F81
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE554F89

Strings

csm, xrefs: 00007FF6CE554F59

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: b3e3c4fef44ee460f99591e46fdde72e012a966e5fafd429e245b8e10932cae7
Instruction ID: e8ca5d76485097dcbb96df89c864985253a108f09c179075323c37aa36d17e13
Opcode Fuzzy Hash: b3e3c4fef44ee460f99591e46fdde72e012a966e5fafd429e245b8e10932cae7
Instruction Fuzzy Hash: 3AF0E237606A84CAC7159F25EC901AC3774FB99B8AB895120FA8D97759CF39D8909300

Function 00007FF6CE525A40 Relevance: 6.3, APIs: 5, Instructions: 82stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FF6CE525AA4
strchr.VCRUNTIME140 ref: 00007FF6CE525AB7
strchr.VCRUNTIME140 ref: 00007FF6CE525AC9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE525AFB
memcpy.VCRUNTIME140 ref: 00007FF6CE525B25

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strchr$mallocmemcpy
String ID:
API String ID: 320687583-0
Opcode ID: b9e640fe0b783790492eba35bc4a1a08a5dd4f809ab9890f0efffccfe0a37522
Instruction ID: fda4fa6f260eaf3bb9802f94aea5bfb41de5674f7dc6639f5b6c89991e2f2bb8
Opcode Fuzzy Hash: b9e640fe0b783790492eba35bc4a1a08a5dd4f809ab9890f0efffccfe0a37522
Instruction Fuzzy Hash: AB21E211A0D69201EE558F1561A12B9A6E19F75BC6F8C4031FECDAB78AEF1EE4068211

Function 00007FF6CE524F50 Relevance: 6.3, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE525365), ref: 00007FF6CE524F88
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE525365), ref: 00007FF6CE524F91
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE525365), ref: 00007FF6CE52500A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE525365), ref: 00007FF6CE52501B
memcpy.VCRUNTIME140(?,?,00000000,00007FF6CE525365), ref: 00007FF6CE525044

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemcpy
String ID:
API String ID: 3401966785-0
Opcode ID: 3d643f7d79438e15a4e092c8fd1b8aa47cacbd5a7c2056c6ba5b58b76ebd2040
Instruction ID: 6012200748ac43884e3249e89432d1cea6d51afbe683d3d04b3bb2d347dbbd74
Opcode Fuzzy Hash: 3d643f7d79438e15a4e092c8fd1b8aa47cacbd5a7c2056c6ba5b58b76ebd2040
Instruction Fuzzy Hash: 69319262A08B8581EB10CF11E46436963B4FB64BE6F845631FEAEA77C9DF3ED4408300

Function 00007FF6CE547C40 Relevance: 6.3, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547C66
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547C87
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547CA2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547CB0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5446D5), ref: 00007FF6CE547CC2

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: fab48c6ee78ae813bb08c2fcd08ab2c58dd65b3348b0b2be73b43a7dff085a05
Instruction ID: 0310242d10d2f3a2bfa032108f6e29288dd64426e0024d3e3172e829d5dd59cd
Opcode Fuzzy Hash: fab48c6ee78ae813bb08c2fcd08ab2c58dd65b3348b0b2be73b43a7dff085a05
Instruction Fuzzy Hash: 12110636A18B4182DB14DF65E8A113C73B8FF94F897400422DE9E87728CF3AC861C350

Function 00007FF6CE54D55F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54D86F

Strings

%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF6CE54D681
TRUE, xrefs: 00007FF6CE54D879
GMT, xrefs: 00007FF6CE54D60E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
API String ID: 1294909896-910067264
Opcode ID: 6c03359ff7c482aaf561cea08a4c6d5eca18cb8ab8d562cd1ac589cbbc4e79e1
Instruction ID: fc129e85017b2bc30ba8a68e92920d697c4bb228dc075ec97b4f9f00cb9b13b1
Opcode Fuzzy Hash: 6c03359ff7c482aaf561cea08a4c6d5eca18cb8ab8d562cd1ac589cbbc4e79e1
Instruction Fuzzy Hash: 8751F162E0D69644EB158F25A5242B96BB9EB61786FC44033EACDE3794CF3EE461C300

Function 00007FF6CE54C870 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54CBA6

Strings

%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF6CE54C99A
GMT, xrefs: 00007FF6CE54C92E
%s: %s, xrefs: 00007FF6CE54CB91

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %s: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s
API String ID: 1294909896-2632828617
Opcode ID: c09ced58e012e3153cf9a83734317ed98a5bcae78de91fc8851e3d726c7046cd
Instruction ID: 219d18a947b7978ba1ab94be020659e487896038bcc36e37cf4c803a08491c5b
Opcode Fuzzy Hash: c09ced58e012e3153cf9a83734317ed98a5bcae78de91fc8851e3d726c7046cd
Instruction Fuzzy Hash: 8B41D462A0C69195FB208F11A4242B9A7B4FBA5B92FC44032EACDE3754CF3EE056C704

Function 00007FF6CE4FECA0 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CE4FE968), ref: 00007FF6CE4FED7E
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CE4FE968), ref: 00007FF6CE4FEDAC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6CE4FE968), ref: 00007FF6CE4FEE15

Part of subcall function 00007FF6CE552CC8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF6CE4F5A5E,7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE552CE2

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE4FEE22

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemset
String ID:
API String ID: 2942768764-0
Opcode ID: 838c4c2ec42f133e2bb95afb0797bb95adbb917204e895c0b0f8881c1c4df6bb
Instruction ID: f0c9977937e36911b312d268bab22c443622eb56c81ac17c961ec2ed45370e6d
Opcode Fuzzy Hash: 838c4c2ec42f133e2bb95afb0797bb95adbb917204e895c0b0f8881c1c4df6bb
Instruction Fuzzy Hash: 0141AD62B05A8785EA14CF25E4142BD6371FB54FA2F548631EBADA3BD9DF2DE0918300

Function 00007FF6CE5005F0 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF6CE5006FF

Part of subcall function 00007FF6CE552CC8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF6CE4F5A5E,7FFFFFFFFFFFFFFF,black,-3333333333333333,00007FF6CE4F2319), ref: 00007FF6CE552CE2

memcpy.VCRUNTIME140 ref: 00007FF6CE5006EC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6CE50076D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE50077A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 01397470fab2f5b5c1620c07fbcdcd52e900671c3b036614bd55800486229bae
Instruction ID: 23ce1c6d54b0a360258d05405c005d56afc4e5d860684eb06d8ab81444f21d88
Opcode Fuzzy Hash: 01397470fab2f5b5c1620c07fbcdcd52e900671c3b036614bd55800486229bae
Instruction Fuzzy Hash: 8A41FF62B15B8681EA14CF26D5242BC6371AB54BE5F848A31FBADA37D4CF3DE091C300

Function 00007FF6CE54E620 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00007FF6CE531BD0,?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?), ref: 00007FF6CE54E673
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54E6FC

Strings

%s, xrefs: 00007FF6CE54E645

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %s
API String ID: 1294909896-3043279178
Opcode ID: f65f70b5a708ea2614c8ad4bd169177c2fa0b1ebbdf00ecd579a5d03a48dd2c3
Instruction ID: 74e1d53c4d49d57e02584d64df3848de50c21a80d44bd4b19c0a701c54e415ad
Opcode Fuzzy Hash: f65f70b5a708ea2614c8ad4bd169177c2fa0b1ebbdf00ecd579a5d03a48dd2c3
Instruction Fuzzy Hash: F0418436A18B8582EA51CF26F5501AAB3B4FB54BA0F444135EFCE97BA1DF3DE5918300

Function 00007FF6CE539B7D Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE539BB4

Part of subcall function 00007FF6CE5194A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE5195C5
Part of subcall function 00007FF6CE5194A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CE5195E0

Strings

Wildcard - "%s" skipped by user, xrefs: 00007FF6CE539C1D
%s%s, xrefs: 00007FF6CE539B84
Wildcard - START of "%s", xrefs: 00007FF6CE539BBD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: fwrite$free
String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
API String ID: 3468156532-1133524294
Opcode ID: a99002aadaf1bed436114ad876307ae12d5d69b86db3fb1ee0dfd25425540cd0
Instruction ID: 75fccc38c12c499b8fdd0a911928f4306fe22023cea12bf68b3cbbce43a2b77a
Opcode Fuzzy Hash: a99002aadaf1bed436114ad876307ae12d5d69b86db3fb1ee0dfd25425540cd0
Instruction Fuzzy Hash: 0C4161B6A08A86C1E710DF15D4641AD33B4FBA4B86F855032EF8EAB399DF3AD441C300

Function 00007FF6CE502D90 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF6CE4F1052), ref: 00007FF6CE502DC8
memcpy.VCRUNTIME140(?,?,?,?,00007FF6CE4F1052), ref: 00007FF6CE502E69
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CE502E87

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID:
API String ID: 326894585-0
Opcode ID: 0095a3458d38002ce56d5708b486baacbc93d7d29360f347db19f7d0a4495090
Instruction ID: 9b729e10a926867bffb3a47421b56d3b383cdea6dd099636a64937b671b113a2
Opcode Fuzzy Hash: 0095a3458d38002ce56d5708b486baacbc93d7d29360f347db19f7d0a4495090
Instruction Fuzzy Hash: 2821F966B0A79645EA159F11A51037823749F15BE6FD40730FEED67BC3DE3DA4928300

Function 00007FF6CE54C7B5 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54CBA6

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF6CE54C859
GMT, xrefs: 00007FF6CE54C809
%s: %s, xrefs: 00007FF6CE54CB91

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: %s: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
API String ID: 1294909896-1153420294
Opcode ID: 4d1103fa62e6c2507ab0981a3cbfe9fc3372bb78163b423d7f281af3811cf701
Instruction ID: 27ce78ea6cc365aafccd82a60016fc77badf6519950eb58409bee945ae5b69c1
Opcode Fuzzy Hash: 4d1103fa62e6c2507ab0981a3cbfe9fc3372bb78163b423d7f281af3811cf701
Instruction Fuzzy Hash: 4231D262A0CB8285FB608F51E4606A973B0FB95B82FD50036EACDA3345CF7ED655C700

Function 00007FF6CE513BF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513C42
memcpy.VCRUNTIME140 ref: 00007FF6CE513C7D

Part of subcall function 00007FF6CE508FD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE508FE5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513CB2

Part of subcall function 00007FF6CE5090E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5136E0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE505511), ref: 00007FF6CE509107
Part of subcall function 00007FF6CE5090E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5136E0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE505511), ref: 00007FF6CE509113

Strings

%s:, xrefs: 00007FF6CE513C5C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$memcpy
String ID: %s:
API String ID: 901724546-64597662
Opcode ID: ca1c70b4015a75c0b4e7884eab1b54ec5112fcac75a59ffa4d7c5d7682220fe3
Instruction ID: 0445121823c81bf52e57d5cb9b67b283d6128dad0c48403b06fe4675e9a4317d
Opcode Fuzzy Hash: ca1c70b4015a75c0b4e7884eab1b54ec5112fcac75a59ffa4d7c5d7682220fe3
Instruction Fuzzy Hash: 4021F332A08A8591DB00CF12E8605AA73B4FBA4BE8F890132FE9D97395DF3DD041C340

Function 00007FF6CE54CEEA Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54CEF1
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2E3
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54D2F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54D35E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: isupper$_strdupfree
String ID:
API String ID: 3359907120-0
Opcode ID: 5f781520354aeffd126b610b3688fe8a2ae4306f663f6150b12bcc7ab7587f48
Instruction ID: 44c5d841b8bc09040a554ea00c0c000f6f102220a4dc1cb29b66b1e505e7b9c2
Opcode Fuzzy Hash: 5f781520354aeffd126b610b3688fe8a2ae4306f663f6150b12bcc7ab7587f48
Instruction Fuzzy Hash: 5A21ED22E0E6D245FB12CF25913433C2FB59B35B82FC84572E6CAE6A85CE3EA555C310

Function 00007FF6CE54CA01 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54CA3C
memcpy.VCRUNTIME140 ref: 00007FF6CE54CA62
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54CBA6

Strings

%s: %s, xrefs: 00007FF6CE54CB91

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemcpy
String ID: %s: %s
API String ID: 3056473165-1451338302
Opcode ID: 5282486b33acaf5a5de9a9b1fe1c669959b6da56d055b9849cb2ad875a21e0de
Instruction ID: e609caddc9cafafe4320fb7887344a375f2e8b766809fd6cf328d7b97c1099d7
Opcode Fuzzy Hash: 5282486b33acaf5a5de9a9b1fe1c669959b6da56d055b9849cb2ad875a21e0de
Instruction Fuzzy Hash: EA21CF52A0D78181FA658F02A5203B563A1BFE5FE1F844132EE9DA3795DE3EE0458300

Function 00007FF6CE54AA5A Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54AF39

Strings

Start Date: %s, xrefs: 00007FF6CE54AF27
%s%lx, xrefs: 00007FF6CE54AAB5
Start Date, xrefs: 00007FF6CE54AF0D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: Start Date: %s$%s%lx$Start Date
API String ID: 1294909896-3519493645
Opcode ID: d638a4dd88b22513da0ef6d04f7a930c9b3dfc3b806c07ea69d016164678dc59
Instruction ID: cc67e1c98667e0b979d3c7ee2f75691e30a745b3a33f2f740abc59e7c119b64a
Opcode Fuzzy Hash: d638a4dd88b22513da0ef6d04f7a930c9b3dfc3b806c07ea69d016164678dc59
Instruction Fuzzy Hash: 8B21FB55B0C28255EE608F2194202B93772AF65786FC44432FA8EF7786EF2FE154C300

Function 00007FF6CE51CC8D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6CE51C958), ref: 00007FF6CE51CAA5
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6CE51C958), ref: 00007FF6CE51CABF

Strings

I64, xrefs: 00007FF6CE51CAB5
I32, xrefs: 00007FF6CE51CA95

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: e9367e4a8b2aad143c4ff54a677c4be23e1815099f00ec1c911c65e6b2dfae5e
Instruction ID: 538670d462d080644905e71324f9c4fac8579373b1f7f09524eb35b5474afee9
Opcode Fuzzy Hash: e9367e4a8b2aad143c4ff54a677c4be23e1815099f00ec1c911c65e6b2dfae5e
Instruction Fuzzy Hash: 4721072290D5A245E7258F20D46027C7BB0AB26B8AF894131EFD9F2291DE2FE900C740

Function 00007FF6CE546AE0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE547849,00000000,?,?,00007FF6CE546E06), ref: 00007FF6CE546B09
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE547849,00000000,?,?,00007FF6CE546E06), ref: 00007FF6CE546B40
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE547849,00000000,?,?,00007FF6CE546E06), ref: 00007FF6CE546B52
memcpy.VCRUNTIME140(?,?,?,00007FF6CE547849,00000000,?,?,00007FF6CE546E06), ref: 00007FF6CE546B7A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemcpyrealloc
String ID:
API String ID: 3881842442-0
Opcode ID: ed6c144b413d3c6f4c0763378b468c8b8c31378ad837f061f963e906113e2265
Instruction ID: 6d09cbfea5efac709c37e449ef6d303d1eeff41a168acc6d87359f8da0053339
Opcode Fuzzy Hash: ed6c144b413d3c6f4c0763378b468c8b8c31378ad837f061f963e906113e2265
Instruction Fuzzy Hash: 3C218136A09B8182DB44CF15E46122973B0FB58FD5B488032EE9E97758DF3DC4A1C700

Function 00007FF6CE535E60 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54stringCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE535E7D
strstr.VCRUNTIME140 ref: 00007FF6CE535EBC
strstr.VCRUNTIME140 ref: 00007FF6CE535ED4

Strings

;type=, xrefs: 00007FF6CE535EAF, 00007FF6CE535ECD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strstr$calloc
String ID: ;type=
API String ID: 3224321581-3507045495
Opcode ID: b18aa4fea0ffc3179bf2359159edbd89a47492eff8ce2a191aa9623d5d0a70ad
Instruction ID: 071c6bb37e48429ac1f98ea80c9a921b52f397da44af24eec12b83661d10465c
Opcode Fuzzy Hash: b18aa4fea0ffc3179bf2359159edbd89a47492eff8ce2a191aa9623d5d0a70ad
Instruction Fuzzy Hash: 2B21C172A0868282EB158F25E4503B837B0FB54794F885131EBDD977CADF7EE5918700

Function 00007FF6CE52F8F0 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F918
GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F93E
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F95F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE513E69,?,?,?,?,00007FF6CE51320B), ref: 00007FF6CE52F970

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: realloc$EnvironmentVariablefree
String ID:
API String ID: 2828309815-0
Opcode ID: bb998d4ee8d8beaa37946d6ae0f8058e106fc9dab76d3547b6b7095a6caecdc5
Instruction ID: 6796d107d264d3470afe0c7f2feb6004589b54f5f30595d57ed591e728697f43
Opcode Fuzzy Hash: bb998d4ee8d8beaa37946d6ae0f8058e106fc9dab76d3547b6b7095a6caecdc5
Instruction Fuzzy Hash: 0A11A721B0D74242EA608F12759523DA1A6BB68FC1F941035EDCEA3B54DE3FD4408750

Function 00007FF6CE550CD0 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6CE550D0D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE550D1D
WideCharToMultiByte.KERNEL32 ref: 00007FF6CE550D4C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE550D59

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 3ad4f33c8953e40300b547fcedd5c211c4b728828823019494c3ceedb6fc93da
Instruction ID: f979221fde00a110664f9fe4d965d174c186e9b2885eddbbd1221f23efc4ab1f
Opcode Fuzzy Hash: 3ad4f33c8953e40300b547fcedd5c211c4b728828823019494c3ceedb6fc93da
Instruction Fuzzy Hash: 74116D31B0AB4186E7208F62B864129B7B4FB98F81B884039EF8E93B54DF7DE5158740

Function 00007FF6CE550F00 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE550F26
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE550F37
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE550F66

Part of subcall function 00007FF6CE550F90: strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF6CE550F50), ref: 00007FF6CE550FFF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE550F5D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree$strchr
String ID:
API String ID: 1739957132-0
Opcode ID: c068768543c458f8091fffccb7625242576b2679e4b52a59b4085f63186abab1
Instruction ID: 300ab987897cb3634f16bb7afbe02a1cc8e1dd9afcc6e006585c92e04e57be16
Opcode Fuzzy Hash: c068768543c458f8091fffccb7625242576b2679e4b52a59b4085f63186abab1
Instruction Fuzzy Hash: 14019E61F1E78142EF698F5661B013962A0AF58FC1F881435FE8FD3B48DE2EE8818211

Function 00007FF6CE50EAE0 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,00007FF6CE50EA92,?,?,?,00000000), ref: 00007FF6CE50EAF1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EA92,?,?,?,00000000), ref: 00007FF6CE50EAFA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE50EA92,?,?,?,00000000), ref: 00007FF6CE50EB04
closesocket.WS2_32 ref: 00007FF6CE50EB22

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalDeleteSectionclosesocket
String ID:
API String ID: 3086658127-0
Opcode ID: 858ab1373b792e2845a933a24cdfc5cf25622238e82b98124378384e350de81d
Instruction ID: dedfb3d8d843a3b3ce171191f843c72da8bc76903a61d046800fa23d8efdbc3f
Opcode Fuzzy Hash: 858ab1373b792e2845a933a24cdfc5cf25622238e82b98124378384e350de81d
Instruction Fuzzy Hash: 08012D12E29A8182EB14CF71C8302782330FBF9B2DB556326FDAE911A5DF69A5D08200

Function 00007FF6CE51CB7A Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 24stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6CE51C958), ref: 00007FF6CE51CAA5
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6CE51C958), ref: 00007FF6CE51CABF
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51CB02

Strings

I64, xrefs: 00007FF6CE51CAB5
I32, xrefs: 00007FF6CE51CA95

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: ad58df444f32354ceeeeaa037dadf27863a4da7689c97725897f6f1c5821c839
Instruction ID: be8aaff892afd40777c8b08b2de0a1d38fc7c610990707f8037b1698af968a24
Opcode Fuzzy Hash: ad58df444f32354ceeeeaa037dadf27863a4da7689c97725897f6f1c5821c839
Instruction Fuzzy Hash: ECF0E221B1E58340EA158F2598B07393674AF29B86FC84036ED9EE22D1DE2FE2008311

Function 00007FF6CE51CB82 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 24stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6CE51C958), ref: 00007FF6CE51CAA5
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6CE51C958), ref: 00007FF6CE51CABF
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51CB02

Strings

I64, xrefs: 00007FF6CE51CAB5
I32, xrefs: 00007FF6CE51CA95

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: 2e94dd6edd3b13bddb1533ac41e18fb51fa0427d82f68d9783b6f1870346e836
Instruction ID: 3c17d6725b59e7613179af86c5afb4bcf92dd7eb8f21cc0696ba08bff0cf5fd7
Opcode Fuzzy Hash: 2e94dd6edd3b13bddb1533ac41e18fb51fa0427d82f68d9783b6f1870346e836
Instruction Fuzzy Hash: 83F0E211B1A58380EA158F2598B07393674AF29B86FC84036ED9EE22D1DE2EE200C311

Function 00007FF6CE544B70 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6CE519F26), ref: 00007FF6CE544B84

Strings

%lx, xrefs: 00007FF6CE544E6A

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _errno
String ID: %lx
API String ID: 2918714741-1448181948
Opcode ID: 3e1a03b3b34d7b5974f3a57e0b401176620edb60ba092262caea1c8e1528da42
Instruction ID: 8db9f5897fdd810fe5395d4cb16aa2856a6fc74bcb4a0251716116715f5da934
Opcode Fuzzy Hash: 3e1a03b3b34d7b5974f3a57e0b401176620edb60ba092262caea1c8e1528da42
Instruction Fuzzy Hash: B9815822A1C1D145EB688E25A46023D7BF0FBA5752F94423BFADAE23C4DE3DD861C701

Function 00007FF6CE530890 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF6CE530273), ref: 00007FF6CE530962
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF6CE530273), ref: 00007FF6CE5309B3

Strings

(){ %*], xrefs: 00007FF6CE5308AD

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupmalloc
String ID: (){ %*]
API String ID: 3515966317-731572209
Opcode ID: 5b75cad57522702296643e1deeafcc848028ed951f14d07a45b51d39aa2190da
Instruction ID: 0a973fd8ef456588d68143c820f70906b39ed750ae11fea14165c3dab9910fb0
Opcode Fuzzy Hash: 5b75cad57522702296643e1deeafcc848028ed951f14d07a45b51d39aa2190da
Instruction Fuzzy Hash: FB31181390DB8944FE614E1550703792BE29F76BA6FD84171FACE933C2CE2FA805C250

Function 00007FF6CE54210F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE542205
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE542267

Strings

%ld, xrefs: 00007FF6CE54213C

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: %ld
API String ID: 1865132094-1112595699
Opcode ID: 169c30279ba04736c4a6d2b2628939a9c40d880209fb22954fa79eb0c58b9e8d
Instruction ID: 4baff93df7065262d6a00bfc6b1d33aa7aaac1290c8e6f27289cbfd1eccd59b0
Opcode Fuzzy Hash: 169c30279ba04736c4a6d2b2628939a9c40d880209fb22954fa79eb0c58b9e8d
Instruction Fuzzy Hash: B831B226A0DB9241FA65CF60A07537A22B0AF64746F851032EECEA3685EF3EE451C710

Function 00007FF6CE51E030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE51E0A9
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE51E142

Strings

identity, xrefs: 00007FF6CE51E064, 00007FF6CE51E0D3, 00007FF6CE51E13B

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupmalloc
String ID: identity
API String ID: 3515966317-1788209604
Opcode ID: a976cd69ae314889b4e1ade3d16d4037d9f26e8745e8dddc183975ec2199c634
Instruction ID: e7568544efbbaf33a7c213a847c812cfcd3b4752acfac308037d670f09d93a3b
Opcode Fuzzy Hash: a976cd69ae314889b4e1ade3d16d4037d9f26e8745e8dddc183975ec2199c634
Instruction Fuzzy Hash: 5931A525F09A4681EF118F55D56037567B0EF64BE5F884631EEAD937C5EF2EE4428300

Function 00007FF6CE51A9C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FF6CE51AA3F
setsockopt.WS2_32 ref: 00007FF6CE51AA6E

Strings

@, xrefs: 00007FF6CE51A9CF

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: getsockoptsetsockopt
String ID: @
API String ID: 194641219-2726393805
Opcode ID: 0490720c5d60d7d5d69c3fce779b4dce03c322a35e3d52f9ff449d60e597bd45
Instruction ID: 7d7ad6ae5da378bd98afc1d68943a925e13f8045c5925655894337f641b74690
Opcode Fuzzy Hash: 0490720c5d60d7d5d69c3fce779b4dce03c322a35e3d52f9ff449d60e597bd45
Instruction Fuzzy Hash: 77118F76A1828287E721CF50E451266B7B0EB94346F940035EA8997BA5DFBFE589CB00

Function 00007FF6CE518E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE518EB5
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE518EDC

Strings

%I64d-, xrefs: 00007FF6CE518EC7

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfree
String ID: %I64d-
API String ID: 1865132094-19666937
Opcode ID: c4aefdc20ad5891078045dde08d4f6db41c50a31de546ca05e411f720a530e08
Instruction ID: cf5a334aae60b7cbc5eaaa834b48e3b69ff297aad85f132c793a0a51bea04531
Opcode Fuzzy Hash: c4aefdc20ad5891078045dde08d4f6db41c50a31de546ca05e411f720a530e08
Instruction Fuzzy Hash: 3D11C672A0A682C0FF258FA494153F413B1EB64B46F584035E98C8E251DF2E94968320

Function 00007FF6CE50BED0 Relevance: 5.3, APIs: 4, Instructions: 287COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50C19A
memcpy.VCRUNTIME140 ref: 00007FF6CE50C2CC
memcpy.VCRUNTIME140 ref: 00007FF6CE50C2E8

Part of subcall function 00007FF6CE521780: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE50A0A3,?,?,00000000,00007FF6CE514972,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE5217BC

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: freememcpy
String ID:
API String ID: 3223336191-0
Opcode ID: e926ef9e2a2cb08b65a6ac8835a4e956b17052ef3d2f2e48d9672f51b120bea6
Instruction ID: 49b34f8a2721718025316b9bc87384bd54e355f2d79b7b137f94aa06d93c9934
Opcode Fuzzy Hash: e926ef9e2a2cb08b65a6ac8835a4e956b17052ef3d2f2e48d9672f51b120bea6
Instruction Fuzzy Hash: F2C16E32B04B4286EB148F65D4203AD33B1BB55BADF844235EEADA77D8DE3AD446C740

Function 00007FF6CE54C788 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6CE54C78F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE54CBA6

Part of subcall function 00007FF6CE513BF0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE513C42

Strings

%s: %s, xrefs: 00007FF6CE54CB91

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: _strdupfreemalloc
String ID: %s: %s
API String ID: 3985033223-1451338302
Opcode ID: 8c74de58afd796775dd428b84ef2d128d12317424573d3852d9c3ba770e141a0
Instruction ID: 7a2d00f5a94c4f3f5dc7748d766eb3a496870880e8448413f9b89c269c2c8f9d
Opcode Fuzzy Hash: 8c74de58afd796775dd428b84ef2d128d12317424573d3852d9c3ba770e141a0
Instruction Fuzzy Hash: A3F0A451E0C78142FA619F52A8207A553707FA5B91FC81432EECEA3351DF3ED1558314

Function 00007FF6CE550C20 Relevance: 5.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CE543D58), ref: 00007FF6CE550C51
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF6CE543D58), ref: 00007FF6CE550C64
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CE543D58), ref: 00007FF6CE550C8B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF6CE543D58), ref: 00007FF6CE550C98

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: e421f637e0d4eeda450dfe8c16121f34d38647587d55194bbc6bfe2c7a670518
Instruction ID: 5627cfd3e64df0ca1c6ece1e1a62fa41b686b7c0e9ff7b06c6b75eeb455b651d
Opcode Fuzzy Hash: e421f637e0d4eeda450dfe8c16121f34d38647587d55194bbc6bfe2c7a670518
Instruction Fuzzy Hash: 7A115131B0974282EB209F6AF41002AB6B0BF99B95B984535EB9D97B58DE3DD5408B40

Function 00007FF6CE50F5B0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CE5090E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5136E0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE505511), ref: 00007FF6CE509107
Part of subcall function 00007FF6CE5090E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE5136E0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF6CE505511), ref: 00007FF6CE509113

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50F5E6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50F5F6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE50F604
memset.VCRUNTIME140 ref: 00007FF6CE50F63F

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 6ee92241d928c6289353ba6ce05267bf135b4791ba7f700aaadd859f4dccfe85
Instruction ID: 8297f2d537658d00d1f2a31d6001f35a3f887f2314394f022e48cd0617adb839
Opcode Fuzzy Hash: 6ee92241d928c6289353ba6ce05267bf135b4791ba7f700aaadd859f4dccfe85
Instruction Fuzzy Hash: 0621E932E18B91A3E614CF22E6A03A86374F7A9744F51A225EB9D93A51DF75F1F1C300

Function 00007FF6CE54E7C0 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE530643), ref: 00007FF6CE551756
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE530643), ref: 00007FF6CE551775
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE530643), ref: 00007FF6CE55178F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6CE530643), ref: 00007FF6CE55179D

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 092e5d567ebd9fef8945121da4f1ea54bc14929b8c9566ac7e48ade6aa5f6580
Instruction ID: a44f8104a4cf8c7f5b0a152dcb082a5be1ea5db9516c7efe72cc9b4e78a7904f
Opcode Fuzzy Hash: 092e5d567ebd9fef8945121da4f1ea54bc14929b8c9566ac7e48ade6aa5f6580
Instruction Fuzzy Hash: 2F115B36A19A4181EB14CF29E5A023C33B4FFA4F85F905032EA8E96764CE3ED8608350

Function 00007FF6CE5365B0 Relevance: 5.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE5365E8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53660E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53662A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6CE53663E

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5c5e4b6a6e7c506d49b5deac227a76042c120f8c326041f8769d9db9dc51a305
Instruction ID: 01b555ef73c8c36f376f16036b57e4c06f69da4408b0a084687399d718265854
Opcode Fuzzy Hash: 5c5e4b6a6e7c506d49b5deac227a76042c120f8c326041f8769d9db9dc51a305
Instruction Fuzzy Hash: 6F111636A18A4086DB50CF65E59036873B4F794F95F585039EE8EA7328CF39E8A5C360

Function 00007FF6CE545B90 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE51BDB5,?,?,00000000,00007FF6CE514A71,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE545BA0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE51BDB5,?,?,00000000,00007FF6CE514A71,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE545BC6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE51BDB5,?,?,00000000,00007FF6CE514A71,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE545BD4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6CE51BDB5,?,?,00000000,00007FF6CE514A71,?,?,00000000,00007FF6CE514FA5), ref: 00007FF6CE545BE2

Memory Dump Source

Source File: 00000004.00000002.2530075810.00007FF6CE4F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CE4F0000, based on PE: true

Associated: 00000004.00000002.2529991174.00007FF6CE4F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530318590.00007FF6CE556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530439137.00007FF6CE56F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2530506284.00007FF6CE570000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6ce4f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d53b3aa07b0b662c989be39df313d4e48b7b724d0373c5710314684894adf95b
Instruction ID: b3f9e8027afe41f0a76dbdceab2db4d6fb52052956627bdd02537dd16c7d35c5
Opcode Fuzzy Hash: d53b3aa07b0b662c989be39df313d4e48b7b724d0373c5710314684894adf95b
Instruction Fuzzy Hash: 67F03C72A18B0082DB14CF61F8A112873B8FFA8F897505432DE9E83728CF3AC464C350

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe